Support for enhanced security - including security trimming and AD integration
I suspect that having a search service with two levels of access (admin and user) isn't likely to be a great solution, particularly if it applies to all indexes within the service. For example, to be able to upload a document, you need the same key as someone that can create indexes. I was left with the feeling that there probably is a need for some sort of role-based security where users/keys can be associated with particular indexes within the service. Even better would be something that allowed for vertical and/or horizontal filtering at the level of each index. Is there any thinking around this aspect? (I know that security is hard to bolt on later, so I thought it was best to raise it now.)
I'm guessing that at minimum, uploading and querying documents should be assignable at an index level, separate to admin functions at the service level. All above that would be a bonus.

3 comments
-
Felix G commented
Algolia uses so-called Secured API Keys for that: https://www.algolia.com/doc/guides/security/api-keys/how-to/how-to-restrict-the-search-to-a-subset-of-records-belonging-to-a-specific-user/
-
Tyler Syring commented
Would be nice to be able to implement role- or permission-based access to control which users in a given web application can initiate the API call.
-
Philipp Aumayr commented
I would really like to see that as well. We are developing a multi-tenant SaaS application that uses one index per tenant and would really like to have separate access keys. I thought this could be done with the current query-key mechanism, but query keys cannot currently be restricted to a specific index.