Configuring security for record editing

With regard to access control, Siren Investigate goes through the following steps when editing records:

  • An index is chosen to store edited records. The user who configures record editing must be allowed to add new metadata fields about edited records to that index.

  • Investigate performs the low-level document write operations on behalf of users. To do so, index-level permission to write documents in the storage index must be granted to the Investigate backend user.

  • Permission to edit records is granted when the user has a dedicated revise permission on the Entity Table.

Choosing a storage index

In the Access Control app, the user who configures record editing must always be granted permission to view and put mappings on the storage index. This is required to add the specific metadata fields that Investigate uses to control record editing.

Dataspace scoped indices

Storage indices managed by Investigate whose names start with the siren- prefix automatically receive the permissions needed to edit records as part of the setup procedure in Configuring security for shared indices. This is the case when you select the option Use a revision index to store edited records.

Remember to assign users to the sic_role to let them see dataspace scoped indices and the edited records therein.

Standard Elasticsearch index

Storing edited records in standard Elasticsearch indices requires explicit index-level permissions to write records. This is the case when the storage option Use the same index is selected for an Entity Table with an index name not starting with siren-.

The following is an example of an investigate_system role definition for Elastic Stack Security that gives the backend user the required permissions on the article index:

{
  "cluster": [
    "cluster:internal/federate/*",
    "cluster:admin/federate/*",
    "cluster:monitor/*",
    "manage_index_templates"
  ],
  "indices": [
    {
      "names": [
        "/\\.siren.*/",
        "/siren-.*/",
        "/watcher.*/",
        "/web-service-.*/"
      ],
      "privileges": [
        "all"
      ]
    },
    {
      "names": [
        "article"
      ],
      "privileges": [
        "write"
      ]
    }
  ]
}
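The following check is an added example, not part of the Siren documentation or product. It reads an Elastic Stack Security role body like the one above and reports, for each index chosen to store edited records, whether the backend role can write to it and whether the grant is broader than write. The index names siren-revisions and customer are constructed, and Python's re module stands in for Elasticsearch's regex syntax.

```python
import json
import re

# Index section of the role shown above (cluster section omitted).
ROLE = json.loads(r'''
{"indices": [
  {"names": ["/\\.siren.*/", "/siren-.*/", "/watcher.*/", "/web-service-.*/"],
   "privileges": ["all"]},
  {"names": ["article"], "privileges": ["write"]}
]}
''')

# Simplification: only these two built-in privileges are treated as write-capable.
WRITE_CAPABLE = {"write", "all"}


def name_matches(pattern, index):
    """Match an index name against one entry of a role's "names" list.

    /.../ entries are regular expressions, anything else is a wildcard.
    Assumption: Python's re is close enough to Lucene regex for these patterns.
    """
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        regex = pattern[1:-1]
    else:
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                        for c in pattern)
    return re.fullmatch(regex, index) is not None


def audit(role, storage_indices):
    """Return {index: finding} for every index chosen to store edited records."""
    findings = {}
    for index in storage_indices:
        granted = set()
        for entry in role.get("indices", []):
            if any(name_matches(p, index) for p in entry["names"]):
                granted.update(entry["privileges"])
        if not granted & WRITE_CAPABLE:
            findings[index] = "missing write"      # edits to this index would be denied
        elif index.startswith("siren-") or granted == {"write"}:
            findings[index] = "ok"
        else:
            findings[index] = "broader than write"  # more than the example above grants
    return findings


if __name__ == "__main__":
    print(audit(ROLE, ["article", "siren-revisions", "customer"]))
```

Run it against the role body exported from your cluster before enabling Use the same index on a new Entity Table.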

The following is an analogous investigate_system role definition for Search Guard Classic:

investigate_system:
  cluster_permissions:
  - CLUSTER_COMPOSITE_OPS
  - CLUSTER_MANAGE
  - CLUSTER_MONITOR
  index_permissions:
  - index_patterns:
    - 'siren-*'
    - '?siren*'
    - '?map__*'
    - 'watcher*'
    - 'web-service-*'
    allowed_actions:
    - INDICES_ALL
  # Grant the backend user permission to write records on every standard ES index for which you want to enable revisions.
  - index_patterns:
    - 'article'
    allowed_actions:
    - WRITE

Legacy revision indices

Prior to Siren Investigate version 12.0, revision indices were not scoped to dataspaces. They required extensive security permissions.

If you have legacy revision indices in your installation, you can keep the security configuration as it is; they will continue to work as usual. However, you cannot create any new non-scoped revision indices.

Allow users to edit records

To allow users to edit records on an Entity Table, grant the ACL revise permission:

  1. Open the ACL permissions page of your saved object search. Select Management > Saved Objects > Entity tables and searches.

  2. From the Revise dropdown of the role, select Allow.

  3. Click Save.

Saved Search ACL Revise Column