# Role definitions in the config_version 2 layout used by the OpenSearch /
# Open Distro security plugin (presumably its roles.yml - confirm against the
# deployment that loads this file).
_meta:
  type: "roles"
  config_version: 2

# gendb_user_role: access to the "documents" indices, narrowed by a
# document-level security (DLS) query keyed on the authenticated user name.
gendb_user_role:
  description: "DLS: user can read/write docs they own or are allowed on"
  # The bulk action is granted here at cluster level. Which indices the bulk
  # items may touch is still governed by index_permissions below.
  # NOTE(review): confirm this matches how the deployed plugin version
  # evaluates bulk requests.
  cluster_permissions:
    - "indices:data/write/bulk"
  index_permissions:
    # NOTE(review): "documents*" already matches "documents", so the first
    # entry is redundant. The wildcard also covers every index whose name
    # merely starts with "documents" (constructed example: "documents-archive").
    # Together with create_index below, role holders can create new indices
    # under that prefix. Tighten the pattern if only one index is intended.
    - index_patterns: ["documents", "documents*"]
      # Both entries are action-group names, so their exact contents depend on
      # the action-group configuration in use. In the stock groups, crud
      # covers read and write (including delete) document actions.
      allowed_actions:
        - crud
        - create_index
      # DLS filter: a document is visible when at least one clause matches
      # (minimum_should_match is 1):
      #   1. its "owner" field equals the user name,
      #   2. its "allowed_users" field contains the user name,
      #   3. it has no "owner" field at all.
      # ${user.name} is the placeholder the plugin replaces with the
      # authenticated user's name before the query is applied.
      #
      # NOTE(review): clause 3 exposes every ownerless document to every holder
      # of this role, which the description above does not mention. Confirm
      # this is intended (e.g. for legacy or shared documents); otherwise any
      # document indexed without "owner" is effectively shared.
      #
      # NOTE(review): DLS narrows what read operations return. As far as I know
      # it does not by itself restrict index or delete requests addressed by
      # document ID, so the "write docs they own" part of the description is
      # probably not enforced by this query alone. Verify against the plugin
      # version in use and enforce ownership on writes elsewhere (for example
      # in the application tier) if it matters.
      #
      # NOTE(review): term queries match exact values. This assumes "owner" and
      # "allowed_users" are mapped as keyword fields - verify the index mapping.
      #
      # The folded scalar (>) joins the lines below into a single line of JSON.
      # Comments cannot go inside it, because they would become part of the
      # query string.
      dls: >
        {"bool":{"should":[
        {"term":{"owner":"${user.name}"}},
        {"term":{"allowed_users":"${user.name}"}},
        {"bool":{"must_not":{"exists":{"field":"owner"}}}}
        ],"minimum_should_match":1}}