ElasticSearch global search results do not interact with Security Groups

SuiteCRM version: 7.14.3

Good afternoon,

It seems that even if a user has limited access to modules and records and correctly can’t see the records they aren’t supposed to see, those records will still appear in global search if the engine is ElasticSearch. I seem to remember Lucene correctly hid search results but I could be wrong about this. Is there a way to limit ElasticSearch results or to disable Global search for specific users altogether?

Thank you.

Does that also apply to new records, or just pre-existing ones?

I am asking, because some sequences of events might be complicating things. Imagine this:

  1. Record is created with wide access
  2. ElasticSearch indexes the record
  3. Access is restrained
  4. … but elastic still has the record indexed for everyone, so it still shows in search

I am not certain of how security accesses are handled during indexing, and afterwards, so I am just speculating.

This is an important issue, if confirmed.

To test this I created a new lead from another account, then looked it up with the account set to see only its own leads. The new lead was visible.
It seems both new and pre-existing records are affected.

2 Likes

This would be a good question for @eggsurplus, expert on Security Groups.
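
The two cases discussed in this thread (a record restricted after it was indexed, and a record created already restricted), as an added example that is not part of any post and is not SuiteCRM or Elasticsearch code. It is a constructed in-memory model comparing unfiltered hits, filtering on an ACL snapshot stored at index time, and filtering against the live access rule at query time. Every class, function, user and group name is an assumption, and the access rule is deliberately simplified.

```python
# Constructed model for illustration; none of these names are SuiteCRM or Elasticsearch APIs.
def allowed(acl, user):
    # Simplified rule (assumption): no groups = wide access, else owner or group member.
    return not acl["groups"] or acl["owner"] == user["name"] or bool(acl["groups"] & user["groups"])

class Crm:
    """Source of truth: current record text and which security groups may view it."""
    def __init__(self):
        self.records = {}

    def save(self, rec_id, text, owner, groups=()):
        self.records[rec_id] = {"text": text, "owner": owner, "groups": set(groups)}

    def can_view(self, user, rec_id):
        rec = self.records.get(rec_id)
        return rec is not None and allowed(rec, user)

class SearchIndex:
    """Search engine stand-in: copies the text and an ACL snapshot at index time."""
    def __init__(self):
        self.docs = {}

    def index(self, rec_id, rec):
        self.docs[rec_id] = {"text": rec["text"], "owner": rec["owner"], "groups": set(rec["groups"])}

    def hits(self, term):
        return sorted(i for i, d in self.docs.items() if term.lower() in d["text"].lower())

def search_unfiltered(idx, term):
    # No access check at all: every matching document is returned.
    return idx.hits(term)

def search_snapshot_acl(idx, user, term):
    # Trusts the ACL copied at index time; goes stale if access changes without a reindex.
    return [i for i in idx.hits(term) if allowed(idx.docs[i], user)]

def search_live_acl(idx, crm, user, term):
    # Re-checks every hit against the current rule in the source of truth.
    return [i for i in idx.hits(term) if crm.can_view(user, i)]

def run_scenarios():
    crm, idx = Crm(), SearchIndex()
    bob = {"name": "bob", "groups": {"west"}}                  # constructed restricted user
    crm.save("lead-old", "Acme lead", "alice")                 # 1. created with wide access
    idx.index("lead-old", crm.records["lead-old"])             # 2. indexed
    crm.save("lead-old", "Acme lead", "alice", {"east"})       # 3. restricted, no reindex
    crm.save("lead-new", "Acme lead two", "alice", {"east"})   # created already restricted
    idx.index("lead-new", crm.records["lead-new"])
    return {"unfiltered": search_unfiltered(idx, "acme"),
            "snapshot": search_snapshot_acl(idx, bob, "acme"),
            "live": search_live_acl(idx, crm, bob, "acme")}
```

In this model the stale snapshot leaks only the record restricted after indexing, while a record that was restricted from creation leaks only when no filter is applied, so testing with a new record separates the two causes.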