Merged
7 changes: 5 additions & 2 deletions _security/access-control/document-level-security.md
Expand Up @@ -9,7 +9,10 @@ redirect_from:
---

# Document-level security
Document-level security lets you restrict a role to a subset of documents in an index. The easiest way to get started with document- and field-level security is to open OpenSearch Dashboards and choose **Security**. Then choose **Roles**, create a new role, and review the **Index Permissions** section, shown in the following image.

Document-level security (DLS) determines the documents that a role can retrieve during read operations, such as search and get. It does not restrict write operations. If a role has permissions to index, update, or delete documents in an index, it can still modify or remove documents that are hidden by DLS. Write behavior is determined solely by index permissions and action groups.

To get started with DLS, open OpenSearch Dashboards and choose **Security**. Then select **Roles**, create a new role, and review the **Index permissions** section shown in the following image.

![Document- and field-level security screen in OpenSearch Dashboards]({{site.url}}{{site.baseurl}}/images/security-dls.png)

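Review bot: The write caveat in the new second paragraph ("It does not restrict write operations.") is the security-relevant statement of this change, but it reads as ordinary body text and stops short of telling the reader what to do about it. Consider setting it off as a note or warning in the site's callout style, adding a sentence that a role relying on DLS should not also be granted index, update, or delete permissions on the same index unless that is intended, and linking "index permissions and action groups" to the page that documents them. The alt text on the unchanged image line still reads "Document- and field-level security screen", which no longer matches the DLS-only lead-in sentence above it.
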
Expand All @@ -18,7 +21,7 @@ The maximum size for the document-level security configuration is 1024 KB (1,048

## Simple roles

Document-level security uses OpenSearch query domain-specific language (DSL) to define which documents a role grants access to. In OpenSearch Dashboards, choose an index pattern and provide a query in the **Document-level security** section:
DLS uses OpenSearch query domain-specific language (DSL) to define the documents that a role is allowed to retrieve. In OpenSearch Dashboards, choose an index pattern and provide a query in the **Document-level security** section:

```json
{
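Review bot: In the reworded "Simple roles" sentence, "the documents that a role is allowed to retrieve" is accurate but depends on the introduction to explain that the query filters reads only; a reader who arrives at this section through an anchor link will not see that. Consider a short cross-reference here to the write caveat in the introduction. The abbreviation is also applied unevenly: this sentence now opens with "DLS", while the nearby size-limit sentence visible in the hunk header still spells out "document-level security configuration".
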
4 changes: 2 additions & 2 deletions _security/access-control/field-level-security.md
Expand Up @@ -10,9 +10,9 @@ redirect_from:

# Field-level security

Field-level security lets you control which document fields a user can see. Just like [document-level security]({{site.url}}{{site.baseurl}}/security/access-control/document-level-security/), you control access by index within a role.
Field-level security (FLS) controls the document fields that a role can read in an index. It applies only to read operations, such as search and get, and does not prevent users with write or delete permissions from indexing, updating, or deleting data in those fields. Similarly to [document-level security]({{site.url}}{{site.baseurl}}/security/access-control/document-level-security/), you configure FLS per index within a role.

The easiest way to get started with document- and field-level security is open OpenSearch Dashboards and choose **Security**. Then choose **Roles**, create a new role, and review the **Index permissions** section.
The easiest way to get started with FLS is to open OpenSearch Dashboards and choose **Security**. Then choose **Roles**, create a new role, and review the **Index permissions** section.

---

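Review bot: The new FLS paragraph switches subject mid-sentence, from "fields that a role can read" to "users with write or delete permissions", while the DLS page phrases the same caveat in terms of the role; use "role" in both places so the two pages state the limitation the same way. "Similarly to [document-level security]" is awkward, and "As with" reads better. The getting-started sentence here keeps "The easiest way to get started with FLS" and "Then choose **Roles**", whereas the DLS page now says "To get started with DLS" and "Then select **Roles**"; pick one wording for both. As on the DLS page, the statement that FLS "does not prevent users with write or delete permissions from indexing, updating, or deleting data in those fields" deserves a note or warning callout rather than a clause inside the opening paragraph.
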