DOCSP-35902 Security considerations for RBAC

source/rules/filters.txt

@@ -307,3 +307,16 @@ from the App Services UI or by deploying configuration files with Realm CLI:
             .. code-block:: bash
 
                {+cli-bin+} push --remote="<Your App ID>"
+
+.. note:: Security Consideration for App Services Filters
+
+  While :ref:`Role-based Permissions <roles>` and Filters can hide specific 
+  documents and fields within a collection there is a potential that 
+  data can be exposed if the system allows arbitrary 
+  queries to access the collection. For example, queries or functions that 
+  raise errors depending on the values stored in a collection (such 
+  as division-by-zero errors) may reveal information about documents, even if 
+  a role or filter prevents the querying user from viewing 
+  documents directly. Users may also make inferences about the underlying data 
+  in other ways (such as by measuring query execution time, which can be affected 
+  by the data's distribution).

source/rules/roles.txt

@@ -511,3 +511,16 @@ deploying configuration files with {+cli+}:
          .. code-block:: bash
 
             {+cli-bin+} push
+
+.. note:: Security Consideration for App Services Role-based Permissions
+
+  While Role-based Permissions and :ref:`Filters <filters>` can hide specific 
+  documents and fields within a collection there is a potential that 
+  data can be exposed if the system allows arbitrary 
+  queries to access the collection. For example, queries or functions that 
+  raise errors depending on the values stored in a collection (such 
+  as division-by-zero errors) may reveal information about documents, even if 
+  a role or filter prevents the querying user from viewing 
+  documents directly. Users may also make inferences about the underlying data 
+  in other ways (such as by measuring query execution time, which can be affected 
+  by the data's distribution).