
[FEATURE] Explicit Deny Construct in the Security Permission Model

Open devardee opened this issue 1 year ago • 1 comments

Is your feature request related to a problem? The current permission model of the security plugin has no construct for explicit deny.

What solution would you like? The role would look something like this:

complex-role:
  reserved: false
  hidden: false
  cluster_permissions:
  - "read"
  - "cluster:monitor/nodes/stats"
  - "cluster:monitor/task/get"
  allowed_index_permissions:
  - index_patterns:
    - "opensearch_dashboards_sample_data_*"
    dls: "{\"match\": {\"FlightDelay\": true}}"
    fls:
    - "~FlightNum"
    masked_fields:
    - "Carrier"
    allowed_actions:
    - "read"
  denied_index_permissions:
  - index_patterns:
    - "sample_index_*"
  tenant_permissions:
  - tenant_patterns:
    - "analyst_*"
    allowed_actions:
    - "kibana_all_write"
  static: false
_meta:

What alternatives have you considered? No

Do you have any additional context? No

devardee, Jan 13 '25 09:01

[Triage] Thank you for filing this issue @devardee. This has been brought up previously so I will try to resurrect the discussion.

The current security model is to DENY ALL and explicitly allow permissions, rather than the opposite: ALLOW ALL and then list out the denial rules.

cwperks, Jan 13 '25 16:01
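How the proposed `denied_index_permissions` block could sit on top of the default-deny baseline described in the triage reply, as an added example that is not part of the issue or the security plugin's code. It assumes deny-overrides semantics across a user's roles, which the issue does not specify; the `broad-reader` role, the `ACTION_GROUPS` table and the `evaluate` function are hypothetical.

```python
from fnmatch import fnmatchcase

# Simplified stand-in for action-group expansion (assumption, not the plugin's table).
ACTION_GROUPS = {"read": ["indices:data/read*"]}

# Constructed roles using the field names proposed in the issue.
ROLES = {
    "complex-role": {
        "allowed_index_permissions": [
            {"index_patterns": ["opensearch_dashboards_sample_data_*"],
             "allowed_actions": ["read"]},
        ],
        "denied_index_permissions": [{"index_patterns": ["sample_index_*"]}],
    },
    # Hypothetical second role that grants read on every index.
    "broad-reader": {
        "allowed_index_permissions": [
            {"index_patterns": ["*"], "allowed_actions": ["read"]},
        ],
    },
}


def matches(patterns, value):
    """True if value matches any wildcard pattern (fnmatch as a stand-in matcher)."""
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(role_names, index, action):
    """Return (decision, reason) for one index-level action across a user's roles."""
    roles = [(name, ROLES[name]) for name in role_names]
    # Pass 1: an explicit deny in any role wins over every allow (assumed semantics).
    for name, role in roles:
        for rule in role.get("denied_index_permissions", []):
            if matches(rule["index_patterns"], index):
                return "deny", f"explicit deny in {name}"
    # Pass 2: an allow rule must match both the index and the action.
    for name, role in roles:
        for rule in role.get("allowed_index_permissions", []):
            actions = [p for a in rule["allowed_actions"]
                       for p in ACTION_GROUPS.get(a, [a])]
            if matches(rule["index_patterns"], index) and matches(actions, action):
                return "allow", f"allowed by {name}"
    # Pass 3: nothing matched, so the default-deny baseline applies.
    return "deny", "default deny"
```

With `complex-role` alone, `sample_index_*` is unreachable under default deny anyway; the explicit deny only changes the outcome once another role such as `broad-reader` grants a wider pattern.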