Sync Gateway restrict read access

Hey, I'm having difficulty understanding the setup of read access control for different users.
In my scenario I want to have 3 users in the Sync Gateway:

  1. master - for uploading/editing/reading all documents stored in this database
  2. userA - with read access to a subset of the documents in this database
  3. userB - with read access to another subset of the documents in this database

I created my documents so that they contain a channels array in JSON, and in this array I specify the FEATURE name to which the document belongs (like featureA, featureB, featureZ).

My goal is for userA to access documents from channels featureA and featureZ only, and userB from featureB and featureZ only. As I’m using Couchbase Lite, I want syncing of those documents to exclude unneeded documents.

Now I set up my database in the following way:

"mydatabase": {
  "server": "http://server",
  "bucket": "bucketname",
  "username": "bucketname",
  "password": "password",
  "users": {
    "GUEST": {
      "disabled": true,
      "admin_channels": ["*"]
    },
    "master": {
      "disabled": false,
      "password": "password",
      "admin_channels": ["*"]
    },
    "userA": {
      "disabled": false,
      "password": "password",
      "admin_channels": [
        "featureA",
        "featureZ"
      ]
    },
    "userB": {
      "disabled": false,
      "password": "password",
      "admin_channels": [
        "featureB",
        "featureZ"
      ]
    }
  },
  "sync":
        `
        function(doc, oldDoc){
            channel(doc.channels);
        }`
}

With such config I can access all documents regardless of which user I’m authenticated with against Sync Gateway.
Can you tell me what I am missing in this config?

How are you accessing the documents?

Also check the channel assignments for the document via the _raw endpoint to confirm that they are assigned to the right channels.
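
An offline way to see which documents each user in the posted config should be able to read, as an added example that is not part of the original thread. The `channel()` stub, the helper names and the sample documents are assumptions constructed here; the sync function and `admin_channels` are copied from the question.

```javascript
// Sync function copied from the config in the question.
function sync(doc, oldDoc) {
  channel(doc.channels);
}

// Users and their admin_channels, copied from the config in the question.
const users = {
  master: ["*"],
  userA: ["featureA", "featureZ"],
  userB: ["featureB", "featureZ"],
};

let assigned; // channels collected by the stub for the current document

// Local stub for Sync Gateway's channel(): string or array; null/undefined is a no-op.
function channel(...args) {
  for (const arg of args) {
    if (arg === null || arg === undefined) continue;
    for (const name of Array.isArray(arg) ? arg : [arg]) assigned.add(name);
  }
}

// Run the sync function on one document and return the channels it was routed to.
function channelsFor(doc) {
  assigned = new Set();
  sync(doc, null);
  return assigned;
}

// A user can read a document if they hold "*" or share at least one channel with it.
function canRead(user, doc) {
  const granted = users[user];
  if (granted.includes("*")) return true;
  const docChannels = channelsFor(doc);
  return granted.some((c) => docChannels.has(c));
}

// Constructed sample documents.
const docs = [
  { _id: "a1", channels: ["featureA"] },
  { _id: "b1", channels: ["featureB"] },
  { _id: "z1", channels: ["featureZ"] },
  { _id: "n1" }, // no channels property: routed to no named channel
];

// Expected read matrix for the three users.
function readMatrix() {
  return Object.fromEntries(Object.keys(users).map((u) => [u, docs.filter((d) => canRead(u, d)).map((d) => d._id)]));
}
console.log(readMatrix());
```

If this matrix is what you expect but a client still receives every document, compare it with the channels Sync Gateway actually stored for each document, using the _raw endpoint mentioned in the reply.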