
About Security Groups

Security Groups define which groups of users can see which documents. By setting user permissions (see below) only those documents within a specific group can be searched. A document can be associated with multiple Security Groups. Any documents that are not associated with a security group remain in "default" and are available for all users to search.

Example:

Requirement: Only those users within the Sales department should be able to search documents intended for the Sales department. Only those users within the Accounts department should have access to Accounts documents.

  1. First we create a Security Group for 'Sales' and another Security Group for 'Accounts'.
  2. We then associate documents to their respective security groups (Sales or Accounts).
  3. In the code-behind of the SearchResult page we then restrict the search to certain groups based on the logged in user (see below).

A document's Security Group can be specified by:
  1. HTML meta tags
  2. Your plug-in
  3. Matching the auto-assign path, or
  4. Manually using the Index Management Tool or Web Administration Tool.

Assigning Security Groups using HTML meta tags

Security Groups can be assigned to documents using HTML meta tags like this:

<meta name="keyoti_search_security_groups" content="admin,sales">

Note: If the Security Group names specified within the meta tags do not match those set up in the Index Directory, then a new Security Group will be created with that name.

Using your plug-in

Security Groups can be assigned using your own plug-in. Please see the 'Central Event System - Plug-ins' section of this Help for details on setting up your plug-in.

Note: If the Security Group names specified within your plug-in do not match those set up in the Index Directory, then a new Security Group will be created with that name.

Auto Assign Security Groups

By adding an Auto Assign Path to a Security Group, documents can be matched to each group based on their path.

Using Index Management Tool

  1. Enter the name of the Security Group you would like to create.
  2. In the Auto Assign Path column, enter the string that will be used to identify matching paths.
  3. To automatically assign pages that have already been imported, click 'Auto Assign Documents'.
    Note: To reassign documents that have already been assigned to a group, select 'Auto Reassign All Documents' by clicking the arrow on the right hand side of the button.

Any documents imported in the future that meet the Auto Assign Path criteria will be automatically assigned for you.

Using Web Administration Tool

To automatically assign security groups to documents using the Web Administration Tool:

1. Select 'Manage Security Groups'.
2. Enter the name of the Security Group you would like to create.
3. In the Security Root Path field, enter the string that will be used to identify matching paths.
4. Click 'Add'.
5. To automatically assign pages that have already been imported, click 'Auto Assign'.
Note: Select 'All Documents' and click 'Auto Assign' to reassign documents that have already been assigned to a security group.

Any documents imported in the future that meet the Auto Assign Path criteria will be automatically assigned for you.

Restricting search based on logged in user

The application developer can restrict the search to certain groups based on the logged in user like this:

C# (ASP.NET Control based usage)

SearchResult1.SearchOptions.SecurityGroupNames = new string[] { "admin" };

VB.NET (ASP.NET Control based usage)

SearchResult1.SearchOptions.SecurityGroupNames = New String() {"admin"}

JavaScript (JavaScript based usage, called in an .aspx page)

<script type="text/javascript">
    keyotiSearch.securityGroups = ["<%= Keyoti.SearchEngine.SecurityGroup.Encrypt("admin") %>"];
</script>

JavaScript (JavaScript based usage, called in a Razor page)

<script type="text/javascript">
    keyotiSearch.securityGroups = ["@Keyoti.SearchEngine.SecurityGroup.Encrypt("admin")"];
</script>


In the JavaScript based usage examples, the "admin" group name is encrypted on the server before it is written into the HTML rendered for the page. This ensures that users cannot fake the Security Group that they belong to; however, it also requires that server side code is used to encrypt the name. In other words, <%= ... %> (ASP.NET) and @... (Razor) type code will only work in ASP.NET and Razor pages, not plain HTML.

If the user does not have special document access privilege, then the security group name specified in the array above should be "default". If no security group names are specified, or if SearchOptions is null, then only documents from "default" will be returned.
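
The Sales/Accounts requirement from the example above, as one way to derive the group names from the logged in user in the SearchResult page's code-behind. This is an added example, not Keyoti's own code: the page class name, the role names ("SalesStaff", "AccountsStaff") and the role-to-group mapping are assumptions; only SearchResult1.SearchOptions.SecurityGroupNames is taken from this page.

```csharp
using System;
using System.Collections.Generic;
using System.Web.UI;

// Hypothetical code-behind class; SearchResult1 is the search control
// declared in the .aspx markup, as in the snippets above.
public partial class SearchResultPage : Page
{
    // Assumed mapping from application role to Security Group name.
    // The group names must match those set up in the Index Directory.
    private static readonly Dictionary<string, string> RoleToGroup =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "SalesStaff", "Sales" },
            { "AccountsStaff", "Accounts" }
        };

    protected void Page_Load(object sender, EventArgs e)
    {
        // Group names come only from the server-side identity, never from
        // the query string, form fields or cookies supplied by the browser.
        SearchResult1.SearchOptions.SecurityGroupNames = GroupsForCurrentUser();
    }

    private string[] GroupsForCurrentUser()
    {
        var groups = new List<string>();

        if (User != null && User.Identity.IsAuthenticated)
        {
            foreach (KeyValuePair<string, string> pair in RoleToGroup)
            {
                if (User.IsInRole(pair.Key))
                {
                    groups.Add(pair.Value);
                }
            }
        }

        // Anonymous users and users with no mapped role search "default" only.
        if (groups.Count == 0)
        {
            groups.Add("default");
        }
        return groups.ToArray();
    }
}
```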

For increased security it is possible to specify a custom encryption key used to encrypt the security group name. This is done in the web.config appSettings. The key only needs to be random text.

web.config

<configuration>
  ...
  <appSettings>
    <!-- Replace the value with your own random text. -->
    <add key="Keyoti-SearchEngine-EncryptionKey" value="some random text"/>
  </appSettings>
</configuration>