Securing Document Access (Security Groups etc)

Overview

In systems and applications where search users are restricted in the documents they may view, search results must be limited so that they do not include restricted documents. There are various approaches to achieving this; the best approach depends on the situation and must be decided by the creator of the index.

'Early Binding'

This type of access control involves identifying and storing, as the index is being built, which users (or groups) can access which documents. The access control for a document could be specified in meta-tags, by a plug-in, derived from the document's location, or set manually.

The advantage of 'early binding' is performance, because access control is applied at a deeper level in the engine than with 'late binding': restricted documents are excluded as the results are generated rather than removed afterwards. Two models of 'early binding' are outlined below:

-Security Groups

Security Groups are built into this product and are ideal in nearly all cases, except when 'separate index directories' are required (see below).

More information on Security Groups
-Separate Index Directories Per User Group

If your application generates different content for the same URL depending on the logged-in user's privilege level (eg. default.aspx shows different content to different user groups), then 'Security Groups' will not work, because the index holds one document per URL and cannot distinguish the versions of the same URL seen by different user groups.

The suggested solution is to create a different index directory for each privilege level.

Eg. if application users can be public, members or premium members, then 3 index directories should be created, named;

The web-site should then be crawled 3 times, once per index directory, logging in with an account of the appropriate privilege level so that the indexer sees the content for that user group (public, members, premium members). The account used for each crawl must have no more access than that level; otherwise content restricted to a higher level is copied into a lower level's index.

Then at search time the SearchResult control is pointed to the correct index directory for the current user by setting the SearchResult.IndexDirectory property. The directory must be chosen from the server-side authenticated identity of the user, never from a value supplied in the request, and an anonymous or unrecognised user should receive the least privileged (public) index.
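An added example of the search-time step, written for this page and not taken from Keyoti's own code or samples. It assumes the three index directories were built as described above under ~/App_Data/ as index_public, index_members and index_premium (hypothetical paths), that users carry the ASP.NET roles "Member" and "PremiumMember" (hypothetical role names), and that the page holds a SearchResult control with the ID SearchResult1 (hypothetical control ID). Only the SearchResult.IndexDirectory property comes from the page above.

```csharp
// Added example, not Keyoti's own code. Assumed names: index directories under ~/App_Data/
// (index_public, index_members, index_premium), ASP.NET roles "Member" and "PremiumMember",
// and a SearchResult control with ID SearchResult1. Only IndexDirectory is from the page.
using System;
using System.Security.Principal;
using System.Web.UI;

public partial class SearchPage : Page
{
    // Selects the index that was crawled with the caller's privilege level. The decision
    // uses only the server-side principal: a query-string, cookie or hidden-field value
    // must never pick the directory, or any visitor could search the premium index.
    internal static string IndexDirectoryFor(IPrincipal user)
    {
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
        {
            // Most privileged level first, so a user in several roles gets the widest index.
            if (user.IsInRole("PremiumMember")) return "~/App_Data/index_premium";
            if (user.IsInRole("Member"))        return "~/App_Data/index_members";
        }
        // Fail closed: anonymous or unrecognised users get the public index.
        return "~/App_Data/index_public";
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Set early in the page lifecycle, before the control runs the search.
        // App_Data is not served by ASP.NET, so the index files cannot be downloaded directly.
        // Whether IndexDirectory expects a virtual or physical path should be checked against
        // the property's documentation; Server.MapPath supplies the physical path.
        SearchResult1.IndexDirectory = Server.MapPath(IndexDirectoryFor(Page.User));
    }
}
```

The two points worth copying from this are the order of the role checks (most privileged first, so that nested or multiple roles resolve to the widest index the user is entitled to) and the fail-closed default (anything that is not positively recognised lands in the public index rather than in a more privileged one).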

'Late Binding'

Possibly the simplest approach, 'late binding' requires only a filter that removes from the results the documents the current user cannot see, after the results have been retrieved. The disadvantages are lower performance (the access check runs for every candidate result, after the engine has done its work, so a page of results may shrink and need refilling) and the limited availability, at that point, of the data needed to decide which documents are accessible. Please see the section on filtering to understand how to write a filter.
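An added example of what a late-binding filter does, written for this page and not taken from the product's filtering API (the section on filtering describes that). The Hit class, the Acl table, the group names and the Filter method are hypothetical stand-ins, and the sample hits are constructed for illustration; the example shows the per-hit check, the fail-closed handling of documents with no access-control data, and the shrinking-page effect the paragraph above describes.

```csharp
// Added example of late-binding filtering. Hit, Acl, Filter and the group names are
// hypothetical stand-ins, not the product's filtering API; sample data is constructed.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class Hit
{
    public string Url { get; set; }
    public string Title { get; set; }
}

public static class LateBindingFilter
{
    // Document ACL keyed by URL path: which groups may see each document. In a real
    // deployment this is a per-hit lookup against a database or file permissions, run
    // after the engine has already ranked the results; that is the cost of late binding.
    private static readonly Dictionary<string, string[]> Acl =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "/public/faq.aspx",     new[] { "Public", "Member", "PremiumMember" } },
            { "/members/guide.aspx",  new[] { "Member", "PremiumMember" } },
            { "/premium/report.aspx", new[] { "PremiumMember" } },
        };

    public static bool CanView(string url, ISet<string> userGroups)
    {
        // Compare on the path only, so "http://host/x?q=1" and "/x" hit the same ACL entry.
        string path = Uri.IsWellFormedUriString(url, UriKind.Absolute)
            ? new Uri(url).AbsolutePath
            : url.Split('?')[0];
        string[] allowed;
        // Fail closed: a document with no ACL entry is never shown.
        if (!Acl.TryGetValue(path, out allowed)) return false;
        return allowed.Any(userGroups.Contains);
    }

    // Removes hits the user may not see. Because this runs after retrieval, a page of
    // N hits can come back shorter than N; the caller must fetch more or adjust counts.
    public static List<Hit> Filter(IEnumerable<Hit> hits, ISet<string> userGroups)
    {
        return hits.Where(h => CanView(h.Url, userGroups)).ToList();
    }

    public static void Demo()
    {
        // Constructed sample results, as the engine might return them before filtering.
        var hits = new List<Hit>
        {
            new Hit { Url = "http://www.example.com/public/faq.aspx", Title = "FAQ" },
            new Hit { Url = "/members/guide.aspx?print=1",           Title = "Guide" },
            new Hit { Url = "/premium/report.aspx",                  Title = "Report" },
            new Hit { Url = "/unlisted/draft.aspx",                  Title = "Draft" },
        };
        var member = new HashSet<string> { "Public", "Member" };
        // A member sees FAQ and Guide only: Report is restricted to premium members and
        // Draft has no ACL entry, so four hits become two.
        foreach (var h in Filter(hits, member)) Console.WriteLine(h.Title);
    }
}
```

Note the two design choices: the ACL lookup is keyed on the normalised path so that query strings or absolute URLs cannot bypass it, and a missing ACL entry denies rather than allows, which matters precisely because late binding may have less data available at search time than the indexer had.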

Please email support@keyoti.com if it is not clear which type of approach to use.