Google Search Appliance Feeds Protocol Developers Guide User Manual

Google Search Appliance: Feeds Protocol Developer’s Guide

20

Specifying Denial of Access to Users and Groups

The search appliance supports DENY ACLs. When a user or group is denied permission to view the URL,
it does not appear in the search results. You can specify users and groups that are not permitted to view
a document by using meta tags, as shown in the following examples.

To specify denial of access, the value of the name attribute must be google:acldenyusers or
google:acldenygroups.

For example, to specify Joe as the user who is denied access to a document, use the following code:

To specify administration as the group that is denied access to a document, use the following code:

Generally, DENY takes precedence over PERMIT. The following logic determines authorization decisions
for per-URL ACLs:

1.

start with decision=INDETERMINATE

2.

if the user is denied, return DENY

3.

if the user is permitted, set decision to PERMIT

4.

if any of the groups are denied, return DENY

5.

if any of the groups are permitted, set decision to PERMIT

6.

if decision is INDETERMINATE, set to DENY

7.

return decision

Example of a Legacy Per-URL ACL for a Feed

The following example shows the legacy code for adding a per-URL ACL for http://insidealpha.com/
personnel.htm in a feed: