Flexible authorization – Google Search Appliance Managing Search for Controlled-Access Content User Manual
Google Search Appliance: Managing Search for Controlled-Access Content
Flexible Authorization
Flexible authorization gives you more control over authorization by enabling you to:
• Specify the authorization mechanisms in your environment
• Customize which authorization mechanisms handle which URLs
You can perform these tasks by configuring flexible authorization rules. A flexible authorization rule defines:
• The protected content (URL pattern) to which the rule applies
• An identity that maps the rule to a credential group or to an instance of an authentication mechanism
• Information that is specific to the authorization mechanism
You can configure rules for the following authorization mechanisms:
• CACHE
• CONNECTOR
• DENY
• HEADREQUEST
• POLICY
• SAML
• PER-URL ACL
To configure rules for authorization mechanisms, use the Serving > Flexible Authorization page. For
step-by-step procedures for configuring specific types of rules, click Help Center > Serving > Flexible
Authorization.
After the search appliance authenticates a user, that is, establishes the user’s identity, it attempts to determine whether that user is allowed to see each secure document that matches the search. The search appliance performs these authorization checks by applying the flexible authorization rules in the order in which they appear on the Serving > Flexible Authorization page.
Although you can reorder the authorization routing table, Google recommends keeping the default layout, in which the first rule in the table is a PER-URL ACL rule with the URL pattern “/”, with or without late binding. Per-URL ACLs are evaluated against the ACLs stored with the documents in the index, without a round trip to an external system, so this ordering gives the best authorization performance when a search matches a large number of documents. Placing a rule for another mechanism ahead of it means that mechanism is consulted for every matching URL before the ACL check runs, which can make authorization slow even for a small number of documents.
Most of the supported authorization mechanisms can return one of three decisions for each URL:
• Allow: allow the user access to the URL.
• Deny: deny the user access to the URL.
• Indeterminate: the mechanism could not reach a definitive answer, so the search appliance applies the next rule in the ordered list of rules.
Any given URL might match more than one flexible authorization rule. In that case, the mechanisms of the matching rules are applied in table order until one of them returns a decision other than Indeterminate; that decision is final, and the remaining rules are not consulted. A mechanism that cannot handle a URL returns Indeterminate. If every matching mechanism returns Indeterminate, or no rule matches the URL at all, the user is denied access to the URL: the default outcome is Deny, never Allow.
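The ordered evaluation described above, as an added example that is not part of this manual or of the search appliance’s own code. It models a small routing table and walks it the way the text describes: matching rules are consulted in order, the first Allow or Deny wins, and no match or only Indeterminate answers ends in Deny. The pattern syntax (“/” matches everything, “regexp:” introduces a regular expression, anything else is a literal URL prefix), the way the PER-URL ACL and POLICY models reach their decisions, the intranet.example.com URLs and the group names are all assumptions made for illustration, as are the constructed ACLs that stand in for ACLs stored in the index.

```python
"""Constructed model of how the search appliance walks the flexible
authorization routing table (added example, not GSA code). Pattern syntax,
mechanism behaviour, hostnames and principals are assumptions for illustration."""
import re
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    INDETERMINATE = "indeterminate"


@dataclass(frozen=True)
class Identity:
    user: str
    groups: FrozenSet[str]

    def principals(self) -> FrozenSet[str]:
        return self.groups | {self.user}


@dataclass(frozen=True)
class Rule:  # one row of the routing table
    pattern: str
    mechanism: str
    check: Callable[[Identity, str], Decision]


def url_matches(pattern: str, url: str) -> bool:
    """Assumed syntax: "/" matches every URL, "regexp:" introduces a
    regular expression, anything else is a literal URL prefix."""
    if pattern == "/":
        return True
    if pattern.startswith("regexp:"):
        return re.search(pattern[len("regexp:"):], url) is not None
    return url.startswith(pattern)


# Constructed per-document ACLs, standing in for ACLs stored in the index.
DOC_ACLS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "http://intranet.example.com/hr/salary.html":
        {"permit": frozenset({"hr-staff"}), "deny": frozenset()},
    "http://intranet.example.com/eng/design.html":
        {"permit": frozenset({"engineering"}), "deny": frozenset({"contractors"})},
}


def per_url_acl(identity: Identity, url: str) -> Decision:
    """PER-URL ACL model: no stored ACL means this mechanism cannot decide;
    an explicit deny beats a permit; an ACL that lists neither the user
    nor one of the user's groups denies."""
    acl = DOC_ACLS.get(url)
    if acl is None:
        return Decision.INDETERMINATE
    who = identity.principals()
    if who & acl["deny"]:
        return Decision.DENY
    return Decision.ALLOW if who & acl["permit"] else Decision.DENY


def policy(allowed: FrozenSet[str]) -> Callable[[Identity, str], Decision]:
    """POLICY model: allow listed principals, otherwise leave the URL to the
    next rule (an assumption made for this example)."""
    def check(identity: Identity, url: str) -> Decision:
        if identity.principals() & allowed:
            return Decision.ALLOW
        return Decision.INDETERMINATE
    return check


def deny(identity: Identity, url: str) -> Decision:
    """DENY mechanism: refuse every URL the rule's pattern matches."""
    return Decision.DENY


# Recommended layout: PER-URL ACL with pattern "/" as the first rule.
ROUTING_TABLE: List[Rule] = [
    Rule("/", "PER-URL ACL", per_url_acl),
    Rule("http://intranet.example.com/hr/", "POLICY",
         policy(frozenset({"hr-staff", "hr-managers"}))),
    Rule("http://intranet.example.com/legacy/", "DENY", deny),
]


def authorize(rules: List[Rule], identity: Identity,
              url: str) -> Tuple[Decision, List[Tuple[str, Decision]]]:
    """Apply matching rules in table order and stop at the first Allow or
    Deny. No matching rule, or only Indeterminate answers, means Deny.
    The trace records each mechanism consulted and its answer."""
    trace: List[Tuple[str, Decision]] = []
    for rule in rules:
        if not url_matches(rule.pattern, url):
            continue
        decision = rule.check(identity, url)
        trace.append((rule.mechanism, decision))
        if decision is not Decision.INDETERMINATE:
            return decision, trace
    return Decision.DENY, trace
```

The trace returned by authorize is the part worth keeping when you debug why a user does or does not see a document. Two behaviours stand out when you run it: a user in engineering asking for the HR salary page is denied by the PER-URL ACL rule and the POLICY rule behind it is never consulted, and a user in hr-managers is denied that same page under the recommended order but allowed if the POLICY rule is moved ahead of the ACL rule. Reordering the table therefore changes authorization outcomes, not only performance.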