Legacy authorization, Policy access control lists – Google Search Appliance Managing Search for Controlled-Access Content User Manual

Page 40

Google Search Appliance: Managing Search for Controlled-Access Content

Legacy Authorization

With legacy authorization, the search appliance performs an authorization check in this order:

1. Check for cached results from a previous check.

2. Check for Policy ACLs and per-URL ACLs.

If you specify a policy ACL rule (see “Policy Access Control Lists” on page 40), the search appliance checks the URL patterns in the rules against the URLs returned in the search results. If the users and groups in the rule are permitted to view the results, the results display. The search appliance also checks the URL against per-URL ACLs.

If the users or groups are not permitted, the URLs do not display. Steps 2 through 4 occur if a URL pattern does not match a policy ACL rule or per-URL ACL, or if SAML is not configured. Steps 2 through 4 do not occur if a URL pattern does match a policy ACL rule or per-URL ACL: the user is either permitted to view the search results or receives a deny and does not see them.

3. If the URL was fed by a Google connector, ask the connector (see “Connectors” on page 33).

4. Check for SAML.

If the search appliance is configured to use the SAML Authorization SPI (see “The SAML Authorization Service Provider Interface” on page 47), the search appliance sends a SAML authorization request to the Policy Decision Point, using the identity obtained for the user during serve authentication.

Otherwise:

5. Impersonate the user and perform a “head request” (supports HTTP Basic, NTLM, or Kerberos; see “Kerberos-Based Authentication” on page 25).

For secure content that was crawled using HTTP Basic or NTLM HTTP authentication (see “HTTP-Based Authentication” on page 23), the search appliance performs a HEAD request for the document, using the credentials obtained for the user during serve authentication.

For secure content that was crawled using cookie-based authentication (see “Cookie-Based Authentication” on page 20), the search appliance performs a GET request for 0 bytes of the document, using the credentials obtained for the user during serve authentication.

If the authorization check is successful, the secure content that matches the search query is included in
the user’s search results.

The search appliance returns at most 1000 results for a query. If the user does not have access to any of these results, no results are returned for the query.

Take note that legacy authorization does not support namespaces.
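To make the ordering concrete, here is an added example (not code from the manual or from the appliance itself) that models the five-step legacy decision as a function, including the short-circuit on a matching policy ACL and the HEAD-versus-0-byte-GET choice in step 5. The `Backends` hooks, the glob-style URL patterns and the sample users are assumptions made for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
@dataclass(frozen=True)
class PolicyAcl:
    url_pattern: str      # glob matched against the result URL (assumed convention)
    users: frozenset
    groups: frozenset
@dataclass
class Backends:
    """Hypothetical hooks standing in for the connector, the SAML PDP and the probe."""
    is_connector_url: Callable[[str], bool] = lambda url: False
    connector_check: Callable[[str, User], bool] = lambda url, user: False
    saml_configured: bool = False
    saml_check: Callable[[str, User], bool] = lambda url, user: False
    probe: Callable[[str, User, str], bool] = lambda url, user, method: False
    crawl_auth: str = "basic"   # "basic", "ntlm", "kerberos" or "cookie"

def policy_acl_decision(acls: List[PolicyAcl], url: str, user: User) -> Optional[bool]:
    """Permit/deny when a policy ACL pattern matches the URL; None when no rule matches."""
    for acl in acls:
        if fnmatch(url, acl.url_pattern):
            return user.name in acl.users or bool(user.groups & acl.groups)
    return None

def probe_method(crawl_auth: str) -> str:
    """Step 5: cookie-crawled content gets a 0-byte GET, Basic/NTLM/Kerberos content a HEAD."""
    return "GET-0-bytes" if crawl_auth == "cookie" else "HEAD"

def authorize(url: str, user: User, acls: List[PolicyAcl],
              cache: Dict[Tuple[str, str], bool], be: Backends) -> Tuple[bool, str]:
    """Return (permitted, which step decided) following the legacy authorization order."""
    key = (url, user.name)
    if key in cache:                                  # 1. cached result of an earlier check
        return cache[key], "cache"
    decision = policy_acl_decision(acls, url, user)   # 2. policy ACLs (per-URL ACLs behave alike)
    if decision is not None:                          #    a match short-circuits: permit or deny
        via = "policy_acl"
    elif be.is_connector_url(url):                    # 3. connector-fed URL: ask the connector
        decision, via = be.connector_check(url, user), "connector"
    elif be.saml_configured:                          # 4. SAML authorization request to the PDP
        decision, via = be.saml_check(url, user), "saml"
    else:                                             # 5. impersonate the user and probe the URL
        method = probe_method(be.crawl_auth)
        decision, via = be.probe(url, user, method), method
    cache[key] = decision                             # feeds step 1 on the next query
    return decision, via
```

A result denied by a policy ACL is cached as a deny, so the later, more expensive steps are never reached for that user and URL.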

Policy Access Control Lists

A policy ACL (Access Control List) provides information to the search appliance about which users or groups have access to a specific URL. By specifying policy ACLs on a search appliance, you can enhance performance and reduce load: policy ACLs speed up authorization and avoid the load that HEAD requests to a remote authorization server would otherwise place on the authorization servers.