
Per-url acls and policy acls – Google Search Appliance Managing Search for Controlled-Access Content User Manual

Page 41



Policy ACLs typically store the results that would have occurred if the search appliance initiated a HEAD
request to verify authorization. However, policy ACLs can also be used to override the decision that
would have been returned by a HEAD request. For example, suppose a policy ACL rule permits a group to
see all documents at a URL, but the source repository (that is, the target of the HEAD request) has a
more fine-grained rule under which only some members of the group can view documents. With the policy
ACL rule in place, everyone in the group can see the search results, but only those who have access
rights can click the links.
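
The gap described above, where a result is visible to users who cannot open the document, can be audited offline. The following is an added example, not code from the manual and not the appliance's Policy ACL API: it models rules as glob patterns with first-match semantics (both assumptions) and all URLs, groups and users are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample data; the rule layout is a simplified model, not the
# appliance's Policy ACL API format.
POLICY_ACLS = [
    {"pattern": "http://intranet.example.com/hr/*", "groups": {"hr"}, "users": set()},
]
GROUP_MEMBERS = {"hr": {"alice", "bob", "carol"}}
# What the source repository itself would answer to a per-user HEAD request.
REPOSITORY_ALLOWS = {
    "http://intranet.example.com/hr/handbook.html": {"alice", "bob", "carol"},
    "http://intranet.example.com/hr/salaries.html": {"alice"},
}


def policy_principals(url, policy_acls, group_members):
    """Users the first matching rule permits, or None if no rule matches.

    Glob matching and first-match order are assumptions of this model.
    """
    for rule in policy_acls:
        if fnmatchcase(url, rule["pattern"]):
            allowed = set(rule["users"])
            for group in rule["groups"]:
                allowed |= group_members.get(group, set())
            return allowed
    return None


def find_overexposure(policy_acls, group_members, repository_allows):
    """Map each URL to users who would see its search result but cannot open it."""
    findings = {}
    for url, repo_users in repository_allows.items():
        serve_users = policy_principals(url, policy_acls, group_members)
        if serve_users is None:
            continue  # no policy ACL rule: the repository's own decision applies
        exposed = serve_users - repo_users
        if exposed:
            findings[url] = sorted(exposed)
    return findings


if __name__ == "__main__":
    report = find_overexposure(POLICY_ACLS, GROUP_MEMBERS, REPOSITORY_ALLOWS)
    for url, users in report.items():
        print(f"{url}: result visible to {', '.join(users)} without repository access")
```

Each finding is a document whose search result is shown to users the repository would refuse, which is the case to review before using a policy ACL as an override.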

Policy ACLs require that you use an authentication method to establish the identity of the user or group
that you specify in the policy ACL rules.

If you want to use legacy authorization to authorize by group, you must not specify a domain
name in the policy ACL rule. If you do, authorization using policy ACLs will not work for domain
groups.

If you want to use legacy authorization to authorize by user, you must specify a domain name
in the policy ACL rule. Also, if you enable flexible authorization, you must specify a domain name in the
policy ACL. The domain format depends on the authentication method used by the search appliance.

For more information on policy ACLs, see the Policy ACL API Developer’s Guide.

Per-URL ACLs and Policy ACLs

The search appliance supports two types of access control lists:

Per-URL ACL—An ACL in the index that is associated with a single URL. A per-URL ACL has a limit of
100,000 entries (users and groups). ACL information can be applied to groups of documents
through inheritance. For more information, see “Per-URL ACLs and ACL Inheritance,” in the Feeds
Protocol Developer’s Guide.

Policy ACL—A URL-pattern rule-based ACL. This type of ACL can have many URLs associated with it.
For more information, see “Policy ACLs” on page 43.

Occasionally, a URL can be associated with both types of access control lists. You can choose which type
takes precedence, as described in “Flexible Authorization” on page 39.