
Policy acls – Google Search Appliance Managing Search for Controlled-Access Content User Manual


Both the meta-name and the meta-value are encoded according to section 2 of RFC3986 (http://www.ietf.org/rfc/rfc3986.txt) (commonly known as percent-encoding). The following example shows an encoded header:

X-GSA-External-Metadata: google%3Aaclusers=Maria, google%3Aaclgroups=eng
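
As an added example (not from the Google manual), the following Python code builds and parses the header value with both sides percent-encoded, so a user or group name that contains a comma or an equals sign cannot be read as an extra ACL entry. The function names and the one-pair-per-principal layout are assumptions; the header name, the google:aclusers and google:aclgroups names, and the encoding rule come from the page.

```python
from urllib.parse import quote, unquote

# Metadata names shown in the manual's example header.
ACL_USERS = "google:aclusers"
ACL_GROUPS = "google:aclgroups"


def encode_pair(name, value):
    # safe="" escapes every reserved character, including ':', ',', '=' and '/'.
    return f"{quote(name, safe='')}={quote(value, safe='')}"


def build_acl_header(users, groups):
    """Return the X-GSA-External-Metadata value for the given principals.

    Assumption: one name=value pair per principal, joined with ", ".
    """
    pairs = [encode_pair(ACL_USERS, u) for u in users]
    pairs += [encode_pair(ACL_GROUPS, g) for g in groups]
    return ", ".join(pairs)


def parse_acl_header(value):
    """Split on the literal delimiters first, then decode each side."""
    acl = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, raw = item.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed metadata pair: {item!r}")
        acl.setdefault(unquote(name), []).append(unquote(raw))
    return acl


if __name__ == "__main__":
    # Constructed sample: a group name that contains both delimiters.
    header = build_acl_header(["Maria"], ["eng", "sales,emea=north"])
    print("X-GSA-External-Metadata:", header)
    print(parse_acl_header(header))
```
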

The per-URL ACLs supplied at crawl time are added to the search appliance index, replacing previously
indexed per-URL ACLs. Subsequently crawled per-URL ACLs replace the previously indexed ones. If no
external metadata header is supplied, the per-URL ACL in the index remains unchanged.

Any per-URL ACLs that are added later using a metadata-and-url feed are not merged with the crawled
per-URL ACLs. An empty metadata-and-url feed clears all previous per-URL ACLs.

Policy ACLs

A policy ACL is expressed as a rule based on URL patterns. A policy ACL rule has two parts:

URL Pattern to Protect (see “URL Pattern to Protect”)—A URL pattern that you want to protect with
restricted access.

Allowed Users or Groups (see “Allowed Users or Groups” on page 44)—Lists the users or groups
that have access to the restricted URL.

For example, suppose the eng (engineering) group is the only group that you permit to view all
documents in the example.com/engsite page. To grant the engineering group access to the engsite
page, specify a policy ACL rule:

example.com/engsite group:eng

When a search appliance executes a search, it attempts to match URLs that the search appliance
retrieves from the index against policy ACLs. If a URL pattern matches the policy ACL rule, the search
appliance applies the rule.

URL Pattern to Protect

You can specify a URL pattern to which you want to limit access. When a user performs a search query,
the user can view this URL pattern in the search results if the user is either listed as an allowed user or
is a member of an allowed group.

If more than one URL pattern matches the policy ACL, the search appliance chooses the best match in
this order of precedence:

1. “Exact-Match URL Rules”

2. “Coarse-Grained Rules”:

   “Prefix Patterns” on page 44

   “General URL Patterns” on page 44

Exact-Match URL Rules

If there is an exact-match URL pattern, it is the best match. An exact-match URL pattern begins with a
caret (^) and ends with a dollar sign ($). The following example shows an exact-match URL pattern:

^http://www.example.com/mypage.html$

Coarse-Grained Rules

The coarse-grained rules consist of:

“Prefix Patterns”