
Setting acl precedence in legacy authorization, The saml authorization service provider interface – Google Search Appliance Managing Search for Controlled-Access Content User Manual

Page 47


The user in the policy ACL rule must match the identity in the Default credential group. For
example, suppose the username in the Default credential group is “joe.” To ensure that the search
appliance can use a policy ACL with this identity, ensure that there is a policy ACL rule with the user
“joe.”

Check the Requires a Username option (see “Require a User-Name Option” on page 19) for the
Default credential group.

Do not rename the Default credential group.

Enabling Late Binding for Policy ACLs and Per-URL ACLs

In some instances, you might not want to use early binding for allow decisions, for example, if the policy
ACLs or per-URL ACLs in the index don’t reflect the latest changes. For situations like this, you can enable
late binding for policy ACLs and per-URL ACLs.

If you enable late binding for policy ACLs and per-URL ACLs, the search appliance accepts deny decisions
only for these mechanisms. For allow and indeterminate decisions, the search appliance applies each
subsequent associated mechanism in the list in order until one of them returns a decision other than
indeterminate.

For information about enabling late binding for policy ACLs and per-URL ACLs, click Help Center >
Serving > Flexible Authorization.
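The following added example (not from the manual or the appliance's own code) models the late-binding rule described above to show how a stale ACL allow in the index is overridden by a later mechanism. The mechanism labels (`policy_acl`, `per_url_acl`, `saml`), the fail-closed result when every mechanism is exhausted, and the early-binding behavior of accepting the first decision other than indeterminate are assumptions made for illustration.

```python
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    INDETERMINATE = "indeterminate"


# Hypothetical labels for the two index-based mechanisms that late binding affects.
ACL_KINDS = {"policy_acl", "per_url_acl"}


def authorize(chain, late_binding, on_exhausted=Decision.DENY):
    """Walk an ordered mechanism list and return (decision, deciding_kind).

    chain is a list of (kind, decision) pairs in configured order.
    on_exhausted is an assumption (fail closed): the page does not say what
    happens when no mechanism returns an accepted decision.
    """
    for kind, decision in chain:
        if decision is Decision.INDETERMINATE:
            continue  # indeterminate always falls through to the next mechanism
        if late_binding and kind in ACL_KINDS and decision is Decision.ALLOW:
            continue  # late binding: only a deny is accepted from an ACL mechanism
        return decision, kind  # first accepted decision is final
    return on_exhausted, None


# Constructed scenario: the indexed per-URL ACL still allows a user whose
# access was revoked at the content source after the last crawl.
STALE_INDEX_CHAIN = [
    ("policy_acl", Decision.INDETERMINATE),
    ("per_url_acl", Decision.ALLOW),  # stale allow held in the index
    ("saml", Decision.DENY),          # live check reflects the revocation
]

if __name__ == "__main__":
    for late in (False, True):
        decision, kind = authorize(STALE_INDEX_CHAIN, late_binding=late)
        print(f"late_binding={late}: {decision.value} (decided by {kind})")
```

With early binding the stale per-URL ACL allow is final; with late binding the same chain ends in the deny from the later mechanism, while an ACL deny is still accepted immediately.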

Setting ACL Precedence in Legacy Authorization

Note: This section pertains to legacy authorization (see “Legacy Authorization” on page 40) only. If you
are using flexible authorization, you set precedence by using the Serving > Flexible Authorization
page. For more information about setting precedence, click Help Center > Serving > Flexible
Authorization in the Admin Console.

Occasionally, a URL can be associated with both a policy ACL and a per-URL ACL. By default, the per-URL
ACL takes precedence when a URL is associated with both types of ACLs. However, you can
specify that policy ACLs can take precedence over per-URL ACLs.

To specify that policy ACLs can take precedence over per-URL ACLs:

1. Click Serving > Policy ACLs.

2. Under Set Policy ACL Precedence, click the checkbox for Policy ACLs take precedence over per-URL ACLs.

3. Click Set precedence.

To remove policy ACL precedence:

1. Clear the checkbox for Policy ACLs take precedence over per-URL ACLs.

2. Click Set precedence.

The SAML Authorization Service Provider Interface

Note: This section pertains to legacy authorization only (see “Legacy Authorization” on page 40). If you
are using flexible authorization, you use the Authorization SPI by configuring a rule for SAML. For more
information about configuring a rule for SAML, click Help Center > Serving > Flexible Authorization in
the Admin Console.