Google Search Appliance Security User Manual
Page 14
there are clear rules on which mechanisms can or cannot be used together:
● Per-URL ACL
○ The ACLs are part of the index and cannot be added or removed on the fly. If URLs don’t have ACLs attached, Per-URL ACL can’t be used as an authorization mechanism for those URLs. The Credential Group associated with the ACLs is also determined at index time and cannot be changed in the Flexible Authorization settings.
○ When the Per-URL ACL rule is defined as the first rule, the authorization happens in the index as matching results are identified. This gives Per-URL ACL much better performance than the other authorization mechanisms, which is also why it is listed even before Cache authorization by default.
○ If you define a specific URL pattern instead of “/”, or move the rule down the list below other authorization rules, the Security Manager performs the authorization instead. Performance will then be worse, because the Per-URL ACLs are evaluated outside of the index.
● Connector
○ For content to be authorized using Connector authorization, the URLs must start with “googleconnector://”.
After the GSA has authenticated a user through a configured authentication mechanism, authorization to documents is applied in the order in which the rules are defined in the flexible authorization table for the particular URL pattern of the document. If more than one authorization mechanism applies to a document, the GSA cycles through all the applicable rules, in order, until one of them returns a status of PERMIT or DENY. For example, if a connector sends in documents with ACLs, the Per-URL ACL rule is evaluated first. If it returns PERMIT or DENY, that is the final result. However, if it returns INDETERMINATE, the “Connector” rule is used to evaluate the documents.
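As an added illustration of the rule evaluation described above (not code from the manual or from the GSA itself), the following Python model walks a flexible authorization table in order: the Per-URL ACL rule decides only for URLs that carry an ACL in the index, the Connector rule applies only to googleconnector:// URLs, and the first PERMIT or DENY ends the evaluation. The URL-pattern matching, the sample ACL data and the connector lookup are simplified, constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple
PERMIT, DENY, INDETERMINATE = "PERMIT", "DENY", "INDETERMINATE"

# Constructed sample data (not real GSA data): ACLs stored in the index at crawl time,
# URL -> allowed principals. A URL missing here has no ACL, so Per-URL ACL can't decide it.
INDEXED_ACLS: Dict[str, Set[str]] = {
    "googleconnector://sharepoint/site/plan.docx": {"alice", "finance"},
    "http://intranet.example/hr/policy.html": {"hr"},
}
# Constructed stand-in for what a connector would answer at query time (assumed).
CONNECTOR_ACLS: Dict[str, Set[str]] = {"googleconnector://sharepoint/site/budget.xlsx": {"finance"}}
def per_url_acl(url: str, principals: Set[str]) -> str:
    """Per-URL ACL rule: decides only for URLs that carry an ACL in the index."""
    acl = INDEXED_ACLS.get(url)
    return INDETERMINATE if acl is None else (PERMIT if principals & acl else DENY)

def connector(url: str, principals: Set[str]) -> str:
    """Connector rule: applies only to googleconnector:// URLs."""
    if not url.startswith("googleconnector://"):
        return INDETERMINATE
    allowed = CONNECTOR_ACLS.get(url)
    return INDETERMINATE if allowed is None else (PERMIT if principals & allowed else DENY)

@dataclass
class Rule:
    name: str
    url_pattern: str  # simplified matching: "/" matches every URL, anything else is a prefix
    check: Callable[[str, Set[str]], str]

    def matches(self, url: str) -> bool:
        return self.url_pattern == "/" or url.startswith(self.url_pattern)

def authorize(url: str, principals: Set[str], rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Walk the rules in table order; the first PERMIT or DENY is final."""
    for rule in rules:
        if rule.matches(url):
            decision = rule.check(url, principals)
            if decision != INDETERMINATE:
                return decision, rule.name
    # Every applicable rule was INDETERMINATE. The page does not say what the GSA does
    # then; a caller should treat it as "not authorized" (fail closed).
    return INDETERMINATE, None

# Default table order from the page: Per-URL ACL on "/" first, then Connector.
RULES = [Rule("Per-URL ACL", "/", per_url_acl), Rule("Connector", "googleconnector://", connector)]

if __name__ == "__main__":
    print(authorize("googleconnector://sharepoint/site/budget.xlsx", {"finance"}, RULES))
```

Running the module shows the budget document being decided by the Connector rule because it has no ACL in the index, while a document with an indexed ACL is decided by Per-URL ACL and the Connector rule is never consulted.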
Summary
In this chapter, we have reviewed the process of designing security for your enterprise search project with the Google Search Appliance. This requires a solid understanding of security in your organization, as well as of the related content sources that will be part of the project. Here is a summary of the process of designing the solution:
● Spend time up front to analyze the content sources: how will the content sources be acquired, what authentication is used, etc.
● Determine how many Credential Groups will be needed.
● Determine the preferred authorization mechanism for each content source.
● Determine the minimum set of authentication mechanisms needed.
○ When possible, support silent authentication.
○ When possible, use supported, out-of-the-box components.
○ Will these authentication mechanisms support the relevant content source authorization?
● Configure Universal Login Auth Mechanisms.
● Make changes to the Flexible Authorization Rules when necessary.