Google Search Appliance Security User Manual

Page 17


Groups database (beta). Starting from release 7.2, the search appliance includes an internal
database that stores ACLs. This is still a beta feature with limited functionality and scalability.
Group memberships must be fed to the appliance, in the same way that documents can be fed to the
appliance's index.

Connectors. The Connector Framework provides an interface to resolve groups. It is up to the
connector developer to decide whether Per-URL ACL or group resolution is implemented. Of the
connectors that Google supports, the SharePoint connector, Active Directory Groups connector, and
Documentum connector provide this feature.

LDAP. LDAP authentication can resolve nested LDAP groups. It is not recommended for use with
Active Directory (use the Active Directory Groups connector instead), but it can be used with other
LDAP servers.

The three options above can be used for group resolution alone, with authentication performed by
another mechanism. The following two options resolve groups as part of the authentication process;
they cannot be used for group resolution alone.

Cookie Cracking. Groups can be returned in a custom header, together with the user ID, as part of
the cookie authentication process.

SAML. Groups can be returned as part of the SAML authentication process, and group resolution must
happen within that process.

These two mechanisms are generally used at deployments that require custom development. The next
chapter contains more in-depth documentation on this.


Namespace

The GSA supports ACL namespacing. Namespacing was introduced to avoid name clashes between users
and groups from multiple sources in the index. Here is an example:

User John Smith has two identities, and we've set up two credential groups: jsmith in CG1 and johns in
CG2. In the index, ACLs pertaining to John Smith could be associated with either identity, so there
must be a way to distinguish them. That is why namespaces were introduced.

If the principal scope is user, the namespace is equivalent to Credential Group. In ACLs, the principal
must be either:

jsmith in namespace CG1

or

johns in namespace CG2

However, if the principal scope is group, the namespace does not have to be the same as the credential
group of the user. As long as the namespace of the resolved groups matches what is defined in the ACL
in the index, the permission check will work. Here is an example:
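The manual's own example continues on the following page. As an added illustration that is not part of the manual, the following Python model shows the two namespace rules just described: a user-scope principal only matches when its namespace equals the credential group the user authenticated in, while a group-scope principal matches as long as its namespace equals the namespace tagged on the resolved group. All names (`Principal`, `Identity`, the CG1/CG2/AD sample values) are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    """An ACL principal: a user or group name qualified by a namespace."""
    name: str
    namespace: str
    scope: str  # "user" or "group"


@dataclass(frozen=True)
class Identity:
    """A verified identity (constructed model): the user ID and the credential
    group it authenticated in, plus the groups resolved for that user, each
    tagged with the namespace the resolver assigned to it."""
    user: str
    credential_group: str
    groups: frozenset = field(default_factory=frozenset)  # {(group, namespace)}


def principal_matches(p: Principal, ident: Identity) -> bool:
    """Simplified namespace rule as the manual describes it.

    user scope : namespace must equal the credential group, so "jsmith" in
                 CG1 and "jsmith" in CG2 are different principals.
    group scope: namespace only has to match the namespace on the resolved
                 group; it is independent of the user's credential group.
    """
    if p.scope == "user":
        return p.name == ident.user and p.namespace == ident.credential_group
    if p.scope == "group":
        return (p.name, p.namespace) in ident.groups
    raise ValueError(f"unknown principal scope: {p.scope!r}")


def is_permitted(permit_acl, ident: Identity) -> bool:
    """True if any permit principal in the document's ACL matches the identity."""
    return any(principal_matches(p, ident) for p in permit_acl)


# Constructed document ACL: one user principal and one group principal.
SAMPLE_ACL = [
    Principal("jsmith", "CG1", "user"),
    Principal("engineering", "AD", "group"),
]

if __name__ == "__main__":
    print(is_permitted(SAMPLE_ACL, Identity("jsmith", "CG1")))   # True
    print(is_permitted(SAMPLE_ACL, Identity("jsmith", "CG2")))   # False: name clash
```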