Google Search Appliance Security User Manual
Page 18

John Smith's first identity, jsmith, comes from the company-wide Active Directory, and jsmith is of course a member of several AD groups. Suppose one of the content sources is Plone, which is integrated with Active Directory but defines its own groups. How do we avoid conflicts when a group with the same name exists in both Active Directory and Plone? Groups from Active Directory carry the namespace CG1, and we can give groups from Plone a different namespace, such as plone_space. The ACLs in the index will then contain the following entries:
…
…
access="deny">authors
As long as the right groups can be resolved for jsmith during group resolution after authentication, the right permissions will be applied:
CG1:jsmith belongs to groups:
CG1:authors, plone_space:authors
Domain parsing
Domain names are common in both user credentials and group names. The search appliance stores the domain in a separate field of the principal in the following cases:
● After the user is authenticated, the resolved verified ID and its associated groups contain both the username and the domain name.
● The principal on document ACLs, for both users and groups, contains the principal name and the domain name.
Depending on the authentication protocol, verified users can arrive in different formats:
● bob@google.com
● google\bob
The search appliance parses these formats consistently and extracts the domain name and the username during both authentication and ACL indexing. From the two examples above, google would be extracted as the domain in each case.
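The following is an added illustration, not code from the GSA manual or the appliance itself, of the two ideas above: namespace-qualified group names keep CG1:authors and plone_space:authors apart, and the UPN and down-level credential forms are parsed to the same domain and username. The group table, the deny-over-permit rule and the dropping of the DNS suffix after google are this example's own assumptions.

```python
# Added example (constructed data, not the appliance's implementation):
# namespace-qualified principals, consistent domain parsing, and an ACL check.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    namespace: str   # credential group namespace, e.g. "CG1" or "plone_space"
    domain: str      # short domain name, "" when the credential carries none
    name: str        # user or group name


def parse_principal(raw: str, default_namespace: str = "CG1") -> Principal:
    """Parse 'ns:bob@google.com', 'ns:google\\bob' or 'ns:authors' consistently.
    The manual's example extracts 'google' from both forms, so the DNS suffix
    of the UPN form is dropped (assumption: that rule holds generally)."""
    namespace, sep, cred = raw.partition(":")
    if not sep:                       # bare credential: assume a default namespace
        namespace, cred = default_namespace, raw
    if "@" in cred:                   # UPN form: user@domain.tld
        name, domain = cred.split("@", 1)
        domain = domain.split(".", 1)[0]
    elif "\\" in cred:                # down-level form: domain\user
        domain, name = cred.split("\\", 1)
    else:                             # no domain in the credential
        domain, name = "", cred
    return Principal(namespace, domain.lower(), name.lower())


# Constructed group-resolution table: verified user -> groups in each namespace.
GROUPS = {
    parse_principal("CG1:jsmith"): {
        parse_principal("CG1:authors"),
        parse_principal("plone_space:authors"),
    },
}


def resolve(user: str) -> set[Principal]:
    """Return the verified user plus every group resolved after authentication."""
    u = parse_principal(user)
    return {u} | GROUPS.get(u, set())


def evaluate_acl(acl: list[tuple[str, str]], user: str) -> str:
    """acl entries are (principal, 'permit' | 'deny'). A matching deny entry
    wins over permit (this example's assumption); no match is 'indeterminate'."""
    held = resolve(user)
    decisions = {access for raw, access in acl if parse_principal(raw) in held}
    if "deny" in decisions:
        return "deny"
    return "permit" if "permit" in decisions else "indeterminate"
```

A deny on plone_space:authors applies to jsmith only because group resolution placed jsmith in that namespace's authors group; an entry for CG1:authors would never match a Plone group of the same name.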
Late binding for ACLs
When using ACLs to govern access to documents in the GSA, you might want to configure a late binding fallback in case the ACLs in the index are not fully in sync with the content source because of timing issues. When the late binding fallback feature for Flexible Authorization is enabled, the GSA accepts only a DENY response from the POLICY and Per-URL ACL mechanisms. For PERMIT and INDETERMINATE, the GSA applies the subsequent rules until one of them returns a decision other than INDETERMINATE. If none does, the result is not presented to the user.