
Connectors using per-url acl – Google Search Appliance Security User Manual


Connectors using Per-URL ACL

Local Namespace

The Connector Framework introduced the concept of "Local Namespace." Note that this is a connector
concept: an ACL principal has only one namespace attribute. In the connector configuration, however, there
are two namespace fields. One is "Global namespace", which is equivalent to the Credential Group in
Authentication. The other is "Local namespace", which is the name of the connector instance (or the name
of another configured connector, selectable from the dropdown).

Let's use the previous example of the Plone content source. If a Plone connector is built on the
connector framework with the instance name "plone_connector", the ACL principals in feeds sent by the
connector look like this:

(principal elements as preserved on this page; the leading tag and attributes of each element are cut off)

    jsmith
    ...
    johns
    ...
    authors
    ...
    access="deny">authors
    ...

The search appliance concatenates the "Global namespace" and the "Local namespace" from the
connector's configuration to form the "namespace" attribute of each principal in ACLs sent via feeds. Because
the namespace is part of the principal's identity, a group named "authors" in one connector's namespace is
a different principal from a group named "authors" in another's, so the two cannot be confused.


Avoiding domain parsing

As the previous section described, the appliance tries to interpret the format of a principal and extract the
domain from it. There is one exception: when ACLs are sent in via feeds, if principal_type is set to
"unqualified" on a principal, the domain is not parsed and the name is treated as a literal, whatever format it
takes. This attribute and behavior were designed as another option for avoiding group name
conflicts, mainly to keep the SharePoint connector backward compatible. SharePoint allows groups to be
defined at different levels of a hierarchical web site structure. If the "Local namespace" feature of the
connector were used for this, there would be one namespace per site. Instead, the GSA Connector for
SharePoint prefixes every SharePoint local group with the URL of the site the group belongs to and sets
principal_type to "unqualified." The search appliance stores these groups exactly as they are passed in, so
groups with the same name on different sites do not conflict. Note the consequence: an unqualified name
is compared literally, so it will only ever match a principal sent with the same literal string. Here is an
example of SharePoint local groups being sent to the GSA in feeds:

(principal element as preserved on this page; the leading tag and attributes are cut off)

    sensitivity-type="everything-case-insensitive" scope="group"
    access="permit">[http://w2k8r2entsp1]Home Owners

On the other hand, if an AD group is sent, it will look like the following:

insensitive" scope="group" access="permit">mydomain\Home Owners