Chapter 4 authorization for developers, Overview, Per-url acls – Google Search Appliance Security User Manual
Page 34
Chapter 4 Authorization for Developers
Overview
An enterprise search engine must return relevant results to the user, but only those that the user has
access to. This is managed through the authorization process that applies to every secure document in
the index. In this chapter we focus on custom solutions when designing the authorization process in your
enterprise search project with Google.
The section Select an Authorization Approach introduced the following main options for building a custom
authorization process:
● Per-URL ACLs
● Policy ACLs
● SAML authorization
● Connectors
The following sections provide more details on using these options in a custom solution.
Per-URL ACLs
The biggest challenge of using early binding in a custom connector or feed is simulating the
authorization model of the target system, because every system's security model can be different.
There are a couple of ways to associate ACLs with documents, such as in HTML headers as metadata,
or through custom HTTP headers. However, only feeds allow you to specify all the possible ACL
attributes. Since the Google Connector Framework is based on feeds, this discussion covers the case
when the ACLs are sent by a connector. S
define the ACL.
Among the features that GSA offers to simulate different security models,
ACL inheritance makes it more efficient to deal with ACL changes. Because ACLs no longer have to be
expanded and attached to each level in a hierarchy, you only have to re-index the level at which the
permission changed.
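The re-indexing saving described above, as an added example that is not code from the manual or from Google. It assumes a simplified model in which the nearest ACL on the chain wins, which is not the GSA's actual evaluation logic; the hierarchy, group names and function names are constructed for illustration.

```python
# Constructed sample hierarchy: URL -> parent URL (None for the root).
PARENT = {
    "/hr": None,
    "/hr/handbook.pdf": "/hr",
    "/hr/payroll": "/hr",
    "/hr/payroll/2013.xls": "/hr/payroll",
    "/hr/payroll/2014.xls": "/hr/payroll",
}

# Constructed ACLs: only two levels define their own permitted groups.
OWN = {
    "/hr": frozenset({"hr-staff"}),
    "/hr/payroll": frozenset({"payroll-admins"}),
}


def effective_acl(own, url):
    """Inherited model: walk up the chain to the nearest node with its own ACL."""
    while url is not None:
        if url in own:
            return own[url]
        url = PARENT[url]
    return frozenset()  # no ACL anywhere on the chain: nobody is permitted


def expand(own):
    """Expanded model: copy the effective ACL onto every URL in the hierarchy."""
    return {url: effective_acl(own, url) for url in PARENT}


def refeed_after_change(own, url, new_acl):
    """Apply a permission change at `url`; return what each model must re-send."""
    before = expand(own)
    own = {**own, url: frozenset(new_acl)}
    after = expand(own)
    # Expanded model: every record whose attached ACL differs must be re-sent.
    expanded_records = sorted(u for u in PARENT if before[u] != after[u])
    # Inherited model: only the level whose permission changed is re-sent.
    inherited_records = [url]
    return own, expanded_records, inherited_records


if __name__ == "__main__":
    own, exp, inh = refeed_after_change(
        OWN, "/hr/payroll", {"payroll-admins", "auditors"})
    print("expanded model re-sends :", exp)
    print("inherited model re-sends:", inh)
    print("2014.xls now permits    :",
          sorted(effective_acl(own, "/hr/payroll/2014.xls")))
```

In the expanded model, any of those records that is not re-sent keeps the old ACL attached, so results continue to be filtered under the stale permission.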