Google Search Appliance Security User Manual
Page 34

Chapter 4 Authorization for Developers

Overview

An enterprise search engine must return relevant results to the user, but only those results the user is permitted to access. This is enforced by the authorization process, which applies to every secure document in the index. This chapter focuses on custom solutions for designing the authorization process in an enterprise search project built on the Google Search Appliance (GSA).

The section Select an Authorization Approach introduced the following main options for building a custom authorization process:

• Per-URL ACLs
• Policy ACLs
• SAML authorization
• Connectors

The following sections provide more details on using these options in a custom solution.

Per-URL ACLs

The biggest challenge of using early binding (that is, ACLs that are stored in the index alongside the documents) in a custom connector or in feeds is to simulate the authorization model of the target system, and every system's security model can be different.

There are a couple of ways to associate ACLs with documents, such as in HTML headers as metadata or through custom HTTP headers. However, only feeds allow you to specify all the possible ACL attributes. Since the Google Connector Framework is based on feeds, this discussion covers the case where the ACLs are sent by a connector. See Specifying Per-URL ACLs for information on how to fully define the ACL.

Among the features that the GSA offers to simulate different security models, ACL inheritance is one of the most important.

ACL inheritance makes ACL changes cheaper to process. Because ACLs no longer have to be expanded and attached to every document at every level of a hierarchy, a permission change requires re-indexing only the level at which the permission changed; the documents below that level pick up the change through inheritance.
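The following Python model illustrates the point made above about ACL inheritance. It is an added example, not code from the manual or from the Google Connector Framework: the URLs, the principal names, the ACL record layout and the resolution rule (an explicit deny anywhere in the inheritance chain wins, otherwise any level that permits one of the user's principals grants access) are all assumptions chosen to make the behaviour visible, and the GSA's own inheritance types are not modeled. It walks a small hierarchy with inherited ACLs, resolves access for a few users, and counts how many index records would have to be re-fed after a permission change with and without inheritance.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Acl:
    """Hypothetical per-URL ACL record: a permit set, a deny set and an optional
    parent URL whose ACL this record inherits from (None for a root)."""
    permit: Set[str] = field(default_factory=set)
    deny: Set[str] = field(default_factory=set)
    inherit_from: Optional[str] = None


# Constructed sample index: a share root, a project folder and two files.
# Only the folder carries the group/deny rules; the files inherit them.
INDEX: Dict[str, Acl] = {
    "smb://files/": Acl(permit={"group:staff"}),
    "smb://files/projects/": Acl(
        permit={"group:eng"}, deny={"user:contractor"}, inherit_from="smb://files/"
    ),
    "smb://files/projects/design.doc": Acl(inherit_from="smb://files/projects/"),
    "smb://files/projects/budget.xls": Acl(
        permit={"user:cfo"}, inherit_from="smb://files/projects/"
    ),
}


def chain(index: Dict[str, Acl], url: str) -> List[str]:
    """URLs from the leaf up to the root of its inheritance chain.
    A loop guard is essential: a feed that points a record at one of its
    own descendants would otherwise make every lookup spin forever."""
    seen: List[str] = []
    current: Optional[str] = url
    while current is not None:
        if current in seen:
            raise ValueError(f"inheritance loop at {current}")
        if current not in index:
            raise KeyError(f"inherit-from target not indexed: {current}")
        seen.append(current)
        current = index[current].inherit_from
    return seen


def is_authorized(index: Dict[str, Acl], url: str, principals: Set[str]) -> bool:
    """Illustrative resolution rule (an assumption, not the appliance's algorithm):
    an explicit deny at any level wins; otherwise a permit at any level grants."""
    permitted = False
    for level in chain(index, url):
        acl = index[level]
        if acl.deny & principals:
            return False
        if acl.permit & principals:
            permitted = True
    return permitted


def records_to_reindex_inherited(index: Dict[str, Acl], changed_url: str) -> Set[str]:
    """With inheritance only the record whose ACL changed is re-fed."""
    return {changed_url}


def records_to_reindex_expanded(index: Dict[str, Acl], changed_url: str) -> Set[str]:
    """Without inheritance (ACLs expanded onto every document) every URL whose
    chain passes through the changed level carries a stale copy and must be re-fed."""
    return {u for u in index if changed_url in chain(index, u)}


def lift_contractor_deny(index: Dict[str, Acl]) -> Dict[str, Acl]:
    """Return a copy of the index in which the folder-level deny is removed.
    Only the folder record is touched; the files are left exactly as fed."""
    updated = dict(index)
    folder = index["smb://files/projects/"]
    updated["smb://files/projects/"] = Acl(
        permit=set(folder.permit), deny=set(), inherit_from=folder.inherit_from
    )
    return updated


if __name__ == "__main__":
    contractor = {"user:contractor", "group:staff"}
    doc = "smb://files/projects/design.doc"
    print("contractor before:", is_authorized(INDEX, doc, contractor))
    print("contractor after: ", is_authorized(lift_contractor_deny(INDEX), doc, contractor))
    print("re-feed (inherited):", records_to_reindex_inherited(INDEX, "smb://files/projects/"))
    print("re-feed (expanded): ", records_to_reindex_expanded(INDEX, "smb://files/projects/"))
```

The two re-index helpers make the efficiency argument concrete: with inheritance, lifting the contractor deny on the folder means re-feeding one record, whereas with expanded ACLs the folder and both files below it must be re-fed, and that gap grows with the size of the subtree.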