
Google Search Appliance Security User Manual


The attribute “inheritance-type” makes it possible to model the different security mechanisms of
various content systems. In an inheritance chain, the permission check always traces back to the top of the chain, and
the permission of each ACL is combined with that of its child according to the inheritance type that was set on it:

PARENT_OVERRIDES

The permission of the parent ACL dominates the child ACL, except when the parent
permission is INDETERMINATE. In this case, the child permission dominates. If both
parent and child are INDETERMINATE, then the permission is INDETERMINATE.

CHILD_OVERRIDES

The permission of the child ACL dominates the parent ACL, except when the child
permission is INDETERMINATE. In this case, the parent permission dominates. If both
parent and child are INDETERMINATE, then the permission is INDETERMINATE.

AND_BOTH_PERMIT

The permission is PERMIT only if both the parent ACL and child ACL permissions are
PERMIT. Otherwise, the permission is DENY.

Inheritance chain example

URLs

● "FileUrl" (USER:joe access:PERMIT type:LEAF) inherits
● "FolderUrl" (GROUP:eng access:PERMIT type:CHILD_OVERRIDES) inherits
● "ShareUrl" (GROUP:interns access:DENY type:PARENT_OVERRIDES)

Authorization Decisions

● PERMITs identity (USER:joe, GROUP:eng)
  ○ PERMIT by FileUrl ACL, not overridden = PERMIT
● PERMITs identity (USER:moe, GROUP:eng)
  ○ INDETERMINATE + PERMIT + not overridden = PERMIT
● DENYs identity (USER:adam, GROUP:eng, GROUP:interns)
  ○ INDETERMINATE + PERMIT + DENY (override) = DENY
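The three inheritance types and the chain above, worked through in code. This is an added illustration, not code from the GSA manual or product: the ACL and identity representation, the `Acl` class and function names are assumptions, as is the rule that within a single ACL a matching DENY entry wins over a matching PERMIT entry (the manual's example has one entry per ACL and does not say).

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

PERMIT, DENY, INDETERMINATE = "PERMIT", "DENY", "INDETERMINATE"

@dataclass
class Acl:
    url: str
    entries: List[Tuple[str, str]]   # (principal, access), e.g. ("GROUP:eng", PERMIT)
    inheritance_type: str            # how THIS ACL combines with its child ACL
    inherits_from: Optional["Acl"] = None

def local_decision(acl: Acl, identity: Set[str]) -> str:
    """Evaluate one ACL on its own: no matching entry means INDETERMINATE.
    Assumption (not stated in the manual): a matching DENY beats a matching PERMIT."""
    matched = {access for principal, access in acl.entries if principal in identity}
    if DENY in matched:
        return DENY
    if PERMIT in matched:
        return PERMIT
    return INDETERMINATE

def combine(inheritance_type: str, parent: str, child: str) -> str:
    """Combine a parent decision with its child's, as the manual defines each type."""
    if inheritance_type == "PARENT_OVERRIDES":
        return child if parent == INDETERMINATE else parent
    if inheritance_type == "CHILD_OVERRIDES":
        return parent if child == INDETERMINATE else child
    if inheritance_type == "AND_BOTH_PERMIT":
        return PERMIT if (parent == PERMIT and child == PERMIT) else DENY
    raise ValueError(f"unknown inheritance type {inheritance_type!r}")

def authorize(acl: Acl, identity: Set[str]) -> str:
    """Trace the chain to the top, then fold decisions downward to the requested ACL."""
    chain = []
    node: Optional[Acl] = acl
    while node is not None:
        chain.append(node)
        node = node.inherits_from
    chain.reverse()                                   # top of the chain first
    decision = local_decision(chain[0], identity)
    for parent, child in zip(chain, chain[1:]):
        decision = combine(parent.inheritance_type, decision, local_decision(child, identity))
    return decision

def example_chain() -> Acl:
    """The manual's FileUrl -> FolderUrl -> ShareUrl chain (constructed sample data)."""
    share = Acl("ShareUrl", [("GROUP:interns", DENY)], "PARENT_OVERRIDES")
    folder = Acl("FolderUrl", [("GROUP:eng", PERMIT)], "CHILD_OVERRIDES", share)
    return Acl("FileUrl", [("USER:joe", PERMIT)], "LEAF", folder)
```

Calling `authorize(example_chain(), {"USER:adam", "GROUP:eng", "GROUP:interns"})` reproduces the third decision above: FolderUrl's PERMIT is overridden by ShareUrl's DENY because ShareUrl's type is PARENT_OVERRIDES.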

ACLs can be “Free” or “Bound.” ACLs that are attached to indexed documents are “Bound.” “Free”
ACLs can represent non-document elements. For example, some content systems define permission
objects that are shared by many documents; ACLs are maintained on these special objects instead
of on the documents themselves. Content systems such as file systems have hierarchies, and ACLs can be defined on
folders, which are not documents. “Free” ACLs can be used in both of these scenarios. They are not
counted as indexed documents, so they don’t count against a GSA’s license.