Selecting an authorization mechanism – Google Search Appliance Security User Manual
Selecting an authorization mechanism
Serve-time authentication and authorization are tightly connected. As mentioned previously, although
serve-time authentication happens before authorization during serving, you should evaluate the
authorization options FIRST. This is a very important point worth repeating here. This chapter describes
the connections between these two processes in detail.
Authorization is always considered on a per-content-source basis. The purpose of authorization is to
make sure that users can see what they are entitled to see in the search results. Besides this ultimate
goal, the most important criterion in selecting which authorization mechanism to use is performance. This
implies that:
● Search results need to come back as fast as possible to give the end users the best experience
possible. Based on usability studies, if search is too slow, many people would simply give up and
usage of search would decrease.
● Performance needs to be good enough that relevant results will not be missing due to
timeouts. If the authorization decision times out on certain results, those results will have an
indeterminate authorization decision and thus won’t be displayed in the search results list.
● When late binding authorization is used, you need to minimize the performance impact on the
content server.
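The timeout behavior described above, as an added example that is not GSA code or part of the original manual: each result gets a late-binding check against the content server, and any check that does not finish within the time budget is treated as indeterminate and dropped from the list. The function names, URLs, latencies and the 0.2-second budget are assumptions made up for illustration.

```python
import concurrent.futures as cf
import time

PERMIT, DENY, INDETERMINATE = "PERMIT", "DENY", "INDETERMINATE"

# Constructed sample data: URL -> (simulated check latency in seconds, user allowed?)
CONTENT_SERVER = {
    "http://intranet.example/a": (0.01, True),
    "http://intranet.example/b": (0.01, False),
    "http://intranet.example/c": (1.0, True),   # allowed, but the check is slow
}

def check_access(user, url):
    """Hypothetical late-binding check: one request to the content server per URL."""
    latency, allowed = CONTENT_SERVER[url]
    time.sleep(latency)                          # stands in for the network round trip
    return PERMIT if allowed else DENY

def authorize_results(user, urls, budget_s=0.2):
    """Return {url: decision}. Checks still running at the deadline stay INDETERMINATE."""
    decisions = {u: INDETERMINATE for u in urls}  # fail closed by default
    pool = cf.ThreadPoolExecutor(max_workers=8)
    futures = {pool.submit(check_access, user, u): u for u in urls}
    done, _not_done = cf.wait(futures, timeout=budget_s)
    for fut in done:
        try:
            decisions[futures[fut]] = fut.result()
        except Exception:
            pass                                  # a failed check is also indeterminate
    # Do not block the response on slow checks; drop any that have not started yet.
    pool.shutdown(wait=False, cancel_futures=True)
    return decisions

def visible_results(user, urls, budget_s=0.2):
    """Only results with an explicit PERMIT are shown; DENY and INDETERMINATE are hidden."""
    decisions = authorize_results(user, urls, budget_s)
    return [u for u in urls if decisions[u] == PERMIT]

if __name__ == "__main__":
    urls = list(CONTENT_SERVER)
    print(authorize_results("alice", urls))       # c is INDETERMINATE at 0.2 s
    print(visible_results("alice", urls))         # only a: c is entitled but missing
    print(visible_results("alice", urls, 2.0))    # a and c once the budget covers the check
```

With the short budget the user loses a result they are entitled to see, which is the missing-results risk the second bullet describes; the per-URL calls are the content-server load the third bullet warns about.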
For deployment projects, if there is an existing connector provided by either Google or one of Google’s
partners, the authorization is already decided for you by the design of the connector. You have to select
an authorization mechanism only under these circumstances:
● There are multiple connectors offered by different parties and they use different authorization
mechanisms. There will be many factors in deciding which connector to use, including cost, and the
authorization mechanism is only one of them.
● A connector sometimes supports multiple authorization mechanisms. For example, the Google
Search Appliance Connector for SharePoint supports three mechanisms: Per-URL ACL,
Connector, and Head Requests.
● When there is no existing connector, you have to develop custom code to integrate the secure
content. This is when you have to consider all options.
Below we discuss the authorization mechanisms in order of performance preference. The GSA processes
authorization based on two main approaches:
● Early binding authorization
● Late binding authorization
Generally speaking, early binding speeds up the authorization process in the GSA compared to late
binding, but that doesn’t necessarily mean early binding should always be the method used for all content
sources.