Google Search Appliance Security User Manual

Page 9


With early binding, authorization is fully managed by the search appliance itself. Early binding requires
the authorization rules to be known to the GSA in advance; it does not have to contact an external security
component, such as the content source, at serve time to determine whether the user is entitled to see a document.

The GSA supports the following two types of ACLs:

Per-URL ACLs

With Per-URL ACLs, each document in the index can have its own authorization rules. A Per-URL ACL can be
attached to a document through feeds, through metadata in the HTML body, or through custom HTTP headers.
Per-URL ACLs can include both users and groups. Per-URL ACLs are generally preferred because they scale
much better with the number of documents and give better performance.

Considerations for using Per-URL ACLs:

This approach is very useful when you have fine-grained authorization rules and you need quick
authorization responses. Fast authorization with ACLs is critical for GSA features such as
Dynamic Navigation, duplicate directory filtering, and Dynamic Result Clusters.

This approach introduces some complexity into resolving group membership in the search
appliance. In some cases the GSA can manage this resolution itself, for example when the
groups live in an LDAP directory such as Active Directory. You can also create your own custom
processes to pass groups to the search appliance. In 7.2, an onboard Groups Database is
introduced as a beta feature that offers even tighter integration.

The Google Search Appliance Connector for Active Directory Groups is provided for
resolving groups from single or multiple Active Directory domains.

There is also a delay between when a security setting is changed in the source platform and
when the search appliance learns of the change; until the updated ACL reaches the appliance,
results continue to be filtered by the old rules.

The maximum number of principals that can be attached to a document is configurable; the
default is 10,000 and the upper limit is 100,000.

The following worst-case scenario has been tested with good (sub-second) ACL filtering
performance:

10k URLs to be filtered

Each URL has 10k items in the ACL

The search user belongs to 1k groups but has access to none of the documents, so
the GSA has to exhaustively filter every URL that matches the search term.

Policy ACLs

A policy ACL protects URL patterns rather than individual URLs, so a single rule can cover many
documents. You can configure policy ACLs based on URL patterns in the GSA Admin Console or through the
Policy ACL API. Use policy ACLs when the number of authorization rules is low and one authorization
rule can cover multiple URLs.
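The following Python model illustrates the early-binding filtering described in both the Per-URL ACL and Policy ACL sections above. It is an added example, not code from the GSA manual or from the product: principals are encoded as "user:<name>" / "group:<name>" strings, the host intranet.example and all documents and groups are constructed sample data, policy patterns are simplified to longest-prefix matching (the Admin Console's real URL pattern syntax is richer), and the rule that an explicit deny overrides a permit is an assumption stated in the code. The `worst_case` function reproduces, at a smaller scale, the manual's worst case in which the user matches no ACL and every hit must be examined.

```python
"""Early-binding ACL filtering modelled on Per-URL ACLs and Policy ACLs.

Added illustration, not GSA code. Assumptions: principals are strings
"user:<name>" or "group:<name>"; policy patterns are plain URL prefixes
(longest match wins); an explicit deny overrides any permit.
"""
import random
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


def user(name: str) -> str:
    return f"user:{name}"


def group(name: str) -> str:
    return f"group:{name}"


@dataclass(frozen=True)
class Acl:
    permit: FrozenSet[str] = frozenset()
    deny: FrozenSet[str] = frozenset()

    def allows(self, principals: FrozenSet[str]) -> bool:
        # Assumption: a deny on any of the user's principals wins over every
        # permit; otherwise a single matching permit is enough. Set
        # intersection keeps this O(min(|acl|, |principals|)) per document.
        if not self.deny.isdisjoint(principals):
            return False
        return not self.permit.isdisjoint(principals)


def policy_acl_for(url: str, policy_acls: Dict[str, Acl]) -> Optional[Acl]:
    """Policy ACL lookup: the longest URL-prefix pattern that matches wins.
    (Simplification of the Admin Console's pattern syntax.)"""
    best = None
    for pattern in policy_acls:
        if url.startswith(pattern) and (best is None or len(pattern) > len(best)):
            best = pattern
    return None if best is None else policy_acls[best]


def filter_results(urls: Iterable[str], principals: FrozenSet[str],
                   per_url_acls: Dict[str, Acl],
                   policy_acls: Dict[str, Acl]) -> Tuple[List[str], List[str]]:
    """Early binding: every decision uses rules the appliance already holds.
    Returns (allowed, undecided). 'undecided' URLs have no Per-URL or Policy
    ACL here, so they could only be resolved by asking the content source at
    serve time, which is exactly what early binding avoids."""
    allowed, undecided = [], []
    for url in urls:
        acl = per_url_acls.get(url) or policy_acl_for(url, policy_acls)
        if acl is None:
            undecided.append(url)
        elif acl.allows(principals):
            allowed.append(url)
    return allowed, undecided


# --- constructed sample data (hostname, documents and groups are made up) ---
BASE = "http://intranet.example/"

PER_URL_ACLS = {
    BASE + "eng/design.html": Acl(permit=frozenset({group("eng")})),
    # bob is in "finance" but is explicitly denied this one document.
    BASE + "finance/q3.xlsx": Acl(permit=frozenset({group("finance")}),
                                  deny=frozenset({user("bob")})),
    BASE + "hr/handbook.pdf": Acl(permit=frozenset({group("all-staff")})),
}

POLICY_ACLS = {
    BASE + "public/": Acl(permit=frozenset({group("all-staff")})),
    BASE + "public/board/": Acl(permit=frozenset({group("board")})),
}

SEARCH_HITS = list(PER_URL_ACLS) + [
    BASE + "public/news.html",          # covered by the "public/" policy ACL
    BASE + "public/board/minutes.pdf",  # longer "public/board/" pattern wins
    BASE + "unprotected/notes.txt",     # no rule known: undecided
]


def demo(name: str, groups: Iterable[str]) -> Tuple[List[str], List[str]]:
    principals = frozenset([user(name)] + [group(g) for g in groups])
    return filter_results(SEARCH_HITS, principals, PER_URL_ACLS, POLICY_ACLS)


def worst_case(n_urls: int = 1000, acl_size: int = 1000,
               n_groups: int = 100, seed: int = 1) -> Tuple[int, int, float]:
    """Scaled-down worst case: the user's groups match nothing, so every hit
    is checked. Returns (allowed_count, undecided_count, seconds)."""
    rng = random.Random(seed)
    pool = [group(f"g{i}") for i in range(20 * acl_size)]
    per_url = {f"{BASE}doc/{i}": Acl(permit=frozenset(rng.sample(pool, acl_size)))
               for i in range(n_urls)}
    principals = frozenset([user("nobody")] +
                           [group(f"x{i}") for i in range(n_groups)])
    t0 = time.perf_counter()
    allowed, undecided = filter_results(list(per_url), principals, per_url, {})
    return len(allowed), len(undecided), time.perf_counter() - t0


if __name__ == "__main__":
    for who, grps in (("alice", ["eng", "all-staff"]), ("bob", ["finance", "all-staff"])):
        allowed, undecided = demo(who, grps)
        print(who, "sees:", allowed, "| undecided:", undecided)
    print("worst case (allowed, undecided, seconds):", worst_case())
```

Running the script shows alice receiving the engineering document, the handbook and the public news page while the board minutes are filtered out by the more specific policy pattern, and bob losing the finance spreadsheet to the explicit deny despite his group membership. The `undecided` bucket is the practical reason the manual insists that early binding needs the rules known to the GSA up front: a document with no ACL on the appliance cannot be decided without a serve-time callback.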