Fusion can be configured to use existing file-level security permissions for documents indexed from a Windows file share. The end user must be authenticated through Windows Active Directory, and their credentials verified, before accessing the indexed documents.
Sample Active Directory configuration with organizational hierarchy and users
Configure the Windows Share datasource for your collection
- From the Launch pad, navigate to Admin -> Collection
- Choose an existing collection or click "Add Collection" to create a new one
- Select the Datasources tab and click "Add Datasource"
- Choose Filesystem -> Windows share
- Enable Advanced options using the toggle on the top right
- Modify the following fields and leave default values for the rest
  - Datasource ID - unique name of datasource
  - Windows Domain - top level domain of the server
  - File system URI - Location string of Windows share in format file://<server>/<folder>/
  - Username - Preferably a user that has access to all the files in the share
  - Security trimming - set to TRUE
  - AD URL - AD server where the Windows Share users are located
  - AD Principal - Preferably use an admin account
  - AD Credentials
  - AD User filter - optional - if omitted, the user domain is required at query time for authentication: user -> email@example.com
  - AD user base DN - format dc=domain, dc=com
  - AD cache groups - set to FALSE
- Click Save - you will be directed to the datasources tab
- Start the indexing job for the Windows share datasource by clicking Start
Sample AD configuration for Windows share
Configure the query pipeline for your collection
- From the Launch pad, navigate to Admin -> Pipelines
- Select the Query Pipeline tab
- Choose the default pipeline for the Windows Share collection (displayed as collectionName-default)
- Select Security trimming from the Pipeline stages dropdown list.
- Click save on the Security trimming pipeline.
- Set the Security trimming stage to execute before the Query solr stage by moving its tab before the Query solr tab. The execution order is automatically saved.
Query the Windows Share collection using Active Directory credentials
You can use the Fusion UI to test security trimming by logging in as an authorized Active Directory user of a preconfigured security realm. For more information on setting up realms in Fusion, please refer to the following documentation.
- Log into Fusion using an authorized Active Directory user in the configured security realm.
- From the Launch pad, navigate to Search.
- Choose the Windows Share collection from the drop-down list
- Select the gear icon at the right of the search box and choose the query pipeline configured with Security trimming and click save.
- The query results will refresh and display the documents that the logged in user is authorized to view.
Alternatively, you can test the Security trimming pipeline query by using this API command in the browser or with curl:
curl 'http://<HOST>:<Fusion API port (8765)>/api/v1/query-pipelines/<Pipeline name>/collections/<Collection name>/select?echoParams=all&indent=true&q=*&username=<AD User>&rows=0'
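A repeatable version of the check above, as an added example (not Fusion's or the author's code): it builds the same select request for several AD users and flags any user whose hit count is not lower than that of the full-access account, which is the result to expect when trimming is not being applied. Assumptions: the response is Solr JSON with `response.numFound` (requested with `wt=json`), the host, pipeline, collection and user names are hypothetical, and the restricted users genuinely lack access to part of the share.

```python
import json
from urllib.parse import quote, urlencode
from urllib.request import urlopen

def trimmed_query_url(host, pipeline, collection, username, port=8765):
    """Build the page's select URL for one AD user, URL-encoding every part."""
    params = urlencode({"q": "*", "rows": 0, "wt": "json", "username": username})
    path = "/api/v1/query-pipelines/{}/collections/{}/select".format(
        quote(pipeline, safe=""), quote(collection, safe=""))
    return "http://{}:{}{}?{}".format(host, port, path, params)

def num_found(body):
    """Extract response.numFound (assumed Solr JSON layout) from a response body."""
    try:
        return int(json.loads(body)["response"]["numFound"])
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("no usable response.numFound in body") from exc

def fetch_count(host, pipeline, collection, username):
    """Run the page's query as `username`; API authentication is not covered here."""
    with urlopen(trimmed_query_url(host, pipeline, collection, username), timeout=10) as r:
        return num_found(r.read())

def audit(counts, full_access_user):
    """Compare each user's hit count with the full-access account's count."""
    total, verdicts = counts[full_access_user], {}
    for user, n in counts.items():
        if user == full_access_user:
            continue
        if n == 0:
            verdicts[user] = "NO RESULTS"   # ACLs or the AD lookup may be failing
        elif n >= total:
            verdicts[user] = "NOT TRIMMED"  # sees as much as the full-access account
        else:
            verdicts[user] = "trimmed"
    return verdicts

# Constructed sample responses for hypothetical users (not real Fusion output).
SAMPLE = {
    "svc-crawl": '{"response": {"numFound": 1200, "docs": []}}',
    "alice": '{"response": {"numFound": 340, "docs": []}}',
    "bob": '{"response": {"numFound": 1200, "docs": []}}',
}

if __name__ == "__main__":
    counts = {user: num_found(body) for user, body in SAMPLE.items()}
    for user, verdict in audit(counts, "svc-crawl").items():
        print(user, counts[user], verdict)
```

To run it against a live collection, replace `SAMPLE` with counts from `fetch_count` for a full-access account and a few users whose share permissions you know.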
Fusion allows you to add file-level permission capabilities to your search applications with the query pipeline API. With the Security trimming stage enabled, you can mirror individual file permissions in your search index.