Mapped Security Tutorial

The following tutorial demonstrates mapped security and shows how to check whether documents are returned successfully when a user submits a query with a valid security token.

Before starting, ensure that you have completed the following steps:

  • Configure the connector, CFS, OmniGroupServer, and the IDOL Content and Community components, as described in Set up Mapped Security.
  • Start all of the IDOL components or services.

NOTE: The following steps include example action commands. These use the standard ports for the relevant IDOL components. If you have configured the components to use different ports, change the following examples accordingly. Some action commands are split over several lines for readability.

To confirm that mapped security is configured successfully

  1. Instruct the connector to start retrieving documents by running the fetch action:

    http://connector:7132/action=fetch&fetchaction=synchronize&tasksections=MyTask

    where MyTask is the name of the fetch task that you configured in the connector's configuration file.

  2. To check that the documents were indexed successfully, run the following actions:

    • Check the status of the fetch action by sending the QueueInfo action to the connector:

      http://connector:7132/action=queueinfo&queueaction=getstatus
                                            &queuename=fetch
                                            &token=token

      where token is the token returned by the fetch action you sent in the previous step.

      The connector returns a response that shows new documents were ingested:

      <action>
         <status>Finished</status>
         <queued_time>2017-Apr-06 05:52:31</queued_time>
         <time_in_queue>0</time_in_queue>
         <process_start_time>2017-Apr-06 05:52:31</process_start_time>
         <time_processing>3</time_processing>
         <process_end_time>2017-Apr-06 05:52:34</process_end_time>
         <documentcounts>
           <documentcount task="MYTASK" errors="0" ingestadded="15" added="15"/>
         </documentcounts>
         <fetchaction>SYNCHRONIZE</fetchaction>
         <tasks>
           <success>MYTASK</success>
         </tasks>
         <tasksection>MyTask</tasksection>
         <token>...</token>
      </action>

    • Check whether the documents were indexed into the IDOL index:

      http://content:9100/action=list

      The IDOL Content component returns a list of documents. Notice the AUTONOMYMETADATA and SECURITYTYPE fields that were added by the connector.

      <autn:hit>
       <autn:content>
        <DOCUMENT>
          <DREREFERENCE>T3E20B2Q2|...</DREREFERENCE>
          <UUID>d49a97506694b06fa712fb4f00a448ef</UUID>
          <AUTN_GROUP>Connector</AUTN_GROUP>
          <AUTN_IDENTIFIER>...</AUTN_IDENTIFIER>
          <AUTN_TASK_BATCH_ID>MYTASK_bcf2c173384f881006b0ed...</AUTN_TASK_BATCH_ID>
          <AUTONOMYMETADATA>U:9u7i4+Po7vni...</AUTONOMYMETADATA>
          <DOCUMENT_METADATA_STANDARDIZED>1</DOCUMENT_METADATA_STANDARDIZED>
          <DREDBNAME>SLACK</DREDBNAME>
          <IMPORTVERSION>1287656</IMPORTVERSION>
          <SECURITYTYPE>SLACK</SECURITYTYPE>
          <TEAM_ID>T3E20B2Q2</TEAM_ID>
          <TEAM_NAME>IDOL Connectors</TEAM_NAME>
          <TEAM_URL>https://idolconnectors.slack.com/</TEAM_URL>
          <URL>https://idolconnectors.slack.com/files/...</URL>
        </DOCUMENT>
       </autn:content>
      </autn:hit>

      If the IDOL Content component does not return any documents, check that the documents reached CFS and then Content. If you run action=grl to see the CFS request log, you should see an ingest action from the connector. You can check that CFS issued a DREADD index command to the IDOL Content component by looking for the DREADD command in the Content component index log.

  3. Instruct OmniGroupServer to retrieve user and group information from the Slack repository:

    http://ogs:3057/a=StartJob&Repository=Slack

    where Slack is the name of the job (repository) that you configured in the OmniGroupServer configuration file.

  4. Check that OmniGroupServer has successfully retrieved the user information by running the GetAllUsers action:

    http://ogs:3057/a=GetAllUsers&Repository=Slack

    OmniGroupServer returns the users:

    <action>GETALLUSERS</action>
    <response>SUCCESS</response>
    <responsedata>
      <Users>user1@domain.com</Users>
      <Users>...</Users>
      <UserCount>2</UserCount>
    </responsedata>

  5. Check that OmniGroupServer has successfully retrieved the group information. Run the GetGroups action with a user name that was returned by the GetAllUsers action in the previous step:

    http://ogs:3057/a=GetGroups&Username=user1%40domain.com

  6. Add your users (as returned by OmniGroupServer in step 4) to the IDOL Community component by using the UserAdd action, for example:

    http://community:9030/a=UserAdd
                &Username=user1%40domain.com
                &Password=password
                &SecuritySlackUsername=user1%40domain.com

    where the Username parameter specifies the user name to use for the user in the IDOL Community component, and the SecuritySlackUsername parameter specifies the user name of the user in Slack.

  7. Obtain a SecurityInfo string for a user, by sending the UserRead action to the IDOL Community component. The SecurityInfo string contains security information for a user, for example a list of group memberships.

    http://community:9030/a=UserRead&SecurityInfo=true
                                    &Username=user1%40domain.com

  8. Run the Query action to obtain documents from the IDOL Content component. Your request must include the SecurityInfo string that you obtained in the previous step.

    http://content:9100/a=query&text=*
                               &maxresults=100
                               &securityinfo=securityinfo

    where securityinfo is the SecurityInfo string that you obtained from the IDOL Community component.

    NOTE: The SecurityInfo string can contain a significant amount of information, especially when a user is a member of a large number of groups. If you try to send this request from a web browser, the request might be truncated. You must also URL-encode the SecurityInfo string. For this reason, you might find it easier to send this request as an HTTP POST request using a tool such as cURL.

    Using cURL the same request looks like this:

    curl --data "text=*&maxresults=100" \
        --data-urlencode "securityinfo=securityinfo" \
        http://content:9100/a=query

    The IDOL Content component returns documents that the user is permitted to view:

    <action>QUERY</action>
    <response>SUCCESS</response>
    <responsedata>
      <autn:numhits>15</autn:numhits>
      <autn:hit>
        <autn:reference>T3E20B2Q2|...</autn:reference>
        <autn:id>9</autn:id>
        <autn:section>0</autn:section>
        <autn:weight>85.35</autn:weight>
        <autn:database>Slack</autn:database>
        <autn:content>
          <DOCUMENT>
            <TEAM_ID>T3E20B2Q2</TEAM_ID>
            <TEAM_NAME>IDOL Connectors</TEAM_NAME>
            <TEAM_URL>https://idolconnectors.slack.com/</TEAM_URL>
            <URL>https://idolconnectors.slack.com/files/...</URL>
            ...
          </DOCUMENT>
        </autn:content>
      </autn:hit>
      ...
    </responsedata>
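
The checks in steps 2 and 8 can be scripted. The following is an added example, not part of the original tutorial or of the product: it confirms that a QueueInfo response reports a finished fetch with no errors, lists any indexed documents that lack the AUTONOMYMETADATA or SECURITYTYPE fields, and builds the URL-encoded POST body for the query. The function names, the sample responses, and the namespace URI in the sample are assumptions constructed from the response shapes shown above.

```python
import urllib.parse
import xml.etree.ElementTree as ET

ACL_FIELDS = ("AUTONOMYMETADATA", "SECURITYTYPE")  # fields added by the connector

def fetch_ok(queueinfo_xml):
    """True if the fetch finished and every task reports errors="0"."""
    root = ET.fromstring(queueinfo_xml)
    counts = root.findall(".//documentcount")
    return (root.findtext(".//status") == "Finished" and bool(counts)
            and all(c.get("errors") == "0" for c in counts))

def docs_missing_acl(list_xml):
    """References of indexed documents with an empty or absent ACL field."""
    missing = []
    for doc in ET.fromstring(list_xml).iter("DOCUMENT"):
        if any(not (doc.findtext(f) or "").strip() for f in ACL_FIELDS):
            missing.append(doc.findtext("DREREFERENCE"))
    return missing

def query_body(securityinfo, text="*", maxresults=100):
    """URL-encoded POST body for a=query, matching the cURL request in step 8."""
    return urllib.parse.urlencode(
        {"text": text, "maxresults": maxresults, "securityinfo": securityinfo})

# Constructed sample responses (not captured from a real system).
QUEUEINFO = """<action><status>Finished</status><documentcounts>
<documentcount task="MYTASK" errors="0" ingestadded="15" added="15"/>
</documentcounts></action>"""

# The xmlns:autn value is an assumption; the code only matches DOCUMENT elements.
LIST = """<responsedata xmlns:autn="http://schemas.autonomy.com/aci/">
<autn:hit><autn:content><DOCUMENT>
  <DREREFERENCE>ref-1</DREREFERENCE>
  <AUTONOMYMETADATA>U:constructed</AUTONOMYMETADATA>
  <SECURITYTYPE>SLACK</SECURITYTYPE>
</DOCUMENT></autn:content></autn:hit>
<autn:hit><autn:content><DOCUMENT>
  <DREREFERENCE>ref-2</DREREFERENCE>
  <SECURITYTYPE>SLACK</SECURITYTYPE>
</DOCUMENT></autn:content></autn:hit>
</responsedata>"""

if __name__ == "__main__":
    print("fetch ok:", fetch_ok(QUEUEINFO))
    print("documents missing ACL fields:", docs_missing_acl(LIST))
    print("POST body:", query_body("constructed+token/value=="))
```

Any reference returned by docs_missing_acl is worth investigating before you rely on the query test in step 8, because that document was indexed without one of the fields the connector is expected to add.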