Introduction

The Exchange mapped security architecture includes the following components:

  • Active Directory
  • Exchange repository
  • Exchange Web Service Connector
  • OpenText OmniGroupServer
  • OpenText IDOL server
  • OpenText IDOL Mapped Security plug-in
  • A front-end application

Items in the Exchange repository have an Access Control List (ACL) that lists the users and groups who are permitted, and are not permitted, to view the item.

The Exchange Connector retrieves information from the repository and sends documents to the Connector Framework Server (CFS) to be indexed into IDOL Server. The connector extracts the ACL for each item and writes it to a document field. Each time the connector synchronizes with the repository, it extracts the updated ACLs, so the indexed permissions track changes made in Exchange.

IDOL needs the ACL to determine whether a user can view a document that is returned as a result to a query. However, IDOL must also consider the groups that the user belongs to. A user might not be permitted to view a document, but they could be a member of a group that has permission. Exchange uses NT security. This means that IDOL requires the user and group information from your Active Directory.

OmniGroupServer extracts the security group information from Active Directory using LDAP, and stores it.

When a user logs on to a front-end application, the application requests the user’s security information and group memberships from IDOL server. IDOL returns a token containing the information. The front-end application includes this token in all queries the user sends to IDOL.

After a user submits a query, IDOL sends the result documents and the user’s security token to the Mapped Security plug-in. The Mapped Security plug-in compares the user’s security information and group memberships to each document’s ACL. The plug-in determines which documents the user is permitted to view and returns the results. IDOL server then sends only the documents that the user is permitted to view to the front-end application.
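The following is an added example, not code from the OpenText documentation or from IDOL itself. It models the filtering step described above: a security token holding the user and their (transitively resolved) Active Directory group memberships is compared against each result document's ACL field, and only permitted documents are returned. The ACL field format (`allow:<principal>;deny:<principal>`), the sample documents, the group membership table and the evaluation rule (a matching deny entry wins over allow entries; an ACL that names neither the user nor any of their groups denies access) are all assumptions made for this example; the real IDOL ACL field format and the plug-in's exact evaluation rules are not shown on the page.

```python
"""Toy model of the Mapped Security filtering step (added example, not
OpenText/IDOL code).

Assumptions, not taken from the documentation:
- ACL field: semicolon-separated "allow:<principal>" / "deny:<principal>".
- Evaluation: any matching deny entry wins; no matching entry means denied.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    principal: str   # user or group, e.g. "corp\\alice" (lower-cased)


def parse_acl(acl_field: str) -> list[Ace]:
    """Parse the constructed ACL field format into access control entries."""
    aces = []
    for raw in acl_field.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        kind, _, principal = raw.partition(":")
        kind = kind.strip().lower()
        if kind not in ("allow", "deny") or not principal.strip():
            raise ValueError(f"malformed ACL entry: {raw!r}")
        aces.append(Ace(kind, principal.strip().lower()))
    return aces


def resolve_groups(user: str, group_members: dict[str, set[str]]) -> frozenset[str]:
    """Transitively resolve a user's groups, including nested group membership.

    Stands in for the group information OmniGroupServer gathers from Active
    Directory over LDAP; group_members maps group -> direct members (users or groups).
    """
    members = {g.lower(): {m.lower() for m in ms} for g, ms in group_members.items()}
    result: set[str] = set()
    frontier = [user.lower()]
    while frontier:
        principal = frontier.pop()
        for group, ms in members.items():
            if principal in ms and group not in result:
                result.add(group)
                frontier.append(group)   # the group may itself belong to groups
    return frozenset(result)


@dataclass
class SecurityToken:
    """Stands in for the token IDOL returns when the user logs on."""
    user: str
    groups: frozenset[str] = field(default_factory=frozenset)

    def principals(self) -> frozenset[str]:
        return frozenset({self.user.lower(), *(g.lower() for g in self.groups)})


def is_permitted(token: SecurityToken, acl_field: str) -> bool:
    """Compare the token's user and groups with one document's ACL."""
    principals = token.principals()
    matched = [a for a in parse_acl(acl_field) if a.principal in principals]
    if any(a.kind == "deny" for a in matched):
        return False                      # explicit deny overrides any allow
    return any(a.kind == "allow" for a in matched)


def filter_results(token: SecurityToken, documents: list[dict]) -> list[dict]:
    """Return only the result documents the user is permitted to view."""
    return [doc for doc in documents if is_permitted(token, doc["acl"])]


# Constructed sample data (not real Exchange or AD content).
GROUP_MEMBERS = {
    "CORP\\finance": {"CORP\\alice"},
    "CORP\\all-staff": {"CORP\\finance", "CORP\\bob"},   # nested group
}
DOCUMENTS = [
    {"reference": "msg-001", "acl": "allow:corp\\alice"},
    {"reference": "msg-002", "acl": "allow:corp\\finance"},          # via group
    {"reference": "msg-003", "acl": "deny:corp\\alice;allow:corp\\finance"},
    {"reference": "msg-004", "acl": "allow:corp\\legal"},            # no match
]

if __name__ == "__main__":
    token = SecurityToken("CORP\\alice", resolve_groups("CORP\\alice", GROUP_MEMBERS))
    for doc in filter_results(token, DOCUMENTS):
        print(doc["reference"])
```

Running the block prints `msg-001` and `msg-002`: the first is allowed directly, the second only through the `finance` group, while `msg-003` is withheld because the deny entry naming the user outweighs the group's allow, and `msg-004` names no principal in the token.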