Introduction

The SharePoint mapped security architecture includes the following components and data flows.

Items in the SharePoint repository have an Access Control List (ACL) that lists the users and groups who are permitted, and are not permitted, to view the item. The IDOL Content component needs the ACL to determine whether a user can view a document that is returned as a result to a query. When the SharePoint Connector retrieves information from the repository, it extracts the Access Control List (ACL) for the item and writes it to a document field. Each time the connector synchronizes with the repository, it extracts updated ACLs.

On-premise SharePoint instances are typically linked with Active Directory, and administrators can assign permissions to Active Directory users, Active Directory groups, or groups that have been defined within SharePoint site collections (SharePoint groups). For example, a user might have permission to view a document in SharePoint because they are a member of an NT domain group.

In SharePoint Online, permissions can be assigned to users and groups. These users and groups can be managed in SharePoint Online or in an on-premise Active Directory.

In either SharePoint on-premise or SharePoint Online, claims-based authentication can be used, meaning that users and groups could be managed from a claims provider other than Active Directory.

Therefore, IDOL must also consider the groups that a user belongs to. A user might not be permitted to view a document directly, but they could be a member of a group that has permission. This means that IDOL also requires user and group information, not just the document ACLs.

OmniGroupServer can retrieve users and groups from Active Directory or a claims provider, but it must request SharePoint groups through the SharePoint Connector. OmniGroupServer must be configured to extract, combine, and store the group information from both sources.

When a user logs on to a front-end application, the application requests the user’s security information and group memberships from the IDOL Community component. Community returns a token containing the information. The front-end application includes this token in all queries it sends to the IDOL Content component.

After a user submits a query, Content sends the result documents and the user’s security token to the Mapped Security plug-in. The Mapped Security plug-in compares the user’s security information and group memberships to each document’s ACL. The plug-in determines which documents the user is permitted to view and returns the results. Content then sends only the documents that the user is permitted to view to the front-end application.
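The filtering step described above, as an added illustration that is not IDOL's own plug-in code: the token is a constructed stand-in for what Community returns (user plus group memberships combined from Active Directory and SharePoint groups), the ACL is modelled as allow and deny sets, and the rule that an explicit deny overrides any allow is an assumption made for this example, not something the page states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityToken:
    """Stand-in for the security token: the user's identity and group memberships."""
    user: str
    groups: frozenset


@dataclass(frozen=True)
class Document:
    """A result document with the ACL the connector wrote to a document field."""
    ref: str
    allow: frozenset  # users and groups permitted to view the item
    deny: frozenset   # users and groups explicitly not permitted


def build_token(user, ad_groups, sharepoint_groups):
    """Combine memberships from both sources (the OmniGroupServer role).

    Principals are lower-cased so that ACL and token entries compare
    consistently; case-insensitive matching is an assumption of this example.
    """
    groups = frozenset(g.lower() for g in (*ad_groups, *sharepoint_groups))
    return SecurityToken(user.lower(), groups)


def can_view(token, doc):
    """Deny entries win; otherwise access is granted via the user or any group."""
    principals = {token.user} | token.groups
    if principals & doc.deny:
        return False
    return bool(principals & doc.allow)


def filter_results(token, docs):
    """Return only the references the user is permitted to view, in query order."""
    return [d.ref for d in docs if can_view(token, d)]


# Constructed sample data: one user, four result documents.
SAMPLE_TOKEN = build_token("CORP\\alice", ["CORP\\Domain Users", "CORP\\Finance"],
                           ["Finance Site Members"])
SAMPLE_DOCS = [
    Document("doc1", frozenset({"corp\\finance"}), frozenset()),            # AD group grants
    Document("doc2", frozenset({"finance site members"}), frozenset()),     # SharePoint group grants
    Document("doc3", frozenset({"corp\\domain users"}), frozenset({"corp\\alice"})),  # explicit deny
    Document("doc4", frozenset({"corp\\bob"}), frozenset()),                # not listed at all
]

if __name__ == "__main__":
    print(filter_results(SAMPLE_TOKEN, SAMPLE_DOCS))  # ['doc1', 'doc2']
```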