Mapped Security Example
The following diagram shows the components involved in a Mapped Security architecture:
Connectors extract information from third-party repositories so that you can index the information into an IDOL Content component index. The connector adds an Access Control List (ACL) to a metadata field in each document. The ACL describes which users and groups are permitted to view the document. NiFi indexes the document into Content.
At the same time, OmniGroupServer retrieves group memberships from the third party repositories and from directories such as Active Directory. OmniGroupServer stores this information until it is needed. In some cases, where a repository uses its own system for storing users and groups, OmniGroupServer queries a connector to retrieve group information.
If the permissions set on a file in a repository are changed, NiFi Ingest updates the document ACL in the index. If a user's group memberships change, the group information is updated in OmniGroupServer the next time the group server synchronizes with the repository.
To use the front-end application, a user must log on. After authentication succeeds, the front-end application sends a query to the IDOL Community component to retrieve the user security information. Community returns an encrypted securityinfo string that contains the names of the groups the user is a member of. The front-end stores the string, because it must be sent with every query to the IDOL Content component. Because the string is encrypted by Community, the front-end can only relay it; it cannot read or alter the group list it carries.
When a user does something in the front-end application that requires information from the IDOL index (for example, starting a search), the front-end sends a query to Content and includes the securityinfo string. Content runs the operation and sends the resulting documents and the user security information to the Mapped Security plug-in. The plug-in compares the user security information with the ACL of each document and returns only the documents that the user is permitted to view. Content then returns these documents to the front-end.
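The following Python script walks through the request flow just described: fetch the securityinfo string from Community, carry it on a Content query, and filter a result set against per-document ACLs. It is an added illustration, not IDOL product code or the Mapped Security plug-in itself. The Community response is a constructed sample whose shape (a `<autn:securityinfo>` element under `responsedata`) is assumed, the host names and ports are placeholders, and the ACL grammar used by the filter (`U:`, `NU:`, `G:`, `NG:` sections) is a simplified stand-in for whatever format the connector actually writes, which this page does not specify.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

AUTN_NS = "{http://schemas.autonomy.com/aci/}"

# Constructed sample of a Community UserRead response (assumed shape). In a real
# deployment the securityinfo value is an opaque string encrypted by Community.
SAMPLE_USERREAD_RESPONSE = """<autnresponse xmlns:autn="http://schemas.autonomy.com/aci/">
  <action>USERREAD</action>
  <response>SUCCESS</response>
  <responsedata>
    <autn:username>jsmith</autn:username>
    <autn:securityinfo>MTIzNDU2Nzg5MGFiY2RlZg==</autn:securityinfo>
  </responsedata>
</autnresponse>"""


def community_userread_url(host, port, username):
    """Build the Community request that asks for a user's securityinfo.
    Assumed ACI action: UserRead with SecurityInfo=true."""
    params = {"UserName": username, "SecurityInfo": "true"}
    return f"http://{host}:{port}/action=UserRead&{urlencode(params)}"


def extract_securityinfo(xml_text):
    """Pull the securityinfo string out of a UserRead response; fail closed if absent."""
    root = ET.fromstring(xml_text)
    if root.findtext("response") != "SUCCESS":
        raise RuntimeError("UserRead did not succeed")
    node = root.find(f"responsedata/{AUTN_NS}securityinfo")
    if node is None or not (node.text or "").strip():
        raise RuntimeError("no securityinfo returned; do not query Content without it")
    return node.text.strip()


def content_query_url(host, port, text, securityinfo):
    """Build a Content query that carries the securityinfo string.
    The encrypted string usually contains '+', '/' and '=', so it is percent-encoded."""
    params = {"Text": text, "SecurityInfo": securityinfo}
    return f"http://{host}:{port}/action=Query&{urlencode(params)}"


def parse_acl(acl):
    """Parse this example's illustrative ACL grammar (not IDOL's own):
    'U:alice,bob;NU:carol;G:sales,legal;NG:contractors'."""
    parsed = {"U": set(), "NU": set(), "G": set(), "NG": set()}
    for part in filter(None, acl.split(";")):
        key, _, names = part.partition(":")
        if key not in parsed:
            raise ValueError(f"unknown ACL section {key!r}")
        parsed[key].update(n.strip().lower() for n in names.split(",") if n.strip())
    return parsed


def is_permitted(username, groups, acl):
    """Decide access the way the plug-in pass is described: the user name and group
    list stand in for what Content decrypts from the securityinfo string."""
    if not acl:
        return False  # document carries no ACL: fail closed rather than leak it
    sections = parse_acl(acl)
    user = username.lower()
    member_of = {g.lower() for g in groups}
    if user in sections["NU"] or member_of & sections["NG"]:
        return False  # an explicit denial wins over any grant
    return user in sections["U"] or bool(member_of & sections["G"])


def filter_results(username, groups, documents):
    """Return the references of the documents the user may see."""
    return [d["reference"] for d in documents
            if is_permitted(username, groups, d.get("ACL", ""))]


# Constructed result set, as Content would hand it to the plug-in before filtering.
SAMPLE_RESULTS = [
    {"reference": "doc-1", "ACL": "U:jsmith;G:;NU:;NG:"},
    {"reference": "doc-2", "ACL": "G:sales,legal"},
    {"reference": "doc-3", "ACL": "G:sales;NG:contractors"},
    {"reference": "doc-4", "ACL": "G:finance"},
    {"reference": "doc-5"},  # ACL field missing entirely
]

if __name__ == "__main__":
    print(community_userread_url("community", 9030, "jsmith"))
    token = extract_securityinfo(SAMPLE_USERREAD_RESPONSE)
    print(content_query_url("content", 9100, "quarterly results", token))
    print(filter_results("jsmith", ["Sales", "Contractors"], SAMPLE_RESULTS))
```

Two points worth keeping when adapting this: send the securityinfo with a POST rather than on a GET query string in production so that the encrypted token does not end up in proxy and server access logs, and treat a document with no ACL field as not viewable, since a missing ACL usually means the connector or ingest pipeline failed rather than that the document is public.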