Restrict IDOL Database Access

You can restrict access to individual IDOL index databases by creating privileges and associating them with IDOL roles. Only users who belong to a role with the necessary privileges can query a database.

To restrict a role’s access to specific databases

  1. Add a privilege to the IDOL Community component by sending a RoleAddPrivilege action from a browser.

    For example:

    http://localhost:9000/action=RoleAddPrivilege
                                       &Name=Databases
                                       &SingleValue=false

    This example creates a multivalued Databases privilege in Community.

  2. Add the privilege to a role, and specify a value for it.

    For example:

    http://localhost:9000/action=RoleSetPrivilegeForRole 
                                       &RoleName=Marketing
                                       &Privilege=Databases
                                       &Value=News,Markets,Sales

    This example adds the Databases privilege to the Marketing role. The Databases privilege has the value News,Markets,Sales.

  3. Use a SecurityInfo string in your queries to the IDOL Content component as usual. See Query IDOL with Security Information.

    TIP: If you do not have connector-generated ACLs for your documents, you can use an ACL of the form 1:U::G::NU::NG: in all documents to ensure that Content requires a valid security string.

NOTE: You can use the DatabasePrivilege parameter in the [Roles] section of the Community configuration file to specify a privilege that defines which databases all roles can access. The role to which all users belong by default is specified by the DefaultRolename parameter in the [Roles] section of the Community configuration file. This parameter is set to the everyone role by default.

NOTE: Every time you restart Community, it resets the databases that the default role can query (specified by the DefaultRolename configuration parameter) to include all databases. You can override this behavior and persist the databases that can be queried by the default role by setting AutoSetDatabases=False.

The SecurityInfo string approach is the most secure way to ensure that only authorized users can view the documents in a database. However, you can also identify the privileges directly in the front end if you do not want to use SecurityInfo strings.

To restrict a role’s access to specific databases without using SecurityInfo

  1. Set up the privilege and role as described in steps 1 and 2 of the previous procedure.
  2. Set up the front-end application to identify a user’s privileges when the user logs on to the system.

    For example:

    http://localhost:9000/action=RoleGetUserPrivilegeValueList
                                       &UserName=JSmith
                                       &Privilege=Databases

    If the user JSmith has been added only to the Marketing role, the result this action returns specifies that the user’s Databases privilege has the value News,Markets,Sales.

  3. The front-end application can now include the Databases privilege values in queries this user sends to the IDOL Content component. To specify databases to which a query is restricted, for example, the front end should add the DatabaseMatch parameter to the query it sends, and set it with the value that the RoleGetUserPrivilegeValueList action returned.

    For example:

    http://localhost:9000/action=Query
                                    &Text=2003 marketing campaigns in Europe
                                    &DatabaseMatch=News,Markets,Sales

    In this example, the query specified is applied to the News, Markets and Sales databases.