Introduction

Document security protects the information that you index into IDOL.

Your organization is likely to store information in many repositories. Many of these repositories have security features so that files and data can be viewed only by authorized personnel. Document security ensures that when you index information into an IDOL index, these permissions continue to be enforced. In response to a query, IDOL returns only documents that a user is permitted to view.

So that the IDOL Content component can protect your data, connectors must add an Access Control List (ACL) to a metadata field in each document. The ACL records which users and groups are permitted (or denied) access to the document; a document that is indexed without an ACL field cannot be protected in this way. In most cases you configure the connector to generate ACLs and add them to documents by setting the connector parameter MappedSecurity.

A user might be allowed or denied permission to view a document because they are a member of a security group (for example a group in your LDAP directory). This means that IDOL must consider group memberships in order to evaluate an ACL and determine whether a user can view a document.

Group information is extracted in the following ways:

  • Using the IDOL OmniGroupServer, which can extract group information from common types of directory, for example through LDAP.
  • Using an IDOL Connector. Some data repositories maintain their own database of security groups, and to extract those groups you usually need to use an IDOL Connector. In a traditional IDOL installation, you might configure your OmniGroupServer to send the SynchronizeGroups fetch action to your connectors on a regular schedule. With IDOL NiFi Ingest, your IDOL NiFi Ingest connectors retrieve the group information instead: the connectors that support the SynchronizeGroups action provide a Get*Groups processor, such as GetSharePointGroupsOData, to extract group information from a data repository, and you send that group information to your OmniGroupServer using the PutOGS processor.

    NOTE: The behavior of a Get*Groups processor changes depending on whether it has an incoming connection. Without an incoming connection, the processor synchronizes group information each time it is scheduled to run. If the processor has an incoming connection, it synchronizes group information only when it receives a FlowFile with the property idol.groups.action set to the value synchronizegroups.
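The following is an added example, not code from IDOL or from this guide. It shows the evaluation the text describes: a user's group memberships are merged from two sources (a directory, as OmniGroupServer would supply, and a repository's own groups, as a connector's SynchronizeGroups would supply), nested groups are expanded, and each document's ACL is then evaluated against the user and their groups. The ACL syntax used here (a default-access flag followed by U, NU, G and NG lists) follows the general shape of a standard IDOL ACL, but its exact field rules, and the choice that an explicit denial overrides any allow, are assumptions of this example; confirm both against the IDOL Document Security Administration Guide for your connector. All group tables and documents are constructed sample data.

```python
"""Added example (not IDOL code): ACL evaluation with merged, nested group membership.

ACL format assumed here (simplified, names must not contain ':' or ','):
    <flag>:U:<allowed users>:NU:<denied users>:G:<allowed groups>:NG:<denied groups>
flag 0 = deny unless listed, flag 1 = allow unless listed; lists are comma-separated.
"""
from dataclasses import dataclass

# Constructed sample data: groups as an LDAP directory (via OmniGroupServer) might report them.
# Values are members, which may be users or other groups (nested groups).
DIRECTORY_GROUPS = {
    "ldap/engineering": {"alice", "bob"},
    "ldap/staff": {"ldap/engineering", "carol"},  # ldap/engineering is nested in ldap/staff
}
# Constructed sample data: groups a repository keeps itself (via SynchronizeGroups / Get*Groups).
REPOSITORY_GROUPS = {
    "sp/site-owners": {"alice"},
    "sp/contractors": {"dave"},
}


@dataclass(frozen=True)
class Acl:
    allow_by_default: bool
    users: frozenset
    denied_users: frozenset
    groups: frozenset
    denied_groups: frozenset


def parse_acl(text):
    """Parse the assumed ACL format strictly; a malformed ACL must never be read as 'allow'."""
    parts = text.split(":")
    if len(parts) != 9 or parts[0] not in ("0", "1") or parts[1::2] != ["U", "NU", "G", "NG"]:
        raise ValueError(f"malformed ACL: {text!r}")

    def names(field):
        return frozenset(n for n in field.split(",") if n)

    return Acl(parts[0] == "1", names(parts[2]), names(parts[4]), names(parts[6]), names(parts[8]))


def expand_groups(user, group_tables):
    """All groups the user belongs to, directly or via nested groups, across every source."""
    members_of = {}
    for table in group_tables:
        for group, members in table.items():
            members_of.setdefault(group, set()).update(members)
    result, frontier = set(), {user}
    while frontier:  # breadth-first over nested membership; 'result' guards against cycles
        principal = frontier.pop()
        for group, members in members_of.items():
            if principal in members and group not in result:
                result.add(group)
                frontier.add(group)
    return result


def can_view(user, acl, groups):
    """Explicit denials (user or any group) win; then explicit allows; then the default flag."""
    if user in acl.denied_users or groups & acl.denied_groups:
        return False
    if user in acl.users or groups & acl.groups:
        return True
    return acl.allow_by_default


SAMPLE_ACL = "0:U:carol:NU:bob:G:ldap/engineering:NG:sp/contractors"

# Constructed sample index: each document carries its ACL in a metadata field.
SAMPLE_DOCS = [
    {"reference": "doc1", "acl": SAMPLE_ACL},
    {"reference": "doc2", "acl": "0:U::NU::G:sp/site-owners:NG:"},
    {"reference": "doc3", "acl": "0:U::NU:alice:G:ldap/staff:NG:"},  # alice denied despite group
]


def who_can_view(acl_text, users, group_tables=(DIRECTORY_GROUPS, REPOSITORY_GROUPS)):
    acl = parse_acl(acl_text)
    return {u: can_view(u, acl, expand_groups(u, group_tables)) for u in users}


def filter_results(user, documents, group_tables=(DIRECTORY_GROUPS, REPOSITORY_GROUPS)):
    """Return only the references of documents the user is permitted to view."""
    groups = expand_groups(user, group_tables)
    return [d["reference"] for d in documents if can_view(user, parse_acl(d["acl"]), groups)]


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "eve"):
        print(user, sorted(expand_groups(user, [DIRECTORY_GROUPS, REPOSITORY_GROUPS])),
              filter_results(user, SAMPLE_DOCS))
```

Two points worth noting from the sample data: bob is denied doc1 even though he is in the allowed group, because the denial is evaluated first, and bob is allowed doc3 only because the nested group ldap/engineering is expanded into ldap/staff. If group synchronization from either source is stale or missing, expansion produces fewer groups and users silently lose (or, with NG lists, gain) access, which is why the text treats group extraction as part of document security rather than an optional extra.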

For more information about document security, including how to configure IDOL Content and IDOL Community, refer to the IDOL Document Security Administration Guide.