Security
Knowledge Discovery allows you to set permissions to protect your information and ensure that only the correct people can access it.
Security in Knowledge Discovery covers the following main areas:
- User authentication
- Document security
- Index Encryption
- Secure communications
The following sections provide a little more information about security in Knowledge Discovery. For further information, refer to the Document Security Administration Guide.
User Authentication
User authentication in Knowledge Discovery is managed by the Community component, which stores details of your users and their security information. You can create users directly in Community, or synchronize the user data from another user repository, such as Microsoft Active Directory.
Another important component in Knowledge Discovery security is the OmniGroupServer, which collects security information from your repositories, and applies it to the users in Knowledge Discovery.
Document Security
The information that you store in the Knowledge Discovery text index might come from many different repositories. Most repositories have security features that apply permissions to files, so that only authorized users can access them. These repositories store details about the user names that use the system, and the permission groups that these users belong to.
When you index the data into Knowledge Discovery, Knowledge Discovery includes security information from your repositories, by using Knowledge Discovery mapped security. Mapped security ensures that query results return only documents that the user has permission to view, without needing to call out to the original secure repository, which reduces overhead and improves responsiveness.
In mapped security, Knowledge Discovery compares the security details for a user against an Access Control List (ACL) in the document.
Knowledge Discovery connectors create the ACLs when they ingest the document, by using the permissions in your data repositories. The ACL contains information about the users and groups that have permission to view the document.
The Knowledge Discovery OmniGroupServer collects and stores the user and group information for your users, and provides it to the Community component, which manages the authentication.
The general process for a system that uses document security is:
- The user logs on to your application, which sends authentication details to the Community component.
- Community returns a user security info token to the application, which stores it for the user session.
- The user sends a text query through your application, and the application attaches the user security info token to the query that it forwards to the Content component.
- Knowledge Discovery uses the security information in the query string to check the user permissions. It matches the security string against the document ACLs.
- Knowledge Discovery returns the documents that match the query and that the user has permission to see. It excludes any matching documents that the user does not have permissions for.
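A conceptual model of the five steps above, as an added example rather than Knowledge Discovery code. The HMAC-signed token format, the function names, the deny-by-default handling of a document without an ACL, and the sample users and documents are all assumptions constructed for illustration; they do not reflect the product's actual token format or API.

```python
import base64, hashlib, hmac, json

# Hypothetical key: stands in for however the real components trust each other.
SHARED_KEY = b"constructed-demo-key"

# Constructed sample data: a user store and an index with per-document ACLs.
USERS = {
    "alice": {"password": "pw-a", "groups": ["finance"]},
    "bob": {"password": "pw-b", "groups": ["engineering"]}}
INDEX = [
    {"id": "doc1", "text": "quarterly budget report", "acl": {"users": [], "groups": ["finance"]}},
    {"id": "doc2", "text": "budget for build servers", "acl": {"users": ["bob"], "groups": []}},
    {"id": "doc3", "text": "budget draft, no ACL ingested", "acl": None},
]

def _sign(payload: bytes) -> str:
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()

def issue_token(username, password):
    """Steps 1-2 (Community role): authenticate, return a security info token."""
    user = USERS.get(username)
    # Plain comparison is a stand-in for a real credential check.
    if user is None or not hmac.compare_digest(user["password"], password):
        raise PermissionError("authentication failed")
    payload = json.dumps({"user": username, "groups": user["groups"]}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def read_token(token):
    """Step 4: accept the security info only if it has not been altered."""
    body, _, sig = token.partition(".")
    try:
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:
        raise PermissionError("malformed security token")
    if not hmac.compare_digest(_sign(payload), sig):
        raise PermissionError("invalid security token")
    return json.loads(payload)

def can_view(info, acl):
    """Match the user's name and groups against one document ACL."""
    if acl is None:
        return False  # assumption in this model: no ACL means no access
    return info["user"] in acl["users"] or bool(set(info["groups"]) & set(acl["groups"]))

def query(text, token):
    """Steps 3-5 (Content role): return only matching documents the user may see."""
    info = read_token(token)
    return [d["id"] for d in INDEX if text in d["text"] and can_view(info, d["acl"])]
```

The permission check runs entirely against data held with the index, which is the property the mapped security description relies on: no call back to the source repository is needed at query time.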
Knowledge Discovery document security applies to any kind of query in Knowledge Discovery that handles documents. For example, users can add a document to their agents only if they have permissions to see it. Those permissions then apply to other users viewing the agents.
Index Encryption
You can configure the Content component to encrypt the document data that it stores on disk. Index encryption ensures that even administrators who have access to the servers where you store Knowledge Discovery content cannot view any content from documents that they do not have permission to view.
For more information about index encryption, refer to the Content component Help.
Secure Communications
You can configure Transport Layer Security (TLS/SSL) communications for all ACI servers, NiFi and front-end applications.
Knowledge Discovery also supports GSSAPI for authentication and secure communications.