Mapped Security Architecture
The mapped security architecture includes the following components:
- The Salesforce repository.
- Knowledge Discovery Salesforce Connector
- Knowledge Discovery OmniGroupServer
- Knowledge Discovery Content and Community components
  NOTE: Mapped Security for Salesforce requires Content and Community 12.10 or later.
- A front-end application
Items in Salesforce have associated permissions that specify the users and groups who are permitted, and who are not permitted, to view them. The Salesforce Connector retrieves the items from Salesforce and creates documents that can be indexed. To each document the connector adds an Access Control List (ACL) which contains the security information. Each time the connector synchronizes with the repository, it updates the ACLs for any documents where the associated permissions have changed.
The Content component needs the ACL to determine whether a user can view a document that is returned as a result to a query. However, the Content component must also consider the groups that the user belongs to. A user might not be permitted to view a document, but they could be a member of a group that has permission. This means that the Content component requires the user and group information associated with the files.
The connector can extract user and group information from the Salesforce repository. This functionality is available through the SynchronizeGroups action. Based on a schedule, OmniGroupServer sends a request to the connector to run this action and the connector returns the information. OmniGroupServer then stores the user and group information so that the Community component can query it.
When a user logs on to a front-end application, the application requests the user’s security information and group memberships from the Community component. The Community component returns a token containing the information. The front-end application includes this token in all queries the user sends to the Content component.
When a user submits a query, the Content component sends the result documents and the user’s security token to the Mapped Security plug-in. The Mapped Security plug-in compares the user’s security information and group memberships to each document’s ACL. The plug-in determines which documents the user is permitted to view and returns the results. The Content component then sends only the documents that the user is permitted to view to the front-end application.
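The following added example (not code from the product) models the result filtering described above: each result document carries an ACL, and the user's token carries their identity and group memberships. The Acl and Token classes, the function names and the sample data are hypothetical, and the rules that an explicit deny overrides an allow and that a document with no ACL is hidden are assumptions; the real ACL and token formats are not shown on this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    """Simplified ACL: principals permitted and not permitted to view a document."""
    allow_users: frozenset = frozenset()
    allow_groups: frozenset = frozenset()
    deny_users: frozenset = frozenset()
    deny_groups: frozenset = frozenset()

@dataclass(frozen=True)
class Token:
    """Simplified security token: the user's name and group memberships."""
    user: str
    groups: frozenset

def can_view(token, acl):
    # Assumption: fail closed, so a document with no ACL is never returned.
    if acl is None:
        return False
    # Assumption: an explicit deny (user or group) overrides any allow.
    if token.user in acl.deny_users or token.groups & acl.deny_groups:
        return False
    # Permitted directly, or through membership of a permitted group.
    return token.user in acl.allow_users or bool(token.groups & acl.allow_groups)

def filter_results(token, results):
    """Return only the document references the token is permitted to view."""
    return [ref for ref, acl in results if can_view(token, acl)]

# Constructed sample data (not real Salesforce items or ACLs).
RESULTS = [
    ("opportunity-1", Acl(allow_users=frozenset({"alice"}))),
    ("case-7", Acl(allow_groups=frozenset({"support"}))),
    ("contract-3", Acl(allow_groups=frozenset({"sales"}),
                       deny_users=frozenset({"bob"}))),
    ("draft-9", None),
]
ALICE = Token("alice", frozenset({"sales"}))
BOB = Token("bob", frozenset({"sales", "support"}))

if __name__ == "__main__":
    print(filter_results(ALICE, RESULTS))
    print(filter_results(BOB, RESULTS))
```

In this model, the group memberships in the token are only as current as the last scheduled SynchronizeGroups run, so a membership removed in Salesforce continues to grant access until the next synchronization.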