Endeca - Security

Data

Metadata Security in Records

Data source(s) may contain not only records, but also metadata describing access rights to those records, such as ACLs.

On ingest, each record can be tagged with ACLs and other security metadata.

Example:

Record Spec   LDAP Group   Department
1             LDAPGroup1   Marketing
2             LDAPGroup2   Sales
3             LDAPGroup2   Logistic

Oracle Endeca Server presents this security-annotated data for querying.

EndUser login

The end user logs in and receives credentials from an internal or external authentication provider (such as Active Directory or LDAP).

  • User: scott
  • LDAP: LDAPGroup1
  • Department: Sales

Searching

scott does a text-based search. Studio appends custom security filters, derived from scott's credentials, to all Endeca Server queries.

Security Filter

OR(LdapGroup:LDAPGroup1,Department:Sales)

Query results contain only data that scott is authorized to see.

Object

Studio offers Scott those pages/components that his LDAP group allows.

Filter

Security filters, and the mapping of the roles to which they apply, are coded per data source. In the example below, the data source restricts the regions a user can see wines from, based on an assigned French or Austrian wine role.

{
	"server" : "server01.lab.acme.com",
	"port" : "15000",
	"dataDomainName" : "acmeDB",
	"name" : "European Wines",
	"description" : "Sales transactions for European wines",

	"securityEnabled" : "true",
	"inheritSecurity" : "true",

	"securityFilters" : {
		"frenchFilter" : {
			"class" : "com.endeca.portal.data.functions.DataSourceFilter",
			"filterString" : "Region='Bordeaux' OR Region='Burgundy'"
		},
		"austrianFilter" : {
			"class" : "com.endeca.portal.data.functions.DataSourceFilter",
			"filterString" : "Region='Austria' OR Region='Burgenland' OR Region='Steiermark'"
		}
	},

	"rolePermissionsMultiOr" : "true",
	"rolePermissions" : {
		"French Wine" : ["frenchFilter"],
		"Austrian Wine" : ["austrianFilter"]
	}
}
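The following added example (not Oracle or Studio code) lints the role-to-filter mapping of the data source above and computes the filter a user with several roles would end up with. It assumes that "rolePermissionsMultiOr" set to "true" combines per-role filters with OR and any other value with AND, that several filters on one role are ANDed, and that a user with no mapped role gets no data; the names lint and effective_filter are hypothetical.

```python
import json

# Constructed sample: only the security keys of the data source above.
DATA_SOURCE = json.loads("""{
  "securityEnabled": "true",
  "securityFilters": {
    "frenchFilter": {"filterString": "Region='Bordeaux' OR Region='Burgundy'"},
    "austrianFilter": {"filterString":
      "Region='Austria' OR Region='Burgenland' OR Region='Steiermark'"}
  },
  "rolePermissionsMultiOr": "true",
  "rolePermissions": {"French Wine": ["frenchFilter"],
                      "Austrian Wine": ["austrianFilter"]}
}""")


def lint(ds):
    """Report roles that reference undefined filters, and filters no role uses."""
    defined = set(ds.get("securityFilters", {}))
    used = {f for names in ds.get("rolePermissions", {}).values() for f in names}
    return ([f"undefined filter: {f}" for f in sorted(used - defined)]
            + [f"unused filter: {f}" for f in sorted(defined - used)])


def effective_filter(ds, user_roles):
    """Return the combined filter string for a user, or None to deny access."""
    if ds.get("securityEnabled") != "true":
        raise ValueError("security is not enabled on this data source")
    filters, perms = ds["securityFilters"], ds["rolePermissions"]
    per_role = []
    for role in user_roles:
        names = perms.get(role)
        if not names:
            continue  # role has no mapping in this data source
        # Assumption: several filters on one role are ANDed together.
        expr = " AND ".join(f"({filters[n]['filterString']})" for n in names)
        per_role.append(f"({expr})" if len(names) > 1 else expr)
    if not per_role:
        return None  # this sketch's choice: no mapped role means no data
    # Assumption: "true" ORs the per-role filters, anything else ANDs them.
    joiner = " OR " if ds.get("rolePermissionsMultiOr") == "true" else " AND "
    return joiner.join(per_role)


if __name__ == "__main__":
    print(lint(DATA_SOURCE))
    print(effective_filter(DATA_SOURCE, ["French Wine", "Austrian Wine"]))
```

Under these assumptions, every extra role widens what the user sees when the flag is "true", while with "false" a user holding both wine roles gets a filter that no single Region value can satisfy.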

Custom

A custom security manager can be created when the default role-based data source security is insufficient for filtering data from Endeca Server. A custom security manager implements the com.endeca.portal.data.security.MDEXSecurityManager base class.

