Endeca - Security
Data
Metadata Security in Records
Data source(s) may contain not only records, but also metadata describing access rights to those records, such as ACLs.
On ingest, each record can be tagged with ACLs and other security metadata.
Example:
Record Spec | LDAP Group | Department |
---|---|---|
1 | LDAPGroup1 | Marketing |
2 | LDAPGroup2 | Sales |
3 | LDAPGroup2 | Logistic |
Oracle Endeca Server presents this security-annotated data for querying.
EndUser login
The end user logs in and receives credentials from the internal or external authentication provider (such as Active Directory or LDAP).
- User: scott
- LDAP: LDAPGroup1
- Department: Sales
Searching
scott does a text-based search. Studio appends custom security filters, derived from scott's credentials, to all Endeca Server queries.
Security Filter
OR(LdapGroup:LDAPGroup1,Department:Sales)
Query results contain only data that scott is authorized to see.
Object
Studio offers Scott those pages/components that his LDAP group allows.
Filter
Security filters, as well as the mapping of the roles they apply to, are coded per data source. In the example below, the data source restricts the regions a user can see wines from, based on an assigned French or Austrian wine role:
{
  "server" : "server01.lab.acme.com",
  "port" : "15000",
  "dataDomainName" : "acmeDB",
  "name" : "European Wines",
  "description" : "Sales transactions for European wines",
  "securityEnabled" : "true",
  "inheritSecurity" : "true",
  "securityFilters" : {
    "frenchFilter" : {
      "class" : "com.endeca.portal.data.functions.DataSourceFilter",
      "filterString" : "Region='Bordeaux' OR Region='Burgundy'"
    },
    "austrianFilter" : {
      "class" : "com.endeca.portal.data.functions.DataSourceFilter",
      "filterString" : "Region='Austria' OR Region='Burgenland' OR Region='Steiermark'"
    }
  },
  "rolePermissionsMultiOr" : "true",
  "rolePermissions" : {
    "French Wine" : ["frenchFilter"],
    "Austrian Wine" : ["austrianFilter"]
  }
}
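The sketch below is an added example, not Oracle's code: it lints the security keys of the data source definition above and models the role-based filter a user with a given set of roles would receive. The function names (`lint`, `group`, `effective_filter`) are hypothetical, and the OR/AND reading of `rolePermissionsMultiOr`, the AND within one role and the deny result for a user with no mapped role are assumptions of this model.

```python
import json

# Constructed sample: the security keys of the data source definition shown above.
DATA_SOURCE = json.loads("""{
  "securityEnabled": "true",
  "securityFilters": {
    "frenchFilter": {"filterString": "Region='Bordeaux' OR Region='Burgundy'"},
    "austrianFilter": {"filterString":
      "Region='Austria' OR Region='Burgenland' OR Region='Steiermark'"}
  },
  "rolePermissionsMultiOr": "true",
  "rolePermissions": {"French Wine": ["frenchFilter"],
                      "Austrian Wine": ["austrianFilter"]}
}""")

def lint(ds):
    """List mistakes that would leave roles unmapped or data unfiltered."""
    problems = []
    if ds.get("securityEnabled") != "true":
        problems.append("securityEnabled is not 'true'")
    defined, used = set(ds.get("securityFilters", {})), set()
    for role, names in ds.get("rolePermissions", {}).items():
        for name in names:
            used.add(name)
            if name not in defined:
                problems.append(f"role '{role}' references undefined filter '{name}'")
    problems += [f"filter '{n}' is not mapped to any role" for n in sorted(defined - used)]
    return problems

def group(parts, op):
    """Join sub-expressions with op, parenthesising each to keep precedence explicit."""
    return parts[0] if len(parts) == 1 else op.join(f"({p})" for p in parts)

def effective_filter(ds, roles):
    """Model of the role-based filter for a user; None means deny (assumed policy)."""
    filters, per_role = ds["securityFilters"], []
    for role in roles:
        names = ds["rolePermissions"].get(role, [])
        if names:
            # Assumption: several filters on one role must all hold (AND).
            per_role.append(group([filters[n]["filterString"] for n in names], " AND "))
    if not per_role:
        return None  # fail closed: no mapped role means no access in this model
    # Assumption: "true" joins the roles' filters with OR, anything else with AND.
    op = " OR " if ds.get("rolePermissionsMultiOr") == "true" else " AND "
    return group(per_role, op)
```

Under this model, setting `rolePermissionsMultiOr` to anything other than "true" gives a user holding both wine roles the AND of two disjoint region lists, which matches no record.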
Custom
A custom security manager can be created when the default role-based data source security is insufficient for filtering data from Endeca Server. A custom security manager extends the com.endeca.portal.data.security.MDEXSecurityManager base class.