When a user submits a search query, that user’s security information is embedded in the query string and passed to the DRE. The DRE uses a security plug-in to validate that the user has permission to see the requested result set. To use the DRE this way, pass the following Windows arguments in the query:
user=<User Name> pass=<Password> domain=<Domain Name> group=<Group Name>
For example:
/qmethod=q&querytext=accountWindowsNTs&user= John&pass=111&domain=Global&grou=Admin,Developers
This example requires that the appropriate user security
information has been retrieved from the session before the query
is run.
The mandatory variable/value pairs vary according to the type of security implemented. Table C-1 shows the mandatory values for each security type.
Security type |
Unmapped |
Mapped |
|---|---|---|
Notes |
user: Notes user name group: comma-separated list of groups to which that user belongs domain: Notes domain name |
user: Notes user name group: comma-separated list of groups to which the user belongs |
ODBC |
Dependent on the stored function or procedure |
N/A |
Windows |
user: Windows user name pass: Windows password domain: Windows domain name |
user: Windows user name domain: Windows domain name group: comma-separated list of groups to which that user belongs |
Exchange |
user: Exchange user profile name domain: Exchange server domain name |
N/A |
UNIX |
N/A |
N/A |
Autonomy currently supplies the following security DLL plug-ins:
Unmapped |
Mapped |
|
|---|---|---|
Lotus Notes |
Y |
Y |
ODBC/Oracle |
Y |
N |
Windows |
Y |
Y |
Exchange |
Y |
Y |
UNIX |
N |
Y |
NDS |
N |
Y |
The DLLs act as plug-ins for the DRE. The DRE uses them when instructed to do so in the configuration file. The DRE goes through the following process:
On start-up, the DRE loads the DLLs.
When the DRE receives a query, it looks for the best matching results.
For each result, it calls the security DLL to find out if the requesting user has permission to see that document. If yes, then the document is shown; if no, then the document is not shown. The DRE makes sure that if n results are requested, the user can access the results for that many documents.
By default, results are calculated by absolute value
in the DRE; that is, a number not limited to 100. Generally, results
are returned as a percentage, ranging from 0 to 100. However, depending
on how a query is sent to the DRE, you may get the absolute value
instead; specifically, a value over 100.
The input parameters for the security DLL are:
User name, password, domain, group (passed from the front-end application)
Document reference (configured to be any structured field in the DRE)
Configure the DRE.CFG file the same way for all types of security, with specific values for certain settings. Add a security entry for the DRE database in DRE.CFG. For example:
[Databases] NUMDBS=1 0=ARCHIVE [ARCHIVE] Security=MySecuritySection
Add a Security=security_section entry
under the database name, which is “ARCHIVE” in
this example. The value of this entry is the name of the security
section, in this example [MySecuritySection].
[MySecuritySection] Library= Logging= Type= DebugDecrypt= ReferenceField= CacheMaxSize= CacheExpiryMinutes= HideField=
Table C-2 shows
the possible values for use in [MySecuritySection].
Entry |
Description |
Default |
|---|---|---|
Library |
The name of the DLL file to be used. This should be the name of the DLL supplied by Autonomy. |
Not specified. No security enabled. |
Logging |
For troubleshooting, set this value to 1 to write logging information into a file called security.log. Entries in this file show exactly what the DLL is doing. Once the system is configured properly, turn this setting off to avoid slowing it down. |
FALSE = 0 = NO |
Type |
The type of security you are using. Possible values are:
|
Not specified. No security enabled. |
DebugDecrypt |
Provides a finer grain of logging. Set to 1 to print the access control list (ACL) against which the DLL matches.This is recommended only for debugging because it is a security risk to have ACL information printed in a plain text file, and the DRE’s performance is hindered. This setting is in effect only when logging is set to 1.This setting is available only for the mapped version of the security plug-ins. |
FALSE = 0 = NO |
ReferenceField |
The field used to store the ACL against which the security entitlement is compared. You can specify alternative fields in this entry. For example, in the mapped version of the security modules, this entry is usually: ReferenceField=AUTONOMYMETADATA |
AUTONOMYMETADATA |
CacheMaxSize CacheExpiryMinutes |
The unmapped version of the DLLs can cache security information as it becomes available. The next time the same request is made, the results are returned faster.
|
1000 0 |
HideField |
If the value of ReferenceField is set to anything other than the DREREFERENCE, set the value of HideField to 1 so that the field is not shown in the results that the DRE sends back. This is primarily to be used when implementing mapped security, so that the encrypted ACLs are not shown as part of result sets.
|
FALSE = 0 = NO |
