Document Security

Security is often a key consideration for an organization. For many organizations, some or all document content is confidential, privileged, or otherwise restricted to authorized personnel.

At the same time, all content is more useful to the organization if it can be easily retrieved. With Knowledge Discovery, you can have a single searchable store that respects all your security requirements.

With Knowledge Discovery, you can index all your content, and still ensure that only permitted users can access the documents, or even see them in search results. Users need to search for data in only one place, and they always receive everything that they are allowed to see.

When you have secure content, your data storage repositories have access lists for documents. Document security can:

  • extract the access information from your documents.

  • authenticate users against your security repositories.

  • retrieve and store the security information for a user from your repositories.

  • compare user permissions to the document access restrictions to make sure that only authorized users can view a document.

When a user has no permissions to view a document, the document does not return in any search result list.

Extract Access Lists

In your repositories, documents have an Access Control List (ACL). This is an encrypted string that defines the security groups that can access the document.

When you Retrieve Content from repositories using connectors, the connectors extract the ACLs for the document as well as the document itself. This ACL data is stored in a document field. You configure the Content component with this ACL field, and it reads the security information for each document.

The ACL format can vary from repository to repository, but it always describes which users can access a document, often using security groups. It usually contains:

  • a list of users and groups that must never be allowed to access the document

  • a list of users and groups that must be allowed, unless they are in the not allowed list.

For some repositories the format might be very different.

User Authentication

You can create user accounts with the Community component, and use it to ensure that only authorized users can access your system. You can also combine user authentication in Community with a third-party security repository.

This user authentication allows you to combine your existing security with Knowledge Discovery.

Retrieve Security Information

In security repositories, you associate users with security groups, which define the permissions that a user has for different documents. Knowledge Discovery can retrieve this information from your repositories. The component that stores user and group information is OmniGroupServer.

When Knowledge Discovery has this information for a user, it generates an encrypted security information string. For subsequent actions that the user performs, it uses this security information to match document permissions.

Apply User Permissions

Knowledge Discovery matches the security information for authenticated users against the security information contained in your document ACLs.

When a user runs a query, the Content component matches the query against all content, and then checks the ACL for the document. If the user security information gives them permission to access a document, Content returns the document in the search results. If the user security information does not match the permissions required in the ACL, Content does not display that document in the results list.