Overview

This document describes an access control use case using an ACL query operator. This use case has two discrete record types: users and documents.


Access Control Fields

This access control model requires the following fields:

  • table - identify the record type (user or document)
  • acl - allowed acl entries
  • nacl - denied acl entries

Suggested Schema Configuration

This is the suggested configuration of the new fields in the AIE Schema.

...
  <schema type="search" name="default">
    <fields default-search-field="text">
      ...
      <field name="table" type="string" tokenize="false" indexed="true" stored="true" facet="false" sort="false" />
      <field name="acl"   type="string" tokenize="false" indexed="true" stored="true" facet="false" sort="false">
        <properties>
          <property name="join.cachePolicy" value="static"/>
        </properties>
      </field>
      <field name="nacl"  type="string" tokenize="false" indexed="true" stored="true" facet="false" sort="false">
        <properties>
          <property name="join.cachePolicy" value="static"/>
        </properties>
      </field>
      ...
    </fields>
  </schema>
...

This document also assumes that the userid field is defined in the schema (this is recommended).

It is recommended (but optional) to specify the join.cachePolicy property on the acl and nacl fields as specified above. This will result in caches for access control being reloaded at commit time and remaining in memory. This prevents searches from ever needing to load the cache, which improves query performance.

User Records

User records should have their access control fields populated as follows:

  • table field should be set to "user".
  • acl field should contain all groups the user is in, along with all document ids the user explicitly has access to.
  • nacl should contain all document ids the user is explicitly denied access to.

Example:

IngestDocument doc = new IngestDocument("user1");
doc.setField("userid", "1");
doc.setField("table", "user");

// User is in the "users" and "admin" groups, and is explicitly granted access to doc 8832
doc.setField("acl", "users", "admin", "doc8832");

// User is explicitly denied access to doc 9931
doc.setField("nacl", "doc9931");

// Populate other user specific fields and feed user record
// ...

You should prefix document IDs for user records with a special prefix (user in this example). This will prevent collision with document records in the event they otherwise have the same ID.

Document Records

Document records should have their access control fields populated as follows:

  • table field should be set to "document".
  • acl field should contain the document's id, and all groups the document is in.
  • nacl should contain the document's id.

Example:

IngestDocument doc = new IngestDocument("doc7134");
doc.setField("table", "document");

// Put document id in acl field to allow explicitly allowing a user access to this document
//  Also put this document in the "users" group
doc.setField("acl", "doc7134", "users");

// Put document id in nacl field to allow explicitly denying a user access to this document
doc.setField("nacl", "doc7134");

// Populate other document specific fields and feed the document record
// ...

You should prefix document IDs for document records with a special prefix (doc in this example). This will prevent collision with user records in the event they otherwise have the same ID.

Modifying Access Rights

The following operations for modifying access rights are available. Each operation requires either re-feeding the user record or the document record.

  • Add User To Group. Requires re-feeding the user record with the new group added to the acl field.
  • Remove User From Group. Requires re-feeding the user record with the group removed from the acl field.
  • Grant User Access To Document. Requires re-feeding the user record with the document's id added to the acl field and removed from the nacl field (if present there).
  • Deny User Access To Document. Requires re-feeding the user record with the document's id added to the nacl field and removed from the acl field (if present there).
  • Add Document To Group. Requires re-feeding the document record with the new group added to the acl field.
  • Remove Document From Group. Requires re-feeding the document record with the group removed from the acl field.
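
The grant and deny operations above, modelled in memory as an added example (not Attivio code; the class and method names are hypothetical). It assumes the ACL() filter returns a document when the user's and the document's acl fields share a value and their nacl fields share none.

```java
import java.util.*;

// Added illustration: an in-memory model of the page's acl/nacl fields.
// Class and method names are hypothetical; this is not the Attivio API.
public class AclModel {
    // Mirrors the acl and nacl fields of one user or document record.
    static final class Rec {
        final Set<String> acl = new TreeSet<>();
        final Set<String> nacl = new TreeSet<>();
        Rec(List<String> acl, List<String> nacl) {
            this.acl.addAll(acl);
            this.nacl.addAll(nacl);
        }
    }

    // Grant User Access To Document: add the id to acl, remove it from nacl.
    static void grant(Rec user, String docId) {
        user.acl.add(docId);
        user.nacl.remove(docId);
    }

    // Deny User Access To Document: add the id to nacl, remove it from acl.
    static void deny(Rec user, String docId) {
        user.nacl.add(docId);
        user.acl.remove(docId);
    }

    // Assumed filter semantics: visible when the acl fields share a value
    // and the nacl fields share none.
    static boolean visible(Rec user, Rec doc) {
        return !Collections.disjoint(user.acl, doc.acl)
            && Collections.disjoint(user.nacl, doc.nacl);
    }

    public static void main(String[] args) {
        // Constructed sample records following the page's examples.
        Rec user = new Rec(List.of("users", "admin", "doc8832"), List.of("doc9931"));
        Rec doc7134 = new Rec(List.of("doc7134", "users"), List.of("doc7134"));
        Rec doc9931 = new Rec(List.of("doc9931", "users"), List.of("doc9931"));

        System.out.println(visible(user, doc7134)); // group match, no deny entry
        System.out.println(visible(user, doc9931)); // group match, explicit deny
        deny(user, "doc7134");  // corresponds to re-feeding the user record
        System.out.println(visible(user, doc7134));
        grant(user, "doc9931"); // moves doc9931 from nacl to acl
        System.out.println(visible(user, doc9931));
        System.out.println(user.acl + " " + user.nacl);
    }
}
```

Both operations change only the user record, so no document record has to be re-fed, and the two fields never hold the same document id at once.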

Access Control Query Template

Once documents have been added to the system, you can issue queries with access control filtering. Access control queries must be specified using the ACL() query of the Advanced Query Language. These queries all follow the same template:

ACL(AND(table:document, <USER-QUERY>), FALSE(), AND(table:user, userid:<USERID>), allow="acl", deny="nacl")

It is also possible to insert a Simple Query Language query into the ACL() query, using the Advanced Query Language's QUERY() construct:

ACL(AND(table:document, QUERY("<USER-QUERY>", qlang="simple")), FALSE(),
    AND(table:user, userid:<USERID>), allow="acl", deny="nacl")

Example:

import com.attivio.model.QueryLanguages;
import com.attivio.model.query.Query;
import com.attivio.model.query.QueryString;
import com.attivio.model.query.Operator;
import com.attivio.model.query.Expression;
import com.attivio.model.query.Context;
import com.attivio.model.query.AccessControlQuery;
import com.attivio.model.query.JoinExpression;

String userId = "1";
String userQuery = "computer engineering";

// Create the search query
Query searchQuery = new Expression(Operator.AND,
                                   new Context("table", "document"),
                                   new QueryString(userQuery, QueryLanguages.SIMPLE));

// Create the user id query
Query principalQuery = new Expression(Operator.AND, new Context("table", "user"), new Context("userid", userId));

// Wrap together into access control query
AccessControlQuery aclQuery = new AccessControlQuery(searchQuery, principalQuery,
                                                     new JoinExpression("acl"),
                                                     new JoinExpression("nacl"));

// Create the QueryRequest
QueryRequest request = new QueryRequest(aclQuery);
// specify sorting, rows, etc
// ...

// Submit QueryRequest
// ...

// Process QueryResponse
// ...

Advanced Access Control Model

Another, more advanced access control model exists that does not require re-feeding document records for any access control change operations. This is accomplished by adding a "group" record type. Access control modifications become more complex, as do the queries for applying the access control rights. The benefit of this more advanced model is that potentially large documents do not need to be reprocessed in order to effect group changes, which can reduce the latency of access control changes and reduce the impact on document processing. Contact Attivio Professional Services if you wish to explore this possibility.
