Validating access at query time 

The seedlist SPIs allow all IBM Connections content to be crawled, including access-controlled content. You must take steps to ensure that the data is accessed by only those with the appropriate access privileges.

About this task

To complete the integration, your search engine must be able to establish the security tokens for each user when that user makes a search query. This topic details the SPIs available to independent search engines to retrieve user security tokens to facilitate searching over access-controlled content. Compare these tokens to the wplc:acl tokens that were retrieved in the crawled data to determine which content the querying user should be given access to.

Procedure

1. Before performing a search, send a GET request to the following resource to validate that people performing the search query have access to the content they are searching for.
   

   http://<servername>/<application>/seedlist/authverify/validateUser

   The validateUser details are as follows:

   application/xml
   ValidateUser = element validateuser {
             UserID
             Name
             Email
             Validated
        }
        UserID = element userid { text }
        Name = element name { text }
        Email = element email { text }
        Validated = element validated { "true" | "false" }

   
   

2. Send a GET request to the following resource to retrieve the access control tokens that are applicable to the person performing the search query so that secured documents can be returned in the seedlist response.
   

   http://<servername>/<application>/seedlist/authverify/getACLTokens

   Send this request to only one application and only send it one time for performance reasons.

   The getACLTokens call returns the same response from all IBM Connections applications except the Wikis application, which uses an additional internal access control model. When searching for content from all of IBM Connections content, retrieve the tokens from the Wikis application. If Wikis results are not required for the search query, then it does not matter which application you send the get request to, but you only need to send it to one application.

   The getACLTokens details are as follows:

   application/xml
        GroupsForUser = element groupsforuser {
            UserID
            GroupID*
        }
        UserID = element userid { text }
        GroupID = element groupid { text }

   Documents in the search index should be returned if any of the values returned from getACLTokens, such as the <userid> or <groupid> elements, match the values in the wplc:acl elements in the seedlist entries that were indexed at crawling time.
   

Results

To enable real-time accuracy on search results some search engines, such as IBM Omnifind Enterprise Edition, implement a post-processing step on search results to filter out documents that users have lost access to since the last crawl. This step is not currently supported for IBM Connections and crawling should be frequent enough to reduce the likelihood of false positive results being returned. The default indexing schedule of the IBM Connections search engine is to crawl all applications every 15 minutes.

Parent topic

Seedlist SPI

   

 

});

+

Search Tips   |   Advanced Search