Serving > Flexible Authorization

Use the Serving > Flexible Authorization page to perform the following tasks:
About Flexible Authorization

Flexible authorization gives you, as a search appliance administrator, more control over authorization by enabling you to:
You can perform these tasks by configuring flexible authorization rules. A flexible authorization rule defines:
Configuring Flexible Authorization Rules

You can configure rules for the authorization mechanisms described in the following table. For step-by-step procedures for configuring specific types of rules, see the sections listed in the table.
Flexible authorization rules for most mechanisms contain the following information:

Additionally, rules for the CONNECTOR and SAML authorization mechanisms contain mechanism-specific information. For more information, see the sections on adding rules for specific mechanisms.

URL Pattern

In authorization rules for any type of mechanism, you must supply a URL Pattern that identifies the protected content. The URL patterns that you supply on this page are the same as those used in policy ACLs. For information about constructing valid URL patterns for flexible authorization, see "URL Pattern to Protect" on the help page for Serving > Policy ACLs.

Authentication ID

Credential groups, as well as instances of authentication mechanisms, can provide session identities. By selecting the Authentication ID, you instruct the authorization mechanism to use a session identity from a specific credential group or instance of an authentication mechanism. In authorization rules for CONNECTOR, HEADREQUEST, or SAML, you can select an Authentication ID from the pull-down menu. This menu is populated with the credential group names and mechanism names that you, as the search appliance administrator, provide on the Serving > Universal Login page and the Serving > Universal Login Auth Mechanisms tabs. A Mechanism Name is a unique name for a particular authentication mechanism. If you don't select an authentication ID, the Default credential group is used.

Timeout

In authorization rules for CONNECTOR, HEADREQUEST, or SAML, you can optionally supply a Timeout value. This value is the time, in milliseconds, allowed for making a network connection. The default value is 3 seconds. If the search appliance does not make the network connection within the specified time, it abandons the attempt. Use this field to override the default timeout of 3 seconds.
How the Search Appliance Applies Rules

After the search appliance authenticates a user by establishing the user's identity, it attempts to determine whether the user has access to the secure content that matches her search. The search appliance performs authorization checks by applying flexible authorization rules in the order in which they appear in the authorization routing table on the Serving > Flexible Authorization page. Although you can configure the authorization routing table, Google recommends using the default setting, where the first rule in the table is for PER-URL ACLs. This setting provides the best authorization performance for a larger number of documents. Changing the order of the authorization rules in the table so that a rule for another mechanism is first might lead to slow authorization performance for a smaller number of documents. Google recommends always using the PER_URL_ACL mechanism with pattern "/" as the first rule, with or without late binding. For information about configuring the routing table, see Changing the Order of Flexible Authorization Rules.

Most of the supported authorization mechanisms are capable of returning one of three possible decisions for each URL:
Any given URL might match more than one flexible authorization rule. In this case, each associated mechanism in the list is applied in order until one of them returns a decision other than indeterminate. If all mechanisms return indeterminate, or no mechanism matches, the user is denied access to the URL. If a mechanism cannot handle a URL, it returns a decision of indeterminate.

Before Starting this Task

Before configuring flexible authorization, complete the tasks shown in the following table.
Enabling and Disabling Flexible Authorization

If flexible authorization is enabled, the search appliance's legacy authorization is disabled and authorization uses the security manager's authorization checker. If flexible authorization is disabled, the search appliance uses its legacy authorization. There is one exception: SMB URLs are handled only by the search appliance's legacy authorization. By default, flexible authorization is disabled. To enable flexible authorization, click Enable. To disable flexible authorization, click Disable.

Adding Flexible Authorization Rules

After you enable flexible authorization, you can add rules, as described in the following sections:
You can also enable late binding for policy ACLs and per-URL ACLs.

Adding a Cache Rule

Add a cache rule for a URL pattern for which you want the search appliance to check the cached results of a previous authorization. To add a cache rule:
Adding a Connector Rule

Add a connector rule for a URL pattern for which you want the search appliance to get a decision from the appropriate connector. To add a connector rule:
Adding a Deny Rule

Add a deny rule for a URL pattern for which you want to deny the user access. To add a deny rule:
Adding a Headrequest Rule

Add a headrequest rule for a URL pattern for which you want the search appliance to perform a HEAD request, using the credentials obtained for the user during serve authentication. To add a headrequest rule:
Adding a Policy Rule

Add a policy rule for a URL pattern that you want the search appliance to check by using policy ACLs. To add a policy rule:
Adding a SAML Rule

Add a SAML rule for a URL pattern for which you want the search appliance to send a SAML authorization request to the Policy Decision Point, using the identity obtained for the user during serve authentication. The Add Flexible Authorization Rule page for SAML contains a checkbox for using batched SAML authorization requests (Use batched SAML Authz requests). You can use batched SAML authorization requests only if your SAML provider supports the Google SAML batch authorization extension. If your SAML provider does not support the extension, do not use batched SAML authorization requests. To add a SAML rule:
Adding a Per-URL ACL Rule

To add a per-URL ACL rule:
Enabling Late Binding for Policy ACLs and Per-URL ACLs

In some instances, you might not want to use early binding for allow decisions, for example, if the policy ACLs or per-URL ACLs in the index don't reflect the latest changes. For situations like this, you can enable late binding for policy ACLs and per-URL ACLs. If you enable late binding for policy ACLs and per-URL ACLs, the search appliance accepts only deny decisions from these mechanisms. For allow and indeterminate decisions, the search appliance applies each subsequent associated mechanism in the list in order until one of them returns a decision other than indeterminate. To enable late binding for policy ACLs and per-URL ACLs:
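The rule walk described under "How the Search Appliance Applies Rules" and the late-binding change to it described above, as an added Python simulation that is not part of this help page or of the search appliance's own code. The URL matching (a plain prefix match, with "/" matching every URL), the indexed and live ACL tables and the HEADREQUEST stand-in are constructed assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Set


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    INDETERMINATE = "indeterminate"


# Constructed sample data: ACLs as stored in the index (possibly stale) and the
# content server's current ACLs, which a live mechanism such as HEADREQUEST sees.
INDEXED_ACLS: Dict[str, Set[str]] = {"intranet/hr/salaries.html": {"alice", "bob"}}
LIVE_ACLS: Dict[str, Set[str]] = {"intranet/hr/salaries.html": {"bob"}}  # alice revoked


def acl_decision(acls: Dict[str, Set[str]], user: str, url: str) -> Decision:
    """Allow or deny from an ACL table; indeterminate if the URL has no ACL."""
    if url not in acls:
        return Decision.INDETERMINATE
    return Decision.ALLOW if user in acls[url] else Decision.DENY


@dataclass
class Rule:
    mechanism: str              # "PER_URL_ACL", "POLICY", "HEADREQUEST", "DENY", ...
    url_pattern: str            # assumption: "/" matches everything, else a prefix match
    decide: Callable[[str, str], Decision]
    late_binding: bool = False  # only honoured for PER_URL_ACL and POLICY rules


def url_matches(pattern: str, url: str) -> bool:
    return pattern == "/" or url.startswith(pattern)


def authorize(rules: List[Rule], user: str, url: str) -> Decision:
    """Apply matching rules in routing-table order; the first allow or deny is final.
    Under late binding an ACL rule's allow is not final, so evaluation continues.
    If every rule is indeterminate, or no rule matches, the user is denied."""
    for rule in rules:
        if not url_matches(rule.url_pattern, url):
            continue
        d = rule.decide(user, url)
        late = rule.late_binding and rule.mechanism in ("PER_URL_ACL", "POLICY")
        if d == Decision.DENY or (d == Decision.ALLOW and not late):
            return d
    return Decision.DENY


def routing_table(late_binding: bool) -> List[Rule]:
    """Recommended shape: PER_URL_ACL with pattern "/" first, then a live check."""
    return [Rule("PER_URL_ACL", "/", lambda u, p: acl_decision(INDEXED_ACLS, u, p), late_binding),
            Rule("HEADREQUEST", "intranet/", lambda u, p: acl_decision(LIVE_ACLS, u, p))]
```

With early binding the stale indexed ACL still allows alice; with late binding her allow is not final and the live check denies her.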
Editing Flexible Authorization Rules

To edit a rule:
Changing the Order of Flexible Authorization Rules

To change the order of rules in the authorization routing table:
Deleting Flexible Authorization Rules

To delete a rule:
For More Information

For more information about flexible authorization, see "Managing Search for Controlled-Access Content," which is linked from the Google Search Appliance help center.
© Google Inc.