Serving > Flexible Authorization

Use the Serving > Flexible Authorization page to perform the following tasks:

  • Enable or disable flexible authorization
  • Add flexible authorization rules
  • Edit flexible authorization rules
  • Change the order of flexible authorization rules
  • Delete flexible authorization rules

About Flexible Authorization

Flexible authorization gives you, as a search appliance administrator, more control over authorization by enabling you to:

  • Specify authorization mechanisms in your environment
  • Customize which authorization mechanisms handle which URLs

You can perform these tasks by configuring flexible authorization rules. A flexible authorization rule defines:

  • The protected content to which the rule applies
  • An identity that maps the rule to a credential group or instance of an authentication mechanism
  • Information that is specific to the authorization mechanism

Configuring Flexible Authorization Rules

You can configure rules for the authorization mechanisms described in the following table. For step-by-step procedures for configuring specific types of rules, see the sections listed in the table.

Authorization Mechanism | Description | See Section
CACHE | For the specified URL pattern, the search appliance checks the cached results of a previous authorization. | Adding a Cache Rule
CONNECTOR | For the specified URL pattern, the search appliance passes the decision to the appropriate connector. | Adding a Connector Rule
DENY | For the specified URL pattern, the search appliance denies the user access to the URL. | Adding a Deny Rule
HEADREQUEST | For the specified URL pattern, the search appliance performs a HEAD request, using the credentials obtained for the user during serve authentication. | Adding a Headrequest Rule
POLICY | For the specified URL pattern, the search appliance checks the URL patterns in policy ACL rules against the URLs that are returned in the search results. | Adding a Policy Rule
SAML | For the specified URL pattern, the search appliance sends a SAML authorization request to the designated SAML authorization service. | Adding a SAML Rule
Per URL ACL | For the specified URL, the search appliance checks the per-URL ACL. | Adding a Per-URL ACL Rule

Flexible authorization rules for most mechanisms contain the following information:

  • URL Pattern
  • Authentication ID
  • Timeout

Rules for the CONNECTOR and SAML authorization mechanisms also contain mechanism-specific information. For more information, see the sections on adding rules for specific mechanisms.

URL Pattern

In authorization rules for any type of mechanism, you must supply a URL Pattern that identifies the protected content. The URL patterns that you supply on this page are the same as those used in policy ACLs. For information about constructing valid URL patterns for flexible authorization, see "URL Pattern to Protect" on the help page for Serving > Policy ACLs.

Authentication ID

Credential groups, as well as instances of authentication mechanisms, can provide session identities. By selecting the Authentication ID, you are instructing the authorization mechanism to use a session identity from a specific credential group or instance of an authentication mechanism.

In authorization rules for CONNECTOR, HEADREQUEST, or SAML, you can select an Authentication ID from the pull-down menu. This menu is populated with credential group names and mechanism names that you, as the search appliance administrator, provide by using the Serving > Universal Login page and the Serving > Universal Login Auth Mechanisms tabs. A Mechanism Name is a unique name for a particular authentication mechanism. If you don't select an authentication ID, the Default credential group is used.

Timeout

In authorization rules for CONNECTOR, HEADREQUEST, or SAML, you can optionally supply a Timeout value. This value indicates the time in milliseconds for making a network connection. The default value is 3 seconds. If the search appliance does not make the network connection in the specified time, it abandons the attempt. Use this field to override the default timeout of 3 seconds.
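As an added example (not code from the appliance or from Google), the following Python sketches what a HEADREQUEST rule with a Timeout amounts to: a HEAD request is sent to the protected URL carrying the user's credential, with a connection timeout given in milliseconds (3000 by default, matching the page's 3-second default), and the outcome is mapped to one of the three flexible authorization decisions. The status-to-decision mapping (2xx allow, 401/403 deny, anything else or a timeout indeterminate), the bearer-token credential and the local test server are all assumptions constructed for this example; the page does not specify them.

```python
import http.client
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

DEFAULT_TIMEOUT_MS = 3000  # the page's default of 3 seconds, expressed in milliseconds


def headrequest_decision(url, authorization=None, timeout_ms=DEFAULT_TIMEOUT_MS):
    """HEAD the URL with the user's credential and map the outcome to a decision.

    Assumed mapping (not stated on the help page): 2xx -> "allow",
    401/403 -> "deny", any other status, a timeout or a connection failure ->
    "indeterminate", so the next rule in the routing table gets to decide.
    """
    parts = urlsplit(url)
    headers = {"Authorization": authorization} if authorization else {}
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    # The timeout covers connecting and waiting for the response headers.
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80,
                                      timeout=timeout_ms / 1000.0)
    try:
        conn.request("HEAD", path, headers=headers)
        status = conn.getresponse().status
    except (socket.timeout, OSError):
        return "indeterminate"  # attempt abandoned after the timeout
    finally:
        conn.close()
    if 200 <= status < 300:
        return "allow"
    if status in (401, 403):
        return "deny"
    return "indeterminate"


class _ContentServer(BaseHTTPRequestHandler):
    """Constructed content server standing in for a protected web host:
    /public is open, /secret needs the user 'alice' bearer token, /slow stalls."""

    def do_HEAD(self):
        if self.path.startswith("/public"):
            status = 200
        elif self.path.startswith("/secret"):
            status = 200 if self.headers.get("Authorization") == "Bearer alice-token" else 403
        elif self.path.startswith("/slow"):
            time.sleep(1.0)  # longer than the caller's timeout in the demo below
            status = 200
        else:
            status = 404
        self.send_response(status)
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet


class _QuietServer(ThreadingHTTPServer):
    def handle_error(self, request, client_address):
        pass  # a client that timed out and closed its socket is expected here


def start_server():
    """Start the constructed server on a free loopback port; returns (server, base_url)."""
    srv = _QuietServer(("127.0.0.1", 0), _ContentServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_port


if __name__ == "__main__":
    srv, base = start_server()
    print("public   ->", headrequest_decision(base + "/public/faq"))
    print("alice    ->", headrequest_decision(base + "/secret/report", "Bearer alice-token"))
    print("mallory  ->", headrequest_decision(base + "/secret/report", "Bearer mallory-token"))
    print("missing  ->", headrequest_decision(base + "/missing"))
    print("slow     ->", headrequest_decision(base + "/slow", timeout_ms=200))
    srv.shutdown()
```

The point to take from the run is the last line: a content server that does not answer within the rule's timeout yields indeterminate rather than allow, so an unreachable host can never grant access on its own; whether the user ends up denied depends on what the later rules in the routing table return.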

How the Search Appliance Applies Rules

After the search appliance authenticates a user by establishing the user's identity, the search appliance attempts to determine whether a user has access to the secure content that matches her search. The search appliance performs authorization checks by applying flexible authorization rules in the order in which they appear in the authorization routing table on the Serving > Flexible Authorization page.

Although you can configure the authorization routing table, Google recommends using the default setting where the first rule in the table is for PER-URL ACLs. This setting provides the best authorization performance for a larger number of documents. Changing the order of the authorization rules in the table so that a rule for another mechanism is first might lead to slow authorization performance for a smaller number of documents. Google recommends always using the PER_URL_ACL mechanism with pattern "/" as the first rule, with or without late binding.

For information about configuring the routing table, see Changing the Order of Flexible Authorization Rules.

Most of the supported authorization mechanisms are capable of returning one of three possible decisions for each URL:

  • Allow--Allow the user access to the URL.
  • Deny--Deny the user access to the URL.
  • Indeterminate--A definitive answer could not be determined, so the search appliance applies the following rule in the ordered list of rules.

Any given URL might match more than one flexible authorization rule. In this case, each associated mechanism in the list is applied in order until one of them returns a decision other than indeterminate. If all mechanisms return indeterminate, or no rule matches, the user is denied access to the URL. If a mechanism cannot handle a URL, it returns a decision of indeterminate.

Before Starting this Task

Before configuring flexible authorization, complete the tasks shown in the following table.

Task | Description
Configure credential groups | Set up credential groups by using the Serving > Universal Login page.
Configure credential group rules for appropriate authentication mechanisms | Configure credential groups for authentication mechanisms that are supported in your environment by using the tabs on the Serving > Universal Login Auth Mechanism page.
(Optional) Configure Policy ACL rules | If you want to use policy ACLs for authorization, configure rules by using the Serving > Policy ACLs page.
(Optional) Configure a SAML Policy Decision Point (PDP) | If you want to use SAML authorization, configure a SAML PDP. If you are a user of the search appliance's legacy SAML authorization, you must convert all SAML SPI instances to SAML flexible authorization rules.

Enabling and Disabling Flexible Authorization

If flexible authorization is enabled, the search appliance legacy authorization is disabled and authorization uses the security manager's authorization checker. If flexible authorization is disabled, the search appliance uses its legacy authorization. However, there is one exception: SMB URLs, which are only handled by the search appliance's legacy authorization.

By default, flexible authorization is disabled. To enable flexible authorization, click Enable. To disable flexible authorization, click Disable.

Adding Flexible Authorization Rules

After you enable flexible authorization, you can add rules, as described in the following sections:

  • Adding a Cache Rule
  • Adding a Connector Rule
  • Adding a Deny Rule
  • Adding a Headrequest Rule
  • Adding a Policy Rule
  • Adding a SAML Rule
  • Adding a Per-URL ACL Rule

You can also enable late binding for policy ACLs and per-URL ACLs.

Adding a Cache Rule

Add a cache rule for a URL pattern for which you want the search appliance to check the cached results of a previous authorization.

To add a cache rule:

  1. Choose CACHE from the pull-down menu.
  2. Click Add another rule.
    The Add Flexible Authorization Rule page appears.
  3. In the URL Pattern field, type the URL pattern identifying the protected content.
  4. Click Save.

Adding a Connector Rule

Add a connector rule for a URL pattern for which you want the search appliance to get a decision from the appropriate connector.

To add a connector rule:

  1. Choose CONNECTOR from the pull-down menu.
  2. Click Add another rule.
    The Add Flexible Authorization Rule page appears.
  3. In the URL Pattern field, enter ^googleconnector://.
    For this URL pattern, the search appliance automatically extracts the Connector Name. If you enter any other URL pattern in this field, you must also supply a Connector Name.
  4. Select an Authentication ID from the pull-down menu or accept the Default credential group.
  5. If you want to override the default value of 3 seconds for making a network connection, enter the time in seconds in the Timeout field.
  6. If you entered ^googleconnector:// in the URL Pattern field, the connector name is chosen automatically during authorization.
  7. Click Save.

Adding a Deny Rule

Add a deny rule for a URL pattern for which you want to deny the user access.

To add a deny rule:

  1. Choose DENY from the pull-down menu.
  2. Click Add another rule.
    The Add Flexible Authorization Rule page appears.
  3. In the URL Pattern field, type the URL pattern identifying the protected content.
  4. Click Save.

Adding a Headrequest Rule

Add a headrequest rule for a URL pattern for which you want the search appliance to perform a HEAD request, using the credentials obtained for the user during serve authentication.

To add a headrequest rule:

  1. Choose HEADREQUEST from the pull-down menu.
  2. Click Add another rule.
    The Add Flexible Authorization Rule page appears.
  3. In the URL Pattern field, type the URL pattern identifying the protected content.
  4. Select an Authentication ID from the pull-down menu or accept the Default credential group.
  5. If you want to override the default value of 3 seconds for making a network connection, enter the time in seconds in the Timeout field.
  6. Click Save.

Adding a Policy Rule

Add a policy rule for a URL pattern for which you want the search appliance to check by using policy ACLs.

To add a policy rule:

  1. Choose POLICY from the pull-down menu.
  2. Click Add another rule.
    The Add Flexible Authorization Rule page appears.
  3. In the URL Pattern field, type the URL pattern identifying the protected content.
  4. Select an Authentication ID from the pull-down menu or accept the Default credential group. 
  5. Click Save.

Adding a SAML Rule

Add a SAML rule for a URL pattern for which you want the search appliance to send a SAML authorization request to the Policy Decision Point, using the identity obtained for the user during the serve authentication.

The Add Flexible Authorization Rule page for SAML contains a checkbox for using batched SAML authorization requests (Use batched SAML Authz requests). You can use batched SAML authorization requests only if your SAML provider supports the Google SAML batch authorization extension. If your SAML provider does not support the extension, do not use batched SAML authorization requests.

To add a SAML rule:

  1. Choose SAML from the pull-down menu.
  2. Click Add another rule.
    The Add Flexible Authorization Rule page appears.
  3. In the URL Pattern field, type the URL pattern identifying the protected content. 
  4. Select an Authentication ID from the pull-down menu or accept the Default credential group.
  5. If you want to override the default value of 3 seconds for making a network connection, enter the time in seconds in the Timeout field.
  6. In the Authorization service ID field, enter the Entity ID of the SAML server.
  7. In the Authorization service URL field, enter the URL of the service where the search appliance will send the SAML authorization query.
  8. Optionally, click Use batched SAML AuthZ requests.
  9. Click Save.

Adding a Per-URL ACL Rule

To add a per-URL ACL rule:

  1. Choose PER_URL_ACL from the pull-down menu.
  2. Click Add another rule.
    The Add Flexible Authorization Rule page appears.
  3. In the URL Pattern field, type the URL pattern identifying the protected content. 
  4. Select an Authentication ID from the pull-down menu or accept the Default credential group.
  5. Click Save.

Enabling Late Binding for Policy ACLs and Per-URL ACLs

In some instances, you might not want to use early binding for allow decisions, for example, if the policy ACLs or per-URL ACLs in the index don't reflect the latest changes. For situations like this, you can enable late binding for policy ACLs and per-URL ACLs.

If you enable late binding for policy ACLs and per-URL ACLs, the search appliance accepts deny decisions only for these mechanisms. For allow and indeterminate decisions, the search appliance applies each subsequent associated mechanism in the list in order until one of them returns a decision other than indeterminate.
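As an added example (not the appliance's own code), the following Python models the routing-table walk described in "How the Search Appliance Applies Rules" together with the late-binding behaviour above: rules are tried in table order, the first allow or deny wins, indeterminate falls through, and the user is denied if nothing decides. With late binding on, an allow from POLICY or PER_URL_ACL is discarded so that a stale indexed ACL cannot grant access by itself. The mechanism callbacks, the ACL tables and the user names are constructed stand-ins, and treating a URL Pattern as a regular expression searched against the URL is a simplifying assumption; the appliance's real pattern syntax is described on the Serving > Policy ACLs help page.

```python
import re
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    INDETERMINATE = "indeterminate"


# A mechanism is modelled as a callback (url, user) -> Decision.
Mechanism = Callable[[str, str], Decision]

# Mechanisms whose ALLOW is ignored when late binding is enabled (the page names
# policy ACLs and per-URL ACLs); every other mechanism keeps early binding.
LATE_BINDING_MECHANISMS = {"POLICY", "PER_URL_ACL"}


@dataclass
class Rule:
    mechanism: str               # e.g. "PER_URL_ACL", "HEADREQUEST", "DENY"
    url_pattern: str             # assumption: a regex searched in the URL
    authentication_id: str = "Default"

    def matches(self, url: str) -> bool:
        return re.search(self.url_pattern, url) is not None


def authorize(url: str, user: str, rules: List[Rule],
              mechanisms: Dict[str, Mechanism], late_binding: bool = False) -> Decision:
    """Walk the routing table top to bottom; the first non-indeterminate decision wins."""
    for rule in rules:
        if not rule.matches(url):
            continue                       # rule does not cover this URL
        handler = mechanisms.get(rule.mechanism)
        if handler is None:
            continue                       # unknown mechanism: treat as indeterminate
        decision = handler(url, user)
        if late_binding and rule.mechanism in LATE_BINDING_MECHANISMS \
                and decision is Decision.ALLOW:
            decision = Decision.INDETERMINATE   # only deny is accepted from these
        if decision is not Decision.INDETERMINATE:
            return decision
    return Decision.DENY                   # nothing decided: deny by default


# Constructed per-URL ACLs as indexed: the /reports/q3 entry is stale and still
# lists bob after his access was revoked at the content source.
PER_URL_ACL = {
    "http://intranet.example/reports/q3": {"alice", "bob"},
    "http://intranet.example/public/faq": {"alice", "bob", "carol"},
}
# Constructed "live" view, i.e. what a HEAD request with the user's credentials
# would reveal right now.
LIVE_ACCESS = {
    "http://intranet.example/reports/q3": {"alice"},
    "http://intranet.example/public/faq": {"alice", "bob", "carol"},
}


def per_url_acl(url: str, user: str) -> Decision:
    acl = PER_URL_ACL.get(url)
    if acl is None:
        return Decision.INDETERMINATE      # no ACL indexed for this URL
    return Decision.ALLOW if user in acl else Decision.DENY


def headrequest(url: str, user: str) -> Decision:
    live = LIVE_ACCESS.get(url)
    if live is None:
        return Decision.INDETERMINATE      # content server cannot tell us
    return Decision.ALLOW if user in live else Decision.DENY


def deny(url: str, user: str) -> Decision:
    return Decision.DENY


MECHANISMS: Dict[str, Mechanism] = {
    "PER_URL_ACL": per_url_acl, "HEADREQUEST": headrequest, "DENY": deny,
}

# Routing table in the order the page recommends: PER_URL_ACL with pattern "/" first.
ROUTING_TABLE = [
    Rule("PER_URL_ACL", "/"),
    Rule("HEADREQUEST", r"^http://intranet\.example/", authentication_id="corp-ldap"),
    Rule("DENY", r"^http://legacy\.example/"),
]

if __name__ == "__main__":
    q3 = "http://intranet.example/reports/q3"
    print("bob, early binding:", authorize(q3, "bob", ROUTING_TABLE, MECHANISMS).value)
    print("bob, late binding: ", authorize(q3, "bob", ROUTING_TABLE, MECHANISMS, True).value)
```

Run with early binding, bob is still allowed to the stale /reports/q3 entry because the first matching rule decides; with late binding the per-URL allow is set aside and the HEADREQUEST rule, which sees the current state of the content source, denies him. Any URL no rule can decide ends in deny, which is the safe default the page describes.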

To enable late binding for policy ACLs and per-URL ACLs:

  1. Click the Enable late binding for Policy and Per-Url-Acls checkbox.
  2. Click Save.

Editing Flexible Authorization Rules

To edit a rule:

  1. Click the Edit link next to the rule you want to edit.
  2. Make changes to the rule using the Edit Flexible Authorization Rule page.
  3. Click Save.

Changing the Order of Flexible Authorization Rules

To change the order of rules in the authorization routing table:

  1. Click the Move Up or Move Down link next to the rule that you want to move.
  2. Click Save Rules Order.

Deleting Flexible Authorization Rules

To delete a rule:

  1. Click the Delete link next to the rule you want to delete.
    A confirmation box appears.
  2. Click OK.

For More Information

For more information about flexible authorization, see "Managing Search for Controlled-Access Content," which is linked to the Google Search Appliance help center.

© Google Inc.