FS4SP security implementation

  • Question

  • We are going to convert SharePoint to FS4SP. In the existing system we have the groups and user rights in the database and expose the roles via some provider model (ASP.NET). That is, we have used a custom authorization scheme instead of AD groups.

    How can this be handled in FAST from a security perspective?
    Does the custom security implementation help?
    How does it perform authorization and authentication?
    What role does indexing play from a security perspective?
    How do we pass username and password credentials?


    Tuesday, June 21, 2011 3:41 AM

All replies

  • I assume that you want to protect your content so that users cannot search for documents they cannot access in the first place. If not, please elaborate.

    In FS4SP this aspect is governed by Fast Search Authorization (FSA) as outlined here: http://technet.microsoft.com/en-us/library/ff393751.aspx

    FS4SP does not perform authentication, but leaves that up to SharePoint (or any other application using the FAST Search server). What FSA does is filter out documents the user is not authorized to see. The standard SharePoint web parts have this built in.

    When documents are sent to FAST, an ACL is built for each document. The indexer sees this ACL as nothing more than a regular property, and it is indexed as such. The filter generated by FSA filters out documents based on the value in the ACL field.

    As far as I understand you might run into some trouble if your users and groups are not in AD. I don't think it is possible to build this ACL from anything other than Windows users/groups (or Lotus Notes users/groups using the Lotus Notes connector). If someone knows better, please reply!

    I have only found two possible solutions for users and groups not in AD:

    • Mirror your users and groups in AD.
    • Using a Custom Connector or a .NET Assembly Connector, extract the users/groups for each document and add this information as a managed property. Then, when a search is submitted by a user, use your own code to map the Windows user submitting the search to your custom users/groups and build a filter against this managed property.

    I am not a big fan of either of these solutions, as the first one seems messy and the second one is basically implementing your own version of FSA. If anyone has any other suggestions, I would really like to hear what they are!

    With regards,

    Gunnar

    Tuesday, June 21, 2011 11:23 AM
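
The second option in the reply above (index each document's principals as a property, map the searching Windows user to the custom roles, then filter on that property), modelled in Python as an added example that is not part of the thread and does not use any FS4SP API. The role store, principal strings, documents and function names are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed role store: Windows login (lower-cased) -> roles from the custom database.
CUSTOM_ROLES = {
    r"contoso\alice": {"role:finance", "role:staff"},
    r"contoso\bob": {"role:staff"},
}

@dataclass(frozen=True)
class Doc:
    doc_id: str
    text: str
    allow: frozenset               # principals granted read; stored at feed time
    deny: frozenset = frozenset()  # principals explicitly refused

# Constructed index: the ACL travels with each document as ordinary properties.
INDEX = [
    Doc("doc1", "Q3 budget forecast", frozenset({"role:finance"})),
    Doc("doc2", "Staff handbook and budget policy", frozenset({"role:staff"})),
    Doc("doc3", "Budget for the reorganisation", frozenset({"role:staff"}),
        frozenset({r"user:contoso\bob"})),
]

def principals_for(windows_user):
    """Map the already-authenticated Windows user to custom principals."""
    login = windows_user.lower()   # Windows account names are case-insensitive
    roles = CUSTOM_ROLES.get(login)
    if roles is None:
        return frozenset()         # unknown user: no principals, so nothing matches
    return frozenset(roles) | {"user:" + login}

def is_visible(doc, principals):
    """The security filter: deny wins, then at least one allow must match."""
    if doc.deny & principals:
        return False
    return bool(doc.allow & principals)

def search(term, windows_user):
    """Return ids of matching documents the user is allowed to see."""
    principals = principals_for(windows_user)
    return [d.doc_id for d in INDEX
            if term.lower() in d.text.lower() and is_visible(d, principals)]
```

Role membership is resolved at query time, so a change in the database applies to the next search, while a change to a document's allow or deny list applies only once that document is fed to the index again.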
  • Hi,

    Take a look at the FASTSearchSecurityXmlAliaser PowerShell cmdlets (http://technet.microsoft.com/en-us/library/ff393793.aspx). You should be able to create XML files mapping the AD credentials over to custom ones, though I haven't tested this myself. Basically it's the same mechanism as the Notes connector uses.

    Regards,
    Mikael Svenson 

     


    Search Enthusiast - MCTS SharePoint/WCF4/ASP.Net4
    http://techmikael.blogspot.com/
    Tuesday, June 21, 2011 1:59 PM
  • Hi,

    Yes, FASTSearchSecurityXmlAliaser would have been a part of a possible solution! But one problem is that you don't have any control over the user stores.

    There are two kinds of user stores, Claims and Lotus Notes. A Claims store is automatically created and hooked up to SharePoint when configuring FAST Search for SharePoint. The other is used by the Lotus Notes connector.

    The issue is that you cannot fill a Claims User Store with your custom users and groups. It was possible in SAM (my impression is that FSA is SAM without the kind of functionality that we discuss here), but I haven't found anything indicating that this is possible. You also probably want to configure how to add filters.

    This is an example of an aliaser configuration file: http://msdn.microsoft.com/en-us/library/ff387682(v=office.12).aspx. There are a lot of references to namespaces and classes in the namespace Microsoft.SharePoint.Search.Extended. I have found very little information regarding these. The namespace is also not mentioned here: http://msdn.microsoft.com/en-us/library/ff394416.aspx, which to me indicates that MS has not opened this up yet.

    I hope I am wrong (it would make my job a lot easier), so please comment if I am. Maybe it is possible, but just very badly documented. Alternatively I hope that MS opens this up.

    Regards,

    Gunnar

     


    Tuesday, June 21, 2011 2:40 PM
  • Could security aliaser be integrated with security in the database meaning user/group info stored at the record level?

     

    Monday, December 5, 2011 3:27 PM
  • FS4SP supports only Windows authentication. Also, it doesn't support the custom security trimming option. The only option in FS4SP is to feed the ACL along with the data/documents.

    If you have data at the database level and need to trim the results based on Windows security, use BCS to feed the data. BCS is Business Connectivity series, which helps to feed the data to FAST/SharePoint.


    Sriram S
    Wednesday, December 7, 2011 11:54 AM