Security trimming in SharePoint Search?

  • Question

  • Hello,

    I have a question related to search. Let's say there is a user who doesn't have permission on a particular document library, but when the user does a search, the documents from that document library should come up on the search result page; but when the user tries to open one from the search result page, the user shouldn't be able to, or a message should pop up saying the user doesn't have permission on this document?

    Is it possible?

    Thanks...
    • Edited by Mike Walsh FIN Tuesday, January 12, 2010 6:03 AM "Security trimming in" added to Title - "SharePoint Search" as a Title isn't useful in a post sent to the SharePoint - Search forum
    Monday, January 11, 2010 11:03 PM

All replies

  • Hi,

    Yes, it is the default behaviour of SharePoint search. Unfortunately, search results are not security trimmed. Therefore, if you search for something, even the documents you do not have the right to open will be displayed in the search results. But, if you try to open one of them, SharePoint will redirect you to the Access denied page.

    Regards,

    Djamel Chagour

    http://spbyexamples.blogspot.com/
    http://mosslogviewer.codeplex.com/
    • Marked as answer by Mike Walsh FIN Tuesday, January 12, 2010 6:02 AM
    • Unmarked as answer by abc67 Wednesday, January 13, 2010 9:14 PM
    Tuesday, January 12, 2010 2:00 AM
  • And this is because the content access account you specify will generally have permission to read and index all the documents.
    If the content access account specified doesn't have read permissions on the document, you may not be able to crawl it.

    Regards,
    Farhan
    Tuesday, January 12, 2010 3:14 AM
  • According to http://msdn.microsoft.com/en-us/library/aa981314.aspx , by default, Enterprise Search results are trimmed at query time, based on the identity of the user who submitted the query. When results are returned for a user's search, the Query engine performs an access check for the user's identity against the security descriptor stored in the content index for each item in the search results. The Query engine then removes any items in the search results that the user does not have access to, so that the user never sees these results.

     

    And according to http://msdn.microsoft.com/en-us/library/aa981559.aspx , search in Windows SharePoint Services 3.0 also supports default security trimming.

    So, you won’t see items you don’t have permission for in SharePoint search results. An exception is that items that are associated with a "keyword best bet" in SharePoint Server 2007 are displayed in the search results even though a user does not have permissions to access the items.

    • Proposed as answer by Djamel Chagour Wednesday, January 13, 2010 3:31 AM
    • Marked as answer by abc67 Wednesday, January 13, 2010 9:15 PM
    Tuesday, January 12, 2010 7:47 AM
  • Thank you very much for your help.
    Tuesday, January 12, 2010 9:48 PM
  • Thanks for your reply, but what do you think about the following KB article?

    http://support.microsoft.com/kb/923900

    All it says is: Items that are associated with a "keyword best bet" in SharePoint Server 2007 are displayed in the search results even though a user does not have permissions to access the items.

    Thanks..

    Tuesday, January 12, 2010 9:51 PM
  • Hello,

    Thanks for your reply. I think search results are security trimmed, so if the user doesn't have the permission then that doc will not come up in the user's search. Let me know if I am wrong.

    Thanks,
    Tuesday, January 12, 2010 9:53 PM
  • Hi Vatdal67,

    Yes, GuYuming is right and you too: search results are security trimmed at query time. There are some situations where the results are not security trimmed, such as the one you mentioned about 'Keyword best bet'. Please read this post for more details: http://mikewalsh.bilsimser.com/PermaLink,guid,a47ee723-a0ac-43c1-b1cd-319e9631d492.aspx

    Another situation I've seen myself is about unpublished (draft) items. Draft items are by default not crawled because the crawler account has the 'Full read' permission, which does not let it see those items. However, if you raise the crawler account rights to crawl them, these items will be shown in search results even to users who are not supposed to see them. Of course, if they try to open them they will be denied access.

    Please unmark my previous post as answer so as not to mislead other visitors. I can't do it myself.

    Regards,

    Djamel Chagour

    http://spbyexamples.blogspot.com/
    http://mosslogviewer.codeplex.com/
    • Marked as answer by GuYuming Thursday, January 14, 2010 1:09 AM
    Wednesday, January 13, 2010 3:06 AM
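A simplified model of the behaviour described in the replies above (query-time trimming against the ACL stored in the index, the untrimmed "keyword best bet", and drafts crawled by an elevated content access account), added here as an illustration; it is not SharePoint code and not from any poster. All names and sample data are constructed, and the model assumes that draft visibility is enforced only when the item is opened, not in the ACL held by the index. The `audit` function is the check an administrator would want: which results a user is shown but cannot open.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Item:
    url: str
    text: str
    acl: frozenset          # principals with read access, as stored in the index
    is_draft: bool = False  # unpublished minor version

# Constructed sample content, not real data.
LIBRARY = [
    Item("/docs/plan.docx", "budget plan v1.0", frozenset({"readers", "editors"})),
    Item("/docs/plan-draft.docx", "budget plan v1.1", frozenset({"readers", "editors"}), True),
    Item("/hr/salaries.xlsx", "budget salaries", frozenset({"hr"})),
]
BEST_BETS = {"budget": ["/hr/salaries.xlsx"]}  # keyword -> promoted URLs

def crawl(library, crawler_sees_drafts=False):
    """Index what the content access account can read."""
    return [it for it in library if crawler_sees_drafts or not it.is_draft]

def search(index, best_bets, term, principals):
    """Query-time trimming against the stored ACL; best bets are not trimmed."""
    hits = [it.url for it in index
            if term in it.text.lower() and it.acl & principals]
    return list(best_bets.get(term, [])), hits

def can_open(item, principals, can_edit):
    """Open-time check: ACL, plus draft security (assumed: editors only)."""
    return bool(item.acl & principals) and (can_edit or not item.is_draft)

def audit(library, index, best_bets, term, principals, can_edit=False):
    """URLs that search shows to this user but that the user cannot open."""
    by_url = {it.url: it for it in library}
    bets, hits = search(index, best_bets, term, principals)
    return sorted(u for u in set(bets) | set(hits)
                  if not can_open(by_url[u], principals, can_edit))

if __name__ == "__main__":
    reader = frozenset({"readers"})
    print(audit(LIBRARY, crawl(LIBRARY), {}, "budget", reader))
    print(audit(LIBRARY, crawl(LIBRARY), BEST_BETS, "budget", reader))
    print(audit(LIBRARY, crawl(LIBRARY, True), {}, "budget", reader))
```

An empty audit result means trimming and open-time checks agree for that user; any URL it returns is a result whose title or summary is exposed to someone who cannot open the item.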
  • Thanks Djamel Chagour.
    Wednesday, January 13, 2010 9:19 PM
  • I am interested in search results on document libraries with version control.

    Typically the versions of interest are the most recent published version, and the most recent draft (if later than the most recent published version).

    Imagine the scenario where there's a v1.0 and a v1.1.

    From my experiments it appears I can either have the v1.1 showing in search results, and the user (read rights) see the draft document content (when they shouldn't), or the document doesn't show in the search results *at all* unless the very latest version happens to be the published version.

    I would like the user (read rights) to find the latest published version, no matter whether there is a later draft version in the pipeline.  Surely SP2010 does this(!!?!).

    My configuration is:
    Enterprise Search (not FAST)
    crawler account Full Read rights (through web app policy)
    library has version control (major and minor, require approval, draft item security - only users who can edit items)

    I wonder how many document versions search keeps in its index - it appears just one.

    Thanks
    Martin

    Thursday, December 2, 2010 10:47 AM
  • It's understood that SharePoint does not display the result since the user has no access.

    Many customers are asking that at least some hints should be displayed to users, so they can send an access request, if it's really justified.

    E.g. the non-accessible result in gray color with all links disabled and only a "request access" link,

    or display a summary of how many search results are ignored due to lack of permission.

    What do you propose for this?

     

    Saturday, December 10, 2011 11:45 AM