Summary

This article describes Document Level Security (integration of file access permissions), enumerates advantages of implementing Coveo Enterprise Search and explains how to avoid security problems.

Description

Coveo Enterprise Search offers full support of file access permissions, including local and Exchange groups, for system files (NTFS and NFS), emails (Exchange server), SharePoint, Lotus Notes and Web files (HTTP) hosted on the network. When the File crawler scans the documents of a Local/Network file source, it extracts the security access rights of every document. Similarly, when the MAPI crawler scans the documents of an Exchange server source, it extracts the security access rights of every folder. SharePoint crawler can extract access rights for all SharePoint content. Web crawlers also have access to security settings of Web documents if their corresponding folders on the network file servers were specified in the Administrator Tool. The Security IDs (SID) of granted and denied users and groups are stored in the index for further references. This includes domain users, domain groups, local groups, Exchange groups and standard groups like Everyone, Authenticated Users or Administrators.

Novell Netware and Lotus Notes a re a bit different, as indexing of their content does not yields Active Directory accounts but account from their respective security model. These accounts are stored in Coveo's security cache and each one of them must be set a corresponding Active Directory account.

Upon querying, the security attributes of the user submitting the query are matched against the security access rights of each document that satisfies the query. Only the documents that the user may access (according to his security attributes) will be returned in the search results list.

Local and Exchange Groups

The security token of the user that performs the query contains only the global groups (local groups are also included if the user performs the query from the computer where Coveo Enterprise Search is installed). Hence, Coveo Enterprise Search must be able to add the security attributes from other local computers to the user security attributes in order to return all accessible documents.

Documents are added to the index along with their security attributes. When a local security attribute is found, it is expanded and added to the security cache in Coveo Enterprise Search. The expansion consists in retrieving the list of valid users for the local or Exchange group and adding it to the local or Exchange group cache. Then, when a query is performed, the user’s security attributes are scanned and the cache's local attributes that matches the user's are added to the list. Here is an example:

The query is executed using the following securities:

· XYZDomain\John

· XYZDomain\Manager

· Everyone

· XYZMachine2\LocalGroup

· XYZExchange\MailingList

Expanding the local/Exchange groups can take some time. Thus, the expansion is kept in the cache. When modifications are made to the local/Exchange groups, Coveo Enterprise Search will not be aware of them until the cache is refreshed. By default, Coveo Enterprise Search runs a schedule that updates the security cache every day at 12:00 am. Nonetheless, the content manager can force the update of the security cache by clicking the Update Cache Now in the Status > Details page of the Administration Tool.

Novell Netware and Lotus Notes Users and Groups

Documents from Novell Netware and Lotus Notes repositories are stored in Coveo's index with the list of Novell or Notes user that are granted or denied access. Because the user that performs the query is authenticated by Window's Active Directory, his security token cannot match any stored Novell/Notes security token. The Administration Tool's Configuration/Security Details page displays all Novell/Notes users found in documents' security access rights. It allows the administrator to specify a list of Active Directory users for each Novell/Notes user. With that information in hand, Coveo can display Notes/Lotus documents to Active Directory users.

Advantages

The support of Document Level Security has many advantages:

· No extra security management is necessary because the file system’s access permission is reflected in the index;

· Secure indexing of sensitive data;

· Support of local groups;

· When enabled, the File Monitoring detects file access permission modifications and updates the index immediately;

· If it is not required, the Document Level Security can be disabled to optimize indexing performances and reduce disk space usage.

Possible Security Problems

A content manager who needs to index sensitive data should be careful with security management. Here are a few tips to avoid security problems.

Make sure the Local/Exchange Groups cache is up to date

Local and Exchange groups are cached to optimize performance. However, a cache that contains obsolete information may cause security problems. For example, the user U is a member of the group G. Group G has access rights to the file F. Even if the network administrator removes the user U from group G, user U will still see file F in his query results. As long as the cache is not updated, user U will still be a member of group G (from the point of view of the index).

Avoid files and folders without permission inheritance

When a user explores a file system with Windows Explorer, he will be blocked as soon as a folder access right denies him access. As a result, the user can not access any file in this folder, even if a file access right gives him access to the given file.

The index contains access rights for every file. If the inheritance is turned off, a user could be denied access to a folder but granted access to a file. In this case, a user who queries the index will receive documents that he should not see in his result set.

Consider this scenario: A user is denied access to a given folder. In this folder, there is a file that does not inherit its parent permissions, thus allowing the user to access it. From the user's point of view, the file is not accessible as most users access files through folders.

While this is not a security failure, it can be confusing when the folder is indexed because Coveo Enterprise Search indexes individual file access permissions. Therefore, the file described above will be shown in the search results list, although the user does not have access to the folder that contains this file.

Last Reviewed	2006/04/01
Keywords	Document level security, Local / Exchange Server groups cache