Admin Console Help
Search > Secure Search > Policy ACLs

Use the Search > Secure Search > Policy ACLs page to perform the following tasks:

  • Adding a policy ACL
  • Editing a policy ACL
  • Deleting a policy ACL
  • Importing a configuration file
  • Searching policy ACLs
  • Exporting search results

What Is a Policy ACL?

A policy ACL (access control list) provides information (called rules) to the Google Search Appliance about which users or groups have access to a specific URL.

By specifying policy ACLs on a search appliance, you can speed up authorization and reduce the load on your authorization servers: the appliance answers the authorization question from its own rules instead of sending a HEAD request to the remote authorization server for each result it needs to check.

Policy ACLs typically store the result that a HEAD request to the content server would have returned. However, a policy ACL can also override the decision that a HEAD request would return. For example, suppose you add a policy ACL rule that permits a group to see all documents at a URL, while the source repository (the target of the HEAD request) has a finer-grained rule that allows only some members of the group to view those documents. With the policy ACL in place, everyone in the group sees the documents in the search results, but only the members with permission can successfully open the links. Keep this in mind when you write rules: a policy ACL that is broader than the repository's own permissions discloses the existence of documents, together with their result titles and snippets, to users who cannot open them. Unless that disclosure is acceptable, make the policy ACL at least as restrictive as the repository's permissions.

Policy ACLs require that you use an authentication method to establish the identity of the user or group that you specify in the Policy ACL rules.

A policy ACL rule has two parts: a URL pattern to protect, and the users or groups that are allowed to view URLs matching that pattern. Both parts are described below.

For example, suppose the eng (engineering) group is the only one permitted to view all documents in example.com/engsite. You can add the following policy ACL rule:

example.com/engsite group:eng

When a search appliance executes a search, it attempts to match the URLs it retrieves from the index against the policy ACL and per-URL ACL rules. If a URL in the search results matches the pattern of an ACL rule, the search appliance applies that rule. If no rule matches the URL, or the matching rule lists neither the user's ID nor any of the user's groups, the user is denied access to the document.

URL Pattern to Protect

You can specify a URL pattern to which you want to limit access. When a user performs a search query, the user can see results that match this URL pattern only if you list the user as an allowed user or the user is a member of an allowed group.

If more than one policy ACL rule matches a URL, the search appliance chooses the best match, in the following order of precedence:

  1. Exact-Match URL Rules
  2. Forward slash "/" pattern
  3. Coarse-Grained Rules

Exact-Match URL Rules

If there is an exact-match URL pattern, it is the best match. An exact-match URL pattern begins with a caret (^) and ends with a dollar sign ($). The following example shows an exact-match URL pattern:

^http://www.example.com/mypage.html$

Coarse-Grained Rules

Rules that match for prefix or general URL patterns.

Prefix Patterns

If one or more prefix patterns match, the one with the longest prefix is the best match. A prefix pattern specifies a (possibly partial) domain and a prefix of the path portion of the URL. The general format of a prefix pattern is:

<domain>/<prefix>

The following examples show prefix patterns:

sales.example.com/products/

sales.example.com/products/mypage.html

sales.example.com/

General URL Patterns

If the only matching URL patterns are general patterns, the best match is undefined: the search appliance chooses one of them, and which one it chooses is not specified. Do not rely on two overlapping general patterns to produce a predictable decision; when the choice matters, use an exact-match or prefix pattern instead. A general URL pattern is any pattern other than an exact-match pattern or a prefix pattern.

Examples of general URL patterns are:

Example                  Description
*.doc                    A suffix pattern; matches any URL that ends with .doc.
contains:product         Matches any URL that contains the string "product". The string can appear in the host name (such as myproduct.com) or elsewhere in the URL, and doesn't have to be a whole word.
regexp:sid=[0-9A-Z]+/    The URL must contain a URL parameter sid= followed by one or more characters, each of which is a digit or a capital letter (the plus sign means one or more).

Allowed Users or Groups

A policy ACL rule lists each user's or group's login ID. The user who entered the search is permitted to view the URL result if either of the following conditions is true:

  • The current user's name is one of the user names listed in the rule
  • The current user is a member of one of the groups listed

Otherwise, the user is denied permission to view the URL. The URL does not appear in the search results.

Determining Group Membership

To determine which groups a user belongs to, the search appliance uses one or both of the following mechanisms:

  • Using LDAP

    If the Google Search Appliance is configured to use LDAP, then the search appliance gets group memberships from the LDAP server. To configure LDAP for a search appliance, use the Administration > LDAP Setup page.

  • Using a groups database

You can import a list of groups, together with the membership list of each group, by using the Google Data API.

If a groups database is present, the search appliance uses it to determine a user's group membership. You can also use both mechanisms together, in which case the search appliance takes the union of the group memberships reported by both sources.

Adding a Policy ACL

The search appliance reserves an "everyone" group with the following attributes:

  • namespace: "Default"
  • case-sensitivity-type: "EVERYTHING_CASE_SENSITIVE"
  • scope "GROUP"

Note that you cannot create a policy ACL with the "everyone" group.

To add a policy ACL:

  1. Click Search > Secure Search > Policy ACLs.
  2. In the URL Patterns field, type the pattern of the URL you want to restrict.
  3. Click Create New Policy ACLs.
  4. Under Principal Name, type the name of a user or group that is permitted to view the URL.
  5. Click the appropriate Principal Type (User or Group).
  6. Enter a valid domain name in the Domain box.
  7. In the Namespace/Credential Group box, accept the default namespace/credential group for the principal or type a different namespace/credential group.
  8. If the principal name and domain are case sensitive, click the Case Sensitive? checkbox.
  9. Click Save.

To navigate to the previous page, click the Back to Policy ACL list link.

Note: The order that you specify users or groups is not significant. When you click Save, the search appliance sorts the principal names into groups then users.

Editing a Policy ACL

To edit a policy ACL:

  1. Click Search > Secure Search > Policy ACLs.
  2. Click the Edit link next to the policy ACL you want to edit.
  3. Make changes to the policy ACL.
  4. Click Save.

Deleting a Policy ACL

To delete a policy ACL:

  1. Click Search > Secure Search > Policy ACLs.
  2. Click the Delete link next to the policy ACL you want to delete.

Importing a Configuration File

You can import a text file that contains policy ACL rules. The file you import overwrites all existing policy ACL rules.

Note: If you have already defined policy ACL rules, back them up before importing a configuration file: search for All Rules with an empty Policy pattern field, then click Export Search Results. The exported file is in the same format as a configuration file that you can import, so you can restore the rules by importing it.

The format of each rule in the file is:

url_pattern allowed_user_or_group

Each line of the file must contain exactly one URL pattern followed by one or more principals: users are denoted by the user: prefix and groups by the group: prefix, as shown in the following example:

example.com/docsite user:jane user:sue user:wilson group:chicagodoc group:texasdoc
mycompany.com/engsite group:eng
mycompany.com/salessite group:sales user:yvette
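The following Python is an added example, not code from the Google Search Appliance or its documentation. It parses rule lines in the import-file format shown above, applies the best-match precedence described under "URL Pattern to Protect" (exact match, then the longest matching prefix, then a general pattern), and makes the allow/deny decision described under "Allowed Users or Groups"; the best-match function is also what the Find Rules for URL search later on this page reports. The sample rules and URLs are constructed for the example. The handling of partial domains (a prefix pattern's domain matches the host or any subdomain of it), the support for only leading-asterisk suffix wildcards, and the rejection of the reserved "everyone" group at parse time are assumptions made here, not documented appliance behaviour.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Rule:
    pattern: str
    users: frozenset
    groups: frozenset


def parse_rules(text: str) -> list:
    """Parse 'url_pattern user:a group:b ...' lines into Rule objects.

    Malformed lines raise ValueError rather than being silently skipped, so a
    bad import cannot quietly leave a URL pattern unprotected or over-shared.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        pattern, *principals = line.split()
        if not principals:
            raise ValueError(f"line {lineno}: no principals for {pattern}")
        users, groups = set(), set()
        for p in principals:
            kind, sep, name = p.partition(":")
            if not sep or not name or kind not in ("user", "group"):
                raise ValueError(f"line {lineno}: bad principal {p!r}")
            if kind == "group" and name == "everyone":
                # Assumption: reject the reserved group up front, since the page
                # says a policy ACL cannot be created with the "everyone" group.
                raise ValueError(f"line {lineno}: reserved group 'everyone' not allowed")
            (users if kind == "user" else groups).add(name)
        rules.append(Rule(pattern, frozenset(users), frozenset(groups)))
    return rules


def kind_of(pattern: str) -> str:
    """Classify a pattern as 'exact', 'prefix' or 'general' per this page."""
    if pattern.startswith("^") and pattern.endswith("$"):
        return "exact"
    if pattern.startswith(("contains:", "regexp:")) or "*" in pattern:
        return "general"
    return "prefix"


def matches(rule: Rule, url: str) -> bool:
    p, kind = rule.pattern, kind_of(rule.pattern)
    if kind == "exact":
        return url == p[1:-1]
    if kind == "prefix":
        # Assumption: the domain part matches the host or any subdomain of it,
        # and the part after the first "/" is a literal prefix of the URL path.
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        domain, _, prefix = p.partition("/")
        domain = domain.lower()
        host_ok = host == domain or host.endswith("." + domain)
        return host_ok and parts.path.startswith("/" + prefix)
    if p.startswith("contains:"):
        return p[len("contains:"):] in url
    if p.startswith("regexp:"):
        return re.search(p[len("regexp:"):], url) is not None
    # Assumption: only suffix wildcards such as *.doc are supported here.
    return url.endswith(p.lstrip("*"))


def best_match(rules: list, url: str):
    """Return (rule, ambiguous) using the page's precedence.

    Exact match beats prefix (longest prefix wins) beats general. Among general
    patterns the page says the choice is undefined, so the first in file order
    is taken and ambiguous=True flags that the real appliance might pick another.
    """
    hits = [r for r in rules if matches(r, url)]
    exact = [r for r in hits if kind_of(r.pattern) == "exact"]
    if exact:
        return exact[0], False
    prefixes = [r for r in hits if kind_of(r.pattern) == "prefix"]
    if prefixes:
        return max(prefixes, key=lambda r: len(r.pattern)), False
    general = [r for r in hits if kind_of(r.pattern) == "general"]
    if general:
        return general[0], len(general) > 1
    return None, False


def is_allowed(rules: list, url: str, user: str, user_groups) -> bool:
    """Deny when no rule matches; otherwise allow if the user or a group is listed."""
    rule, _ = best_match(rules, url)
    if rule is None:
        return False
    return user in rule.users or bool(rule.groups & frozenset(user_groups))


# Constructed sample rule file in the import format described on this page.
SAMPLE_RULES = """\
^http://www.example.com/mypage.html$ user:jane
sales.example.com/products/ group:sales
sales.example.com/ group:staff
*.doc group:eng
contains:product group:marketing
"""
RULES = parse_rules(SAMPLE_RULES)

if __name__ == "__main__":
    for url in ("http://www.example.com/mypage.html",
                "http://sales.example.com/products/spec.doc",
                "http://intranet.example.com/product.doc"):
        rule, ambiguous = best_match(RULES, url)
        print(url, "->", rule.pattern if rule else None, "(ambiguous)" if ambiguous else "")
```

Running the block shows the three precedence cases: the exact-match rule wins for mypage.html, the longer prefix sales.example.com/products/ beats sales.example.com/ (and the general *.doc and contains:product patterns that also match) for the spec.doc URL, and the intranet product.doc URL is matched only by two general patterns, so the result is flagged as ambiguous, which is exactly the situation the page warns has no defined best match.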

To import a file that contains policy ACLs:

  1. Under Import a Configuration File, click Browse.
  2. Select the file.
  3. Click Open.
  4. Click Import.

Importing and Updating Policy ACLs from an Earlier Release

If you want to use policy ACLs from search appliance release 6.8, 6.10, 6.12, or 6.14 in release 7.0, you must import the configuration file from the earlier release and update each policy ACL to the new format.

To import and update policy ACLs:

  1. Import the policy ACLs from the earlier release as described in "Importing a Configuration File."
  2. For each imported policy ACL, click the Edit link under Matching URL Patterns.
    Observe that Principal Name and Principal Type are imported correctly and that default values are added for the Domain, Namespace/Credential Group, and Case Sensitive?.
  3. Update Domain, Namespace/Credential Group, and Case Sensitive? as appropriate for the policy ACL.
  4. Click Save.

Searching Policy ACLs

You can perform the following two types of searches from the Policy pattern field on the Search > Secure Search > Policy ACLs page:

  • All Rules or Exact-match Rules or Coarse-grained Rules

    Display rules by their type: all rules that pass the filter you choose, or only those that contain the text you type in the Policy pattern field. Click Search to list the rules; they are displayed in alphabetical order by rule name. The rule filters are as follows:

    • All Rules -- List all rules or those that contain the text you specify in the Policy pattern field.
    • Exact-match Rules -- List all exact-match rules or those exact-match rules that contain the text you specify in the Policy pattern field. An exact-match URL pattern begins with a caret (^) and ends with a dollar sign ($).
    • Coarse-grained Rules -- List all coarse-grained rules or those coarse-grained rules that contain the text you specify in the Policy pattern field.

  • Find Rules for URL

    Provide a URL, and all the rules that match it are displayed. This search tells you which patterns match a given URL and therefore which rule applies to it. Enter a URL in the Policy pattern field, choose Find Rules for URL, and click Search. The rules are displayed in best-match order: the first rule listed is the best match and the only rule the search appliance applies. This is useful when two rules match a URL and you want to confirm which one takes effect.

Search results appear under Matching URL Patterns.

Exporting Search Results

After you search policy ACLs, you can export the search results as a Protocol Buffer-based file. To export search results, click Export Search Results.

Related Tasks

You can also add policy ACLs by using the following mechanisms:

  • Policy ACL Google Data API--Use this API to add policy ACLs programmatically to the search appliance.
  • Feeds --Use feeds to supply policy ACLs with exact-match patterns along with content and metadata.

For More Information

For more information about URL patterns, see "Constructing URL Patterns" in "Administering Crawl." For information about using feeds, see "Feeds Protocol Developer's Guide." Both of these documents are linked to the Google Search Appliance help center.

For more information about the Policy ACL Google Data API, see the documentation on the Google Search Appliance help center.


 
© Google Inc.