
Security in CES

Group Expansion

In most systems, security is defined in terms of groups and users. A group contains users, and users are members of one or more groups. For each object to secure (a file for example), access is only granted to members of specific groups or certain users directly. The security on the object is defined by setting a list of groups and/or users.

In CES, security on documents is also defined by the concept of groups and users. Expanding a group means determining the list of users who are members of that group.

Security on Each Document

When documents are indexed using CES, the list of allowed and denied users/groups is saved in order to determine who can access the documents.

Hence, when a user performs a search query, CES returns only the documents that user has access to. If the security for a given document is set using a group, CES checks whether the user is a member of that group.

The denied list always takes precedence over the allowed list. For example, if a user is a member of group C, and group C is in the denied list for a given document, the user cannot see that document even if they are also in the allowed list for it. Similarly, if a user is a member of groups A and B, and group B is in the denied list for a given document, the user cannot see that document even if group A is in the allowed list.
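The following is an added illustration of the deny-over-allow rule and of group expansion; it is not CES product code. The group membership table stands in for the security cache and is constructed for the example, as are the user and group names.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the security cache: group name -> set of member logins.
# All names here are hypothetical and not taken from any real directory.
SECURITY_CACHE = {
    "GroupA": {"alice", "bob"},
    "GroupB": {"bob", "carol"},
    "GroupC": {"dave"},
}


@dataclass
class DocumentSecurity:
    """Allowed and denied principals saved with an indexed document."""
    allowed: set          # group names and/or user logins
    denied: set = field(default_factory=set)


def expand_group(group, cache=SECURITY_CACHE):
    """Group expansion: the set of users who are members of `group`."""
    return set(cache.get(group, ()))


def principals_for(user, cache=SECURITY_CACHE):
    """The reverse lookup: the user's own login plus every group the user belongs to."""
    groups = {g for g, members in cache.items() if user in members}
    return {user} | groups


def can_access(user, doc, cache=SECURITY_CACHE):
    """Deny always wins: one denied principal blocks access even if another one is allowed."""
    principals = principals_for(user, cache)
    if principals & doc.denied:
        return False
    return bool(principals & doc.allowed)


if __name__ == "__main__":
    # bob is in GroupA and GroupB; GroupB is denied, so GroupA being allowed does not help.
    doc = DocumentSecurity(allowed={"GroupA"}, denied={"GroupB"})
    print(can_access("bob", doc), can_access("alice", doc))  # False True
```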

The Security Cache

In order to quickly determine the users who are members of a group, and vice versa, CES keeps the results of group expansions in a local cache called the File Security Cache. The group expansion process runs asynchronously: the cache is refreshed every night to reflect changes made in Active Directory in the meantime (e.g., users added to or removed from groups).

For certain external security providers, a mapping between each external user identity and a Windows (Active Directory) identity is specified. The File Security Cache also keeps that mapping. When such a mapping exists, users do not have to log in manually using the login page of the Search page: the authentication process between the browser and the Web server (e.g., NTLM or Kerberos) identifies the user automatically and, by using the mapping between external and Windows logins, CES grants access to the documents protected by the external security provider. However, if no mapping exists, users have to log in manually using the login page.