…how to enable searching securely in 3rd-party content sources with custom security models
TRANSCRIPT
Security Trimming for Search in SharePoint 2013 Morgan Larsson Sveinar Rasmussen(Senior PM) (Principal SDE)
SPC049
• …how to enable searching securely in 3rd-party content sources with custom security models
Today you’re going to learn…
Topic: Security in Search
• Authentication• Identifying who
• Authorization• Define access policy• Once we know who,
determine type of access
• Documentum Content Server
Security is hard... Why?
• Different security model• Map user permission model• Enforce TCS (Trusted Content
Services)
• Problems that we will help you solve.• Enable your custom database contents in
SharePoint search
Takeaway #1
• Security Trimmers Toolbox
Takeaway #2
COMPLEXSIMPLER
BEFORE
COMPLEXSIMPLER
AFTER
Early Binding
Concepts of Secure Search
Keys to unlock
Word/Term Lookup
Late Binding
SharePoint 2013 Search Architecture
SearchAdmin
Content UXCrawl
ContentProcessing Index
QueryProcessing WFE
API
AnalyticsProcessing
Crawl
Search Admin
Link
Analytics Reporting
FAST Search Index
CustomConnectors
Public API
Unit of scale/role boundary
Extensibility Points
Search Architecture: Content feeding
Content Crawl
ContentProcessing
CustomConnectors
..
.Crawl
CustomConnectors
BCS
Documentum
ACME XML Connector
Your Connector
SharePoint 2013 Search Architecture
SearchAdmin
Content UXCrawl
ContentProcessing Index
QueryProcessing WFE
API
AnalyticsProcessing
Crawl
Search Admin
Link
Analytics Reporting
FAST Search Index
CustomConnectors
Public API
Unit of scale/role boundary
Extensibility Points
QueryProcessing
Query +Claims set
Result set
Search Architecture: Query evaluation
UXQueryProcessing WFE
API
STS
IND
EX
Early binding(Pre trimming)
Late binding(Post trimming)
Demo: Searching Securely in a 3rd-Party Document Source
Security models: Strategy
Hierarchical
Allow/Deny
Dynamic
Pre-trimming
Post-trimming
Pre&Post-trimming
Models Tools
Demo: Post-Trimmer Implementationand Deployment
• ISecurityTrimmer2• ISecurityTrimmerPost
• CheckAccess(…)
Trimmers and compatibility
Time to choose solution?
Pros
Index latency
Cons
Query latencyRefiner counts
Cons
Index latency
Pros
Query latencyRefiner counts
Late binding Early binding
1. Design2. Deployment3. Registration4. Explain Source Code5. Trimmer Action!
Pre-Trimmer Demo Overview
A Pre-Trimmer Design
My Pre Trimmer
CLA
IMS
User Identity
datafile.txt
30 second refresh
Demo: Pre-Trimmer Implementationand Deployment
What did we learn today...• Searching securely in external content
sourcesLate Security Binding
Post-Trimmers
Early Security BindingPre-TrimmersBCS for Indexing
Claims
Performance & Quality Tradeoffs
And now… to get you started on your
own…..
Sample Code? Visit our blog…
• On MSDN Blogs• Search for
«blogs msdn security 2013»
http://blogs.msdn.com/b/security_trimming_in_sharepoint_2013/
Search HOLs and events @ SPCHOL031 – Introduction to Search in SharePoint 2013HOL034 – Exploring Search Query Rules in SharePoint 2013HOL032 – Extending the Search experience in SharePoint 2013HOL033 – People Search in SharePoint 2013
HOL035 – SharePoint Server 2013 Search Connectors and Using BCS
Meet a Search SME
Ask questions, meet the community and share knowledge!
Mon-Thu @ Exhibit Hall
Hands on Labs
Daily 10:30am-6:30pm @ HOL Lab Lounge
Ask the Experts
Discuss search!
Wed 6:15PM @ Ask the Experts Lounge
Related Search Sessions @ SPC
Mon 3:45pm - SPC202 - Search Architecture in SharePoint 2013Speakers: Thomas Molbach, Rune Zakariassen
Thu 12:00pm – SPC233 - SPC233 Surfacing LOB Data in SharePoint 2013 and Search Speaker: Shannon Bray
Tue 10:30am - SPC044 - Crawl and Index all Enterprise Content with SharePoint 2013 Search Speaker: Vaidy Raghavan
Q&A
Evaluate this session now on MySPC using your laptop or mobile device: http://myspc.sharepointconference.com
MySPC
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Content ACL Types and Encoding
Docaclmsspacl
ACL Encoding
Encoding into queryable termwzo4215nb1hi3b1f3xxg4lsmzqwgzjonvuwg3tponxwm4bomnxw1l2tmvrxk3tjor3s5yldnqmn1xg4dpnv1he1lnnvsxeovzwk3rr
Security FilterAND
ANDNOT
OR
Query
User1 Group1 Group2
OR
9User1 9Group1 9Group2 ...GroupN 9GroupN...
Allow Deny