Industry-wide Standards for Document-level Security in Enterprise Search
By Paul Nelson, Chief Architect at Search Technologies
Below are some concluding remarks, as a summary to my series of articles on document-level security in search systems. If you haven't read them yet, start with Search System Security.
Ever since joining Search Technologies, I have been on something of a mission to elevate the search engine industry to a discipline that has the highest levels of craftsmanship and has recognized professional standards.
And so, I must admit that this series of articles on the subject of document-level security has a purpose beyond mere education. My goal is the development of an industry-wide standard for enterprise search security.
With hundreds of customers, Search Technologies all too often encounters bizarre content source security models, or poorly implemented document-level security features in search engines. These limitations cost customers time and money to work around. That is time and money that could be better spent on improving the search experience, or extending the scope of the corporate-wide search system.
And so, I am asking for help from developers of search engines and content storage systems everywhere.
Search Engine Security Standards
Here is a simple - and I have to say - relatively short list of requests, which taken together, might be considered as an industry standard.
For Search Engine Developers:
- Allow for very large Boolean queries over ACL fields
- Allow for parentACLs and denyACLs as well as allowACLs
- Allow the indexing of a string such as “SharePoint:Virginia Employees” as a single token
For Content Storage Developers:
This means developers of Content Management Systems, databases, forums, support ticket systems, CRM systems, file systems, etc.
- Provide APIs to scan through all objects on your system
- Provide APIs to fetch all of the ACLs required to determine the access rights for any object
- This should include all documents, folders, and parent containers
- Provide APIs to list all groups, and also to determine the membership of any group
- Please use standard LDAP or Active Directory for your usernames