Validating access at query time
Added by IBM | Edited by developerWorks Lotus Team on July 8, 2014

The seedlist SPIs allow all IBM® Connections content to be crawled, including access-controlled content. You must take steps to ensure that the data is accessed by only those with the appropriate access privileges.




About this task

To complete the integration, your search engine must be able to establish the security tokens for each user when that user makes a search query. This topic details the SPIs available to independent search engines to retrieve user security tokens to facilitate searching over access-controlled content. Compare these tokens to the wplc:acl tokens that were retrieved in the crawled data to determine which content the querying user should be given access to.

Procedure

  1. Before performing a search, send a GET request to the following resource to validate that people performing the search query have access to the content they are searching for:

    http://<servername>/<application>/seedlist/authverify/validateUser

    The validateUser details are as follows:

    application/xml
         ValidateUser = element validateuser {
             UserID
             Name
             Email
             Validated
         }
         UserID = element userid { text }
         Name = element name { text }
         Email = element email { text }
         Validated = element validated { "true" | "false" }

  2. Send a GET request to the following resource to retrieve the access control tokens that are applicable to the person performing the search query so that secured documents can be returned in the seedlist response:

    http://<servername>/<application>/seedlist/authverify/getACLTokens


    Send this request to only one application and only send it one time for performance reasons.

    The getACLTokens call returns the same response from all IBM Connections applications except the Wikis application, which uses an additional internal access control model. When searching across all IBM Connections content, retrieve the tokens from the Wikis application. If Wikis results are not required for the search query, then it does not matter which application you send the GET request to, but you only need to send it to one application.

    The getACLTokens details are as follows:

    application/xml
         GroupsForUser = element groupsforuser {
             UserID
             GroupID*
         }
         UserID = element userid { text }
         GroupID = element groupid { text }


    Documents in the search index should be returned if any of the values returned from getACLTokens, such as the <userid> or <groupid> elements, match the values in the wplc:acl elements in the seedlist entries that were indexed at crawling time.
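
The query-time check described in this procedure, as an added example that is not IBM code: it parses the two responses and keeps only search hits whose crawl-time wplc:acl values share a token with the user. The sample XML, the index contents and the function names are constructed for illustration; the HTTP GET requests are left out, the responses are assumed to carry no XML namespace requirement, and the userid cross-check assumes both resources report the same userid value.

```python
import xml.etree.ElementTree as ET

# Constructed sample responses that follow the validateUser / getACLTokens schemas.
VALIDATE_XML = ("<validateuser><userid>u-1001</userid><name>Sample User</name>"
                "<email>sample.user@example.com</email>"
                "<validated>true</validated></validateuser>")
TOKENS_XML = ("<groupsforuser><userid>u-1001</userid>"
              "<groupid>g-sales</groupid><groupid>g-emea</groupid></groupsforuser>")
# Constructed index: document id -> wplc:acl values stored at crawl time.
INDEX = {"doc-team": {"g-sales", "g-finance"},
         "doc-private": {"u-2002"},
         "doc-own": {"u-1001"}}

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # tolerate a namespace on the tag

def _parse(xml_text, root_name):
    """Parse one response; reject DTDs and unexpected root elements."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD not expected in an authverify response")
    root = ET.fromstring(xml_text)
    if _local(root.tag) != root_name:
        raise ValueError(f"unexpected root element {root.tag!r}")
    return root

def _texts(root, name):
    return [(e.text or "").strip() for e in root.iter() if _local(e.tag) == name]

def user_tokens(validate_xml, tokens_xml):
    """Return the user's ACL tokens; empty set (deny) if anything is off."""
    try:
        v = _parse(validate_xml, "validateuser")
        t = _parse(tokens_xml, "groupsforuser")
    except (ET.ParseError, ValueError):
        return set()
    if _texts(v, "validated") != ["true"]:
        return set()
    uid = _texts(t, "userid")
    # Added check (assumption): both responses must name the same single user.
    if len(uid) != 1 or not uid[0] or uid != _texts(v, "userid"):
        return set()
    return {tok for tok in uid + _texts(t, "groupid") if tok}

def visible(hits, tokens, index=INDEX):
    """Keep hits whose crawl-time ACL shares at least one token with the user."""
    return [doc for doc in hits if index.get(doc, set()) & tokens]
```

Any parse failure, a `validated` value other than `true`, or a hit missing from the index results in nothing being returned for that user or document.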

Results

To enable real-time accuracy on search results, some search engines, such as IBM OmniFind Enterprise Edition, implement a post-processing step on search results to filter out documents that users have lost access to since the last crawl. This step is not currently supported for IBM Connections, and crawling should be frequent enough to reduce the likelihood of false positive results being returned. The default indexing schedule of the IBM Connections search engine is to crawl all applications every 15 minutes.