Legacy Product

Fusion 5.10

    Configure Security Trimming for SharePoint Optimized V2

    You can configure the SharePoint Optimized V2 connector to use security trimming so that query results are filtered based on the roles and permissions assigned to the user.

    To configure security trimming, you’ll need to set up and run a SharePoint Optimized V2 datasource, an LDAP ACLs V2 datasource, and a Graph Security Trimming query stage in the same app and collection.

    When a crawl is run, the SharePoint Optimized V2 and LDAP ACLs V2 datasources must index the content documents and ACL documents to the same collection.

    • ACL documents: Users, Groups, and their Role Assignments.

    • Content documents: The SharePoint objects with metadata and content (Sites, Lists, Items). Each of these documents carries a _lw_acl_ss field, which determines who can see the document when searching.

    Set up the datasources

    1. Navigate to Indexing > Datasources.

    2. Install the datasource connectors if not already installed.

    3. Click Add and select SharePoint Optimized V2 or LDAP ACLs V2.

    4. Fill in all required fields.

    The SharePoint Optimized V2 and LDAP ACLs V2 datasources must index the content documents and ACL documents to the same collection. Ensure both datasources use the same value, contentCollection, for the ACL Collection ID field; if the two values differ, the query-time join has no ACL documents to match against and trimming does not work.

    If using SharePoint-Optimized and LDAP-ACLs < v2.0.0

    Update the ACL Collection ID in the datasource configuration.

    The SharePoint-Optimized and LDAP-ACLs datasources must index their content_documents and acl_documents to the same collection. In both datasources, check the SecurityACL Collection Id property and make sure it has the same value and points to the same content collection.

    1. Navigate to Indexing > Datasources.

    2. Open your SharePoint Optimized V2 or LDAP ACLs V2 datasource.

    3. Under Security, update the configuration to use contentCollection as the ACL Collection ID.

      [Screenshot: Datasource config for Fusion 5.8 with Graph Security Trimming]

      The Security checkbox must be checked for this field to appear.

    4. Save the configuration.

    Repeat this process for all required datasources.

    If using SharePoint-Optimized and LDAP-ACLs >= v2.0.0

    Recreate the datasources, or update them in place. Note that an updated datasource cannot be reverted to the configuration of a previous plugin version.

    By default, the LDAP-ACLs and SharePoint-Optimized V2 datasources will index the content_documents and acl_documents to the same collection.

    1. Navigate to Indexing > Datasources.

    2. Open your SharePoint Optimized V2 or LDAP ACLs V2 datasource.

    3. Under Graph Security Filtering Configuration, select Enable security trimming.

    Repeat this process for all required datasources.

    Set up Graph Security Trimming

    The Graph Security Trimming stage resolves the querying user's group memberships, including nested groups, from the ACL documents. It then issues a Solr join query that takes the resolved ACL IDs and filters out every content document whose join field (_lw_acl_ss) does not match at least one of them.

    1. Navigate to Querying > Query Pipelines.

    2. Open the query pipeline associated with your SharePoint Optimized V2 or LDAP ACLs V2 data.

    3. Click Add a new pipeline stage and select Graph Security Trimming.

    4. Configure the stage with the following settings:

      Field                  Value
      ACL solr collection    Your ACL collection (the collection the ACL documents were indexed to)
      User ID source         query_param or header
      User ID key            The query parameter or header name that contains the User ID
      Join Field             _lw_acl_ss
      Join method            topLevelDV

    Test the configuration

    To confirm that security trimming works as configured, run the following test:

    1. First, run the SharePoint Optimized V2 and LDAP ACLs V2 datasources.

    2. Run a series of queries to confirm that user permissions are enforced as intended. In each query, pass the user ID through the configured User ID key (query parameter or header):

      1. Query as a user with no permissions. You should see no search results.

      2. Query as a user that has access to some documents. You should see only those search results.

      3. Query as a user that has access to all documents. You should see all documents.

        Facet or filter by _lw_document_type_s:contentDocument to see only the SharePoint documents; otherwise ACL documents (aclDocument) are also returned in the results.
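    The following Python script is an added illustration of what the stage described under "Set up Graph Security Trimming" does end to end, and of the checks in the test plan above. It is a simulation written for this page, not code from Fusion or from the connectors: plain lists stand in for the Solr collection, the graph walk stands in for the stage's nested-group resolution, and the set intersection stands in for the Solr join. The id values and the member_of_ss field are assumptions constructed for the example; only _lw_acl_ss and _lw_document_type_s are field names the page itself uses.

```python
# Added simulation of security trimming; not Fusion's or the connectors' own code.
# Assumptions for this example: the member_of_ss field and all id values are
# constructed; only _lw_acl_ss and _lw_document_type_s come from the page.
from collections import deque

# Constructed sample documents, as if both crawls indexed into one collection:
# ACL documents (users and groups with their memberships) and content documents
# (SharePoint objects carrying the _lw_acl_ss field).
COLLECTION = [
    # ACL documents: member_of_ss lists the groups this principal belongs to
    {"id": "user:alice", "_lw_document_type_s": "aclDocument",
     "member_of_ss": ["group:engineering"]},
    {"id": "user:bob", "_lw_document_type_s": "aclDocument",
     "member_of_ss": ["group:all-staff"]},
    {"id": "user:eve", "_lw_document_type_s": "aclDocument",
     "member_of_ss": []},
    {"id": "group:engineering", "_lw_document_type_s": "aclDocument",
     "member_of_ss": ["group:all-staff"]},          # nested group
    {"id": "group:all-staff", "_lw_document_type_s": "aclDocument",
     "member_of_ss": []},
    # Content documents: _lw_acl_ss lists the principals allowed to see the doc
    {"id": "sp:sites/eng-wiki", "_lw_document_type_s": "contentDocument",
     "_lw_acl_ss": ["group:engineering"]},
    {"id": "sp:sites/handbook", "_lw_document_type_s": "contentDocument",
     "_lw_acl_ss": ["group:all-staff"]},
    {"id": "sp:sites/alice-notes", "_lw_document_type_s": "contentDocument",
     "_lw_acl_ss": ["user:alice"]},
]


def user_id_from_request(source, key, params, headers):
    """Mirror the stage's 'User ID source' / 'User ID key' settings.
    Returns None when the key is absent so the caller can fail closed."""
    if source == "query_param":
        return params.get(key)
    if source == "header":
        return headers.get(key)
    raise ValueError(f"unknown user ID source: {source}")


def resolve_acl_ids(user_id, collection):
    """Graph step: walk member_of_ss edges from the user and collect the user
    plus every nested group. The visited set makes group cycles safe."""
    acl_docs = {d["id"]: d for d in collection
                if d["_lw_document_type_s"] == "aclDocument"}
    if user_id not in acl_docs:
        return set()              # unknown user: no ACL IDs, hence no results
    seen = {user_id}
    queue = deque([user_id])
    while queue:
        current = queue.popleft()
        for group in acl_docs.get(current, {}).get("member_of_ss", []):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def trimmed_search(user_id, collection):
    """Join step: keep only content documents whose _lw_acl_ss shares at
    least one value with the user's resolved ACL IDs. ACL documents are never
    returned, which is what filtering on _lw_document_type_s:contentDocument
    achieves when you test by hand."""
    if not user_id:
        return []                 # missing ID: fail closed, not open
    allowed = resolve_acl_ids(user_id, collection)
    return [d["id"] for d in collection
            if d["_lw_document_type_s"] == "contentDocument"
            and allowed.intersection(d["_lw_acl_ss"])]


def run_test_plan(collection):
    """The three checks from 'Test the configuration', plus a missing-ID check."""
    return {
        "no permissions": trimmed_search("user:eve", collection),
        "some documents": trimmed_search("user:bob", collection),
        "all documents": trimmed_search("user:alice", collection),
        "missing user id": trimmed_search(
            user_id_from_request("header", "X-User-Id", {}, {}), collection),
    }


if __name__ == "__main__":
    for label, hits in run_test_plan(COLLECTION).items():
        print(f"{label:16} -> {hits}")
```

    The point to carry over to a real deployment is the two fail-closed branches: an unknown user resolves to an empty ACL set and a missing User ID key yields no results, so a misconfigured User ID source or key shows up in the first test query as zero hits rather than as every document being visible.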