Previous Model


In previous versions of SES, SES had to be registered with an OID server before it could perform secure search.

The following was the mechanism used:

  1. During crawling, the crawler provides ACLs which indicate who can read the document.
  2. The ACL consists of grants and denies to individual users or groups, all of which MUST exist in OID.
  3. The ACL grant and deny information is pushed into the text index in the form of text attributes EQGRANT and EQDENY.
  4. As an optimization, for a datasource-level ACL only the datasource ID is published to the text index, so that an ACL change does not require re-indexing the entire source.
  5. Authentication of the user is performed using OC4J’s form authentication or, in the case of SSO, using the SSO authentication. In all these cases, the user GUID is obtained from the OID server and the secure search is made.
  6. For the search, the eq0qry.pkb finds the groups for the current user from OID and adds a query such as:
    ((PUBLIC OR <userguid> OR <group1> OR <group2>..) WITHIN EQGRANT and NOT (PUBLIC OR <userguid> OR <group1> OR <group2>) WITHIN EQDENY)
  7. The query retrieves all the documents with the right grants and no deny privilege to the specific user or group.
  8. The result is further filtered using the XDB ACL mechanism at the row level, which again talks to the OID server to retrieve the group.
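
The filter from step 6, modelled outside the database as an added example (not SES code and not taken from `eq0qry.pkb`): it builds the clause in the shape shown above and evaluates the same grant/deny logic against constructed documents, so the precedence of EQDENY over EQGRANT is visible. The function names, the sample documents and the 32-hex-character GUID format check are assumptions.

```python
import re

# Assumption: principals are 32-character hex GUIDs; anything else is rejected
# so a principal value can never introduce query operators into the clause.
GUID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def principals_for(user_guid, group_guids):
    """PUBLIC plus the user's GUID plus the GUIDs of the user's groups."""
    tokens = [user_guid, *group_guids]
    for tok in tokens:
        if not GUID_RE.match(tok):
            raise ValueError(f"not a GUID: {tok!r}")
    return ["PUBLIC", *(t.upper() for t in tokens)]


def security_clause(user_guid, group_guids):
    """Build the security filter in the shape shown in step 6."""
    ors = " OR ".join(principals_for(user_guid, group_guids))
    return f"(({ors}) WITHIN EQGRANT and NOT ({ors}) WITHIN EQDENY)"


def visible(doc, user_guid, group_guids):
    """Evaluate the same filter against one document's ACL attributes."""
    who = set(principals_for(user_guid, group_guids))
    granted = bool(who & set(doc["EQGRANT"]))
    denied = bool(who & set(doc["EQDENY"]))
    return granted and not denied  # a single matching deny overrides any grant


# Constructed sample data (hypothetical principals and documents).
ALICE = "A" * 32
HR = "B" * 32
CONTRACTORS = "C" * 32
DOCS = [
    {"id": "public-faq", "EQGRANT": ["PUBLIC"], "EQDENY": []},
    {"id": "hr-policy", "EQGRANT": [HR], "EQDENY": []},
    {"id": "salary", "EQGRANT": [HR, ALICE], "EQDENY": [CONTRACTORS]},
]


def search(user_guid, group_guids):
    """Return the ids of the sample documents the user may see."""
    return [d["id"] for d in DOCS if visible(d, user_guid, group_guids)]
```

Because the group list is resolved at query time, a user added to a denied group loses access on the next search without any re-indexing, even when the document also carries a direct grant to that user.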