4 Replies Latest reply on Jul 20, 2012 5:40 AM by User387251

    Multiple security filters


      we have a scenario where we need to fire a single query to the index and need to apply 2 different security filters.

      For eg:

      In the UI, by default an user can search in two fields. "Title" & "Content" and each have own security filter, view meta data filter & view record filter

      Assume 4 records with below data,

      R1 Tiltle = "XYZ", content = ""XYZ", viewmetadata = "true", viewrecord = "true"
      R2 Tiltle = "ABC", content = ""XYZ", viewmetadata = "true", viewrecord = "true"
      R3 Title="ABC" and content = "XYZ", viewmetadata = "true", viewrecord = "false"
      R4 Title = "XYZ" and content = "XYZ", viewmetadata = "true", viewrecord = "false"

      user has view meta data for R1,R2,R3,R4 & view record for R1, R2, R4,so if some one search for "XYZ", then user should get back R1,R2,R4.

      can any one plz suggest how to get the unique results from the index based on this scenario with single query?

      Many Thanks
        • 1. Re: Multiple security filters
          Hi Sri,

          Can I infer from your post that you're employing your security filters via a Studio SecurityManager extension? If so, there is no reason that you can use this extension to apply a security filter which uses a boolean "AND" operator between your two mandatory conditions (ie. viewmetadata="true" AND viewrecord="true").

          Please see chapter 2 of the StudioDevelopmentGuide --> http://docs.oracle.com/cd/E29805_01/StudioDevGuide.pdf for creating a custom SecurityManager

          Please see information related to DataSourceFilters in the StudioUsersGuide for info on syntax --> http://docs.oracle.com/cd/E29805_01/StudioUsersGuide.pdf

          • 2. Re: Multiple security filters
            Hi Danny,

            Thanks for the reply.

            Yes, we are are using the concept in SecurityManager to apply the security filters.

            We have found an issue using mutiple security filter with "AND" operator.

            For example,

            Record1: Title="Fire" Content="Fire" Viewmetadata="true" Viewrecord="true"
            Record2: Title="Fire" Content="Fire" Viewmetadata="true" Viewrecord="false"
            Record3: Title="water" Content="Fire" Viewmetadata="true" Viewrecord="false"

            If an user has perimission to view meta data for all three records & can view content of only record1 and the user searches for "Fire" we want back Record1&Record2.

            But record2 should only get searched in "Title" field because user don't have permission to view the content.

            So if we apply "AND" operator in this situation we only get back record1.

            The issue we are facing here is, we have to make the search only happens in,

            1. both (title and content) if user has permission to view metdata and view record
            2. only title if user has permission to view metdata only.

            Please provide your suggestion on this.

            • 3. Re: Multiple security filters
              Brett R-Oracle
              Your requirements are a mixture of record/row-level security (which records can I see) and attribute/field-level security (which attributes can I see and search). The focus of the Security Manager extension and default implementation is on record-level security.

              In terms of restricting searchability of attributes or sets of attributes, this can be achieved through the use of Search Interfaces. These aggregate attributes into a single search, however you won't be able to automatically bind users to Search Interfaces, although you may be able to achieve this manually through multiple search portlets and portlet permissions. The same applies for the actual display of attributes.

              • 4. Re: Multiple security filters
                Hi Brett,

                Thanks for the reply. Yes we want to limit the number of fields getting searchED and it will vary per record for a given query.

                For example, For record 1 => search in Title & content and for record 2 => search in only Title.

                Because for record 2, user may not have permission to view the content.

                The one way of achieving this use case.

                1. Create search interface for Title field and search in all the records for which user has the permission to view the meta data
                2. Create search interface for Content and search in all the records for which user has the perimission to view the content
                3. In the UI code, aggregate the results from two different queries

                But with this approach, the result aggregation, pagination have to be done through code. So is there an another way to handle this use case(whether engine can handle aggregating the results)?.

                Please provide your suggestions.

                Thank You,