Mapped Security Example

The following diagram shows the components involved in a Mapped Security architecture:

Connectors extract information from third-party repositories so that the information can be indexed into IDOL Server. The connector adds an Access Control List (ACL) to a metadata field in each document. The ACL describes which users and groups are permitted to view the document. Connector Framework Server (CFS) then indexes the document, ACL included, into IDOL Server.

At the same time, OmniGroupServer retrieves group memberships from the third-party repositories and from directories such as Active Directory, and stores this information until it is needed. In some cases, where a repository uses its own system for storing users and groups, OmniGroupServer queries a connector to retrieve the group information.

If the permissions set on a file in a repository are changed, the connector sends the update to CFS and the document's ACL is updated in IDOL Server. If a user's group memberships change, the group information is updated in OmniGroupServer the next time the group server synchronizes with the repository, so between synchronizations the stored memberships can be stale.

To use the front-end application, a user must log on. After authentication succeeds, the front-end application sends a query to Community to retrieve the user's security information. Community returns an encrypted securityinfo string that contains the names of the groups the user is a member of. The front-end stores the string, because it must be sent (as the SecurityInfo parameter) with every query to IDOL Server. Because the group names are fixed when the string is issued, a change in the user's group memberships takes effect only after the front-end requests a new string from Community.

When a user does something in the front-end application that requires information from IDOL Server (for example, starting a search), the front-end sends a query to IDOL Server. IDOL Server (Content) runs the operation and passes the resulting documents, together with the user's security information, to the Mapped Security plug-in. The plug-in compares the user's security information with the ACL of each document and returns only the documents that the user is permitted to view. IDOL Server then returns these documents to the front-end.
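The flow described above, as an added example written for this page rather than IDOL's own code: a connector indexes documents with an ACL field, a group-server model holds memberships that change only on synchronization, a Community model issues the securityinfo string, and a plug-in model filters search results against each ACL. The ACL shape, the keyed HMAC used as a stand-in for Community's encryption, and all users, groups and document names are constructed assumptions; the real IDOL ACL format and securityinfo encoding are not reproduced here.

```python
import base64
import hashlib
import hmac
import json

# Assumption: key shared by Community (issuer) and the Mapped Security
# plug-in. A stand-in for IDOL's encryption of the securityinfo string.
COMMUNITY_KEY = b"example-community-key-not-for-production"


# --- Connector / CFS: documents carry an ACL metadata field -----------------
def make_doc(reference, allow_users=(), allow_groups=(),
             deny_users=(), deny_groups=()):
    """Document as the connector hands it to CFS (illustrative ACL shape)."""
    return {"DREREFERENCE": reference,
            "ACL": {"allow_users": set(allow_users), "allow_groups": set(allow_groups),
                    "deny_users": set(deny_users), "deny_groups": set(deny_groups)}}


def update_acl(index, reference, **acl_changes):
    """Repository permissions changed: connector -> CFS -> ACL replaced at once."""
    for doc in index:
        if doc["DREREFERENCE"] == reference:
            doc["ACL"].update({k: set(v) for k, v in acl_changes.items()})


# --- OmniGroupServer: memberships refreshed only on synchronize() -----------
class GroupServer:
    def __init__(self):
        self._memberships = {}

    def synchronize(self, repository_memberships):
        """Pull user -> groups from repositories / directory (constructed dict)."""
        self._memberships = {u: set(g) for u, g in repository_memberships.items()}

    def groups_for(self, user):
        return set(self._memberships.get(user, ()))


# --- Community: issue the securityinfo string after a successful login ------
def issue_securityinfo(user, group_server):
    payload = json.dumps({"user": user,
                          "groups": sorted(group_server.groups_for(user))}).encode()
    tag = hmac.new(COMMUNITY_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + payload).decode()


def read_securityinfo(token):
    raw = base64.urlsafe_b64decode(token)
    tag, payload = raw[:32], raw[32:]
    expected = hmac.new(COMMUNITY_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("securityinfo not issued by Community (forged or altered)")
    return json.loads(payload)


def securityinfo_is_valid(token):
    try:
        read_securityinfo(token)
        return True
    except ValueError:          # covers bad base64 and bad JSON as well
        return False


# --- Mapped Security plug-in: compare securityinfo with each document's ACL --
def permitted(doc, secinfo):
    acl, user, groups = doc["ACL"], secinfo["user"], set(secinfo["groups"])
    if user in acl["deny_users"] or groups & acl["deny_groups"]:
        return False            # assumption: an explicit deny wins over allow
    return user in acl["allow_users"] or bool(groups & acl["allow_groups"])


def search(index, token):
    """What Content returns once the plug-in has filtered the raw result set."""
    secinfo = read_securityinfo(token)
    return [d["DREREFERENCE"] for d in index if permitted(d, secinfo)]


def scenario():
    """Walk through the flow on constructed data; returns the observations."""
    ogs = GroupServer()
    ogs.synchronize({"alice": ["finance", "staff"], "bob": ["staff"]})
    index = [make_doc("budget.xlsx", allow_groups=["finance"]),
             make_doc("handbook.pdf", allow_groups=["staff"]),
             make_doc("hr-notes.docx", allow_users=["bob"])]
    out = {}
    alice_login_token = issue_securityinfo("alice", ogs)   # front-end stores this
    out["alice"] = search(index, alice_login_token)
    out["bob"] = search(index, issue_securityinfo("bob", ogs))
    # 1. Permission change in the repository is visible in the index immediately.
    update_acl(index, "budget.xlsx", allow_users=["bob"])
    out["bob_after_acl_change"] = search(index, issue_securityinfo("bob", ogs))
    # 2. alice loses 'finance' in the repository, but OmniGroupServer has not
    #    synchronized yet: even a freshly issued securityinfo still carries it.
    out["alice_fresh_before_sync"] = search(index, issue_securityinfo("alice", ogs))
    ogs.synchronize({"alice": ["staff"], "bob": ["staff"]})
    # After the sync the token stored at login is still accepted, and stale,
    # until the front-end asks Community for a new one.
    out["alice_stored_after_sync"] = search(index, alice_login_token)
    out["alice_fresh_after_sync"] = search(index, issue_securityinfo("alice", ogs))
    # 3. A front-end cannot grant itself groups by editing the string.
    forged = base64.urlsafe_b64encode(
        b"\0" * 32 + json.dumps({"user": "bob", "groups": ["finance"]}).encode()).decode()
    out["forged_accepted"] = securityinfo_is_valid(forged)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The two stale-membership observations are the practical caveat of this architecture: removing a user from a group in the repository does not revoke access until OmniGroupServer has synchronized and the front-end has obtained a new securityinfo string, so a deployment should size the synchronization interval and the front-end's refresh of the string against how quickly revocation must take effect.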