Document-Level Security

K2 uses native authentication and the K2 Ticket Server to achieve collection-level security. However, you may also want to limit certain documents within collections to specific users. In this case, you implement document-level security to control whether a document appears in a results list, and whether a user can retrieve it.

Document-level security uses Verity Gateways to determine a user’s access rights for individual documents. Each gateway respects and enforces the document repository’s existing security model. Since gateways support ODBC-compliant databases, Lotus Notes, Documentum, Microsoft Exchange, Web servers, and file systems, K2 can examine access rights for multiple models and use them to provide document-level security.

No Results Filtering

K2 offers different methods for document-level security. The first is no results filtering, in which you configure K2 to display all documents in a results list or category, regardless of user access rights. If a user doesn’t have access rights to view a document, he can see its results list information, such as its title and summary, but he cannot retrieve it. This method is useful when you want users to be aware of documents, whether or not they can view the details within them.

Results-List Filtering

The second method of document-level security is called results-list filtering, in which K2 checks each document for access rights before it displays the results list to the user. Filtered results lists and categories only show documents that a user can retrieve.

Results list filtering is useful when you do not want particular users to be aware of certain documents within a secure collection. Results-list filtering can be important in some situations, because a query result for some documents might provide as much information as the entire contents of the document itself.

Access-Control Lists

For gateways that support them, K2 uses access-control lists (ACLs) to regulate security at the document level. To enhance performance, an ACL for each document is cached within a collection. When users submit queries, K2 uses the cached information to determine whether the user can access a document, instead of examining the access rights of each document in its remote repository. This approach dramatically increases the speed with which K2 returns results and significantly decreases the load on each repository.

K2 provides the flexibility to use cached ACLs or to check repository access rights when it generates a results list. However, when a user selects a document from a results list for viewing, K2 always checks the repository for access rights. It does not use cached ACLs to determine whether a user can open a document for viewing. Therefore, even if a document’s access rights change immediately after a collection is indexed, K2 will apply the most current security measures before it displays the document itself to the user.