Deep Dive: Security Trimming in Fusion
SPEAKERS
• Vrinda Davda, Senior Engineer
• Nicholas Dipiazza, Sr Software Engineer, Connectors team
• Rakesh Maski, Senior Engineer
AGENDA
1. What is security trimming?
2. How does the old security filtering approach work?
   o Index time
   o Query time
3. Problems with the old approach
4. New security filtering approach
   o Index time
   o Query time
5. Supported operations: add/update/delete ACLs
6. Use cases and demo
SECURITY TRIMMING: REAL-TIME SCENARIOS FACED BY ORGANIZATIONS
• Access to unintended data
• Internal misuse
• Security violation
WHAT IS SECURITY TRIMMING
Diagram: a single Solr collection holds both documents you have access to and documents you do not have access to. Security trimming filters each user's search results so that only the first set is returned.
Old Approach

SECURITY TRIMMING IN FUSION – OLD APPROACH
• While crawling documents through a data source, Fusion stores Access Control List (ACL) metadata as Solr fields in the content document.
• The Security Trimming query stage matches this information against the ID of the user running the search query.
"acls_ss":["SP_ALLOW_GROUP_ADFSCOMMUNICATION SITE MEMBERS",
"SP_ALLOW_GROUP_ADFSCOMMUNICATION SITE OWNERS",
"SP_ALLOW_GROUP_ADFSCOMMUNICATION SITE VISITORS",
"SP_ALLOW_GROUP_ADFSEVERYONE EXCEPT EXTERNAL USERS",
"SP_ALLOW_GROUP_ADFSSHAREPOINT SERVICE ADMINISTRATOR",
"SP_ALLOW_USER_ADMIN2@ADFS.LAB.LUCIDWORKS.COM",
"SP_ALLOW_USER_DBENSON@AZURE.LAB.LUCIDWORKS.COM"]
INDEX TIME – OLD APPROACH
• ACLs are retrieved for each document, and an additional trip is made to get nested group relationships (for example, LDAP groups).
• Permissions are flattened (denormalized) and set into the field "acl_ss".
V1 CONNECTOR INDEX WORKFLOW – OLD APPROACH
Diagram: Data Source → Parser → Index Pipeline, with a round trip to LDAP during the crawl to expand nested groups. The resulting content document carries the flattened ACL list:

"id":"https://lucidworksfusiondev.sharepoint.com/LoadTest
"acls_ss":["SP_ALLOW_GROUP_ADFSCOMMUNICATION SITE MEMBERS",
"SP_ALLOW_GROUP_ADFSCOMMUNICATION SITE OWNERS",
"SP_ALLOW_GROUP_ADFSCOMMUNICATION SITE VISITORS",
"SP_ALLOW_GROUP_ADFSCOMPANY ADMINISTRATOR",
"SP_ALLOW_GROUP_ADFSCOMPANY ADMINISTRATOR",
"SP_ALLOW_GROUP_ADFSEVERYONE EXCEPT EXTERNAL USERS",
"SP_ALLOW_GROUP_ADFSSHAREPOINT SERVICE ADMINISTRATOR",
"SP_ALLOW_USER_ADMIN2@ADFS.LAB.LUCIDWORKS.COM",
"SP_ALLOW_USER_DBENSON@AZURE.LAB.LUCIDWORKS.COM"],
"_lw_data_source_s":"SpDefault",
"body_t":"# ESP Forecast Information\n#\n# …
QUERY TIME – OLD APPROACH
• The purpose of the security trimming stage is to add fq's (filter queries) that remove content the user should NOT see.
• The user principal is passed as a query parameter; the query stage makes an internal connection to the 3rd-party system (such as LDAP or SharePoint) to resolve the user's group memberships.
• The stage also makes an internal connection to the Connectors service cluster, lists all datasources in the current collection, and builds an fq for each datasource it finds.
• If a datasource has security trimming enabled, its fq is built and its results are trimmed. Otherwise, no filtering is imposed on that datasource's documents.
QUERY TIME – OLD APPROACH
1. The query pipeline receives the query with the principal as a parameter: q=*:*&username=admin2@adfs.lab.lucidworks.com
2. The stage resolves admin2@adfs.lab.lucidworks.com against LDAP, which returns the groups WINALdapGroup3, WINALdapGroup2, WINALdapGroup1.
3. An fq is built from those groups and added to the query:

{!lucene q.op=OR}
( *:* -acl_ss:* )
( *:* -_lw_data_source_s:( SpDefault ))
(
acl_ss:WINADomain Admins -acl_ss:WINDDomain Admins
acl_ss:WINALdapGroup3 -acl_ss:WINDLdapGroup3
acl_ss:WINALdapGroup2 -acl_ss:WINDLdapGroup2
acl_ss:WINALdapGroup1 -acl_ss:WINDLdapGroup1
)

Read with q.op=OR, the filter returns a document if it has no acl_ss field at all, or does not belong to the trimmed datasource SpDefault, or carries one of the user's allow entries and none of the matching deny entries.
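As an added illustration of the fq above (example code written for this page, not Fusion's own query stage): a Python simulation that renders the old-style filter for a user's resolved groups and evaluates the same three OR'ed clauses against constructed documents. It assumes the WINA/WIND prefixes mark allow and deny entries, quotes the group names (the slide shows them unquoted), and uses made-up datasource and document ids.

```python
"""Simulation of the old, per-datasource Fusion security-trimming filter.

Added example, not Fusion's code. A document is visible if it carries no ACL
field, or belongs to a datasource that is not security-trimmed, or is allowed
by one of the user's groups and denied by none of them. Reading 'WINA'/'WIND'
as allow/deny markers is an assumption of this example.
"""
from dataclasses import dataclass, field

ALLOW, DENY = "WINA", "WIND"


@dataclass
class Doc:
    id: str
    datasource: str
    acl_ss: list = field(default_factory=list)


def build_fq(trimmed_datasources, groups):
    """Render the old-style Solr filter query for a user's resolved groups."""
    allow_deny = " ".join(f'acl_ss:"{ALLOW}{g}" -acl_ss:"{DENY}{g}"' for g in groups)
    ds = " ".join(trimmed_datasources)
    return ("{!lucene q.op=OR} ( *:* -acl_ss:* ) "
            f"( *:* -_lw_data_source_s:( {ds} )) ( {allow_deny} )")


def is_visible(doc, trimmed_datasources, groups):
    """Evaluate the same three OR'ed clauses in Python."""
    if not doc.acl_ss:
        return True                      # clause 1: no ACL field at all
    if doc.datasource not in trimmed_datasources:
        return True                      # clause 2: datasource is not trimmed
    allowed = any(ALLOW + g in doc.acl_ss for g in groups)
    denied = any(DENY + g in doc.acl_ss for g in groups)
    return allowed and not denied        # clause 3: allowed and not denied


def trim(docs, trimmed_datasources, groups):
    """Ids of the documents the user is permitted to see."""
    return [d.id for d in docs if is_visible(d, trimmed_datasources, groups)]


# Constructed sample data modelled on the slide's identifiers.
USER_GROUPS = ["LdapGroup3", "LdapGroup2", "LdapGroup1"]
TRIMMED = ["SpDefault"]
DOCS = [
    Doc("d1", "SpDefault", ["WINALdapGroup1"]),                   # allowed
    Doc("d2", "SpDefault", ["WINALdapGroup1", "WINDLdapGroup2"]),  # denied wins
    Doc("d3", "SpDefault", ["WINAFinance"]),                       # not a member
    Doc("d4", "Wiki", ["WINAFinance"]),        # datasource without trimming
    Doc("d5", "SpDefault"),                    # crawled without ACL metadata
]

if __name__ == "__main__":
    print(build_fq(TRIMMED, USER_GROUPS))
    print(trim(DOCS, TRIMMED, USER_GROUPS))    # ['d1', 'd4', 'd5']
```

Note what the first clause, ( *:* -acl_ss:* ), does: a document indexed without any acl_ss value is visible to every user, so a crawl that fails to populate ACLs for a trimmed datasource widens access rather than hiding the document. The simulation reproduces that with d5; when auditing the old stage, count the documents in each trimmed datasource that have no ACL field.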
PROBLEMS WITH OLD SECURITY FILTERING APPROACH
• Every single datasource needs its own fq.
• Security trimming performance degrades as the number of datasources grows.
• Permissions duplication: denormalized/flattened permissions are copied into every document.
• Permissions (ACLs) are not updated on incremental crawling.
• QTime varies depending on the group hierarchy size.
• Relies on 3rd-party servers (for example LDAP); if they are down, security filtering will not work, as it cannot resolve permissions.
SUMMARY: PROBLEMS WITH OLD SECURITY FILTERING APPROACH
• More datasources? More fq's; security trimming performance degrades.
• No LDAP? No security trimming, as permissions cannot be resolved.
• Permissions (ACLs) are not updated on incremental crawl.
• QTime varies depending on group hierarchy size.
Diagram: LDAP resolving groups at query time for datasources ds1 and ds2.
New Approach

OPTIMIZED SECURITY FILTERING
• In the old approach, content documents and ACLs were stored in the same collection.
• In the new approach, access control entities (users and groups) are stored in a separate collection.
• A Solr graph+join query is used to build the security filter query.

ACL collection document fields: id, _lw_data_source_s, type_s, inbound_ss, outbound_ss
Main collection document fields: id, contentTypeName_s, _lw_acl_ss, _lw_data_source_s, body_t, ...
The two collections are linked at query time by graph+join.
SOLR COLLECTIONS – MAIN COLLECTION
The _lw_acl_ss field contains the direct users and/or groups that can access the document.
Note: it does not contain the nested groups, just the direct groups and users.

{"id":"https://lwdemo.sharepoint.com/sites/corpa/Shared Documents/001/001912.ppt",
"parent_s":"https://lwdemo.sharepoint.com/sites/corpa/Shared Documents/001/001912.ppt",
"contentTypeName_s":"Document",
"_lw_acl_ss":["740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:2386a403-8d76-4737-b774-dabad52201e3:web:7a2f544f-e3ed-444e-8de3-178c2c9b5848:3", . . .],
"_lw_data_source_s":"SPv1Optimised",
"editorValue_s":"Nicholas DiPiazza",
"body_t":"Enterprise Resource Management Program\n\nCPIC, …",
"_version_":1643660287496159232}
SIDECAR COLLECTION – ACL

Field        Description
id           ID of the access control
type_s       Type of access control (group, user, role assignment, role definition, etc.)
outbound_ss  Outbound edges, i.e. the parent objects of this access control
inbound_ss   Inbound edges, i.e. the list of access controls owned by (members of) the current access control

{"id":"ADFSADMINISTRATORS",
"dn_s":"CN=Administrators,CN=Builtin,DC=adfs,DC=lab,DC=lucidworks,DC=com",
"base_s":"dc=adfs,dc=lab,dc=lucidworks,dc=com",
"_lw_data_source_s":"AclAD",
"type_s":"ldapGroup",
"when_changed_s":"20190611155947.0Z",
"outbound_ss":["ADFSADMINISTRATORS"],
"inbound_ss":["CN=Administrator,CN=Users,DC=adfs,DC=lab,DC=lucidworks,DC=com",
"CN=Domain Admins,CN=Users,DC=adfs,DC=lab,DC=lucidworks,DC=com",
"CN=Enterprise Admins,CN=Users,DC=adfs,DC=lab,DC=lucidworks,DC=com",
"CN=admin2,CN=Users,DC=adfs,DC=lab,DC=lucidworks,DC=com",
"ADFSADMINISTRATORS"],
"_version_":1643736564827684871}

Diagram: the group ADFSADMINISTRATORS (ldapGroup-dn) with inbound edges from its members Domain Admins (ldapGroup-dn), Enterprise Admins (ldapGroup-dn) and admin2 (ldapUser-dn).
INDEX WORKFLOW – NEW APPROACH
Diagram: two index paths feed two collections.
1. Data Source → Parser → Index Pipeline → Content Collection (content documents, carrying only their direct principals in _lw_acl_ss).
2. LDAP Connector, run on a schedule → ACL Collection (user and group documents from LDAP, alongside the group documents written by each content connector).

Example documents:

LDAP user in the ACL collection:
{"id":"ADFSNICHOLAS",
"_lw_data_source_s":"AD-ACLs",
"type_s":"user",
"inbound_ss":["ADFSNICHOLAS"],
"outbound_ss":["ADFSNICHOLAS", "all-users"],
"_version_":1643660598409428998}

SharePoint group in the ACL collection:
{"id":"740c6a0b-85e2-48a0-a494-e0f1759d4aa7:…",
"_lw_data_source_s":"SPv1Optimised",
"type_s":"sharepointGroup",
"inbound_ss":["740c…", "all-users"],
"outbound_ss":["740c6a0b-… :4"],
"_version_":1643659978005807105}

Content document in the content collection:
{"id":"https://lwdemo.sharepoint.com/sites/corpa/Shared Documents/001/001912.ppt",
"contentTypeName_s":"Document",
"_lw_acl_ss":["740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:2386a403-8d76-4737-b774-dabad52201e3:web:7a2f544f-e3ed-444e-8de3-178c2c9b5848:3", …],
"_lw_data_source_s":"SPv1Optimised",
"body_t":"Enterprise Resource Management Program"}
INDEX TIME – NEW APPROACH
• Each connector indexes its groups to the ACL collection. For example, the SharePoint connector indexes SharePoint groups, the Box connector indexes Box groups, etc.
• The new LDAP ACL connector indexes user/group details from LDAP to the ACL collection.
Connectors writing to the ACL collection: Box, Active Directory ACL, SharePoint Optimised, SharePoint on-prem, Alfresco.
INDEX TIME – SUPPORTED OPERATIONS – NEW APPROACH
• Add or update an ACL (full crawl or incremental crawling)
• Delete an ACL (incremental crawling)
• Cascading changes to an inherited ACL
• Delete ACLs by wildcard query directly from Solr
QUERY TIME – NEW APPROACH
The query pipeline receives q=*:*&username=ADMIN2@ADFS.LAB.LUCIDWORKS.COM and builds a single graph+join filter instead of one fq per datasource:

JoinQuery({!join from=id to=_lw_acl_ss fromIndex=acl}+{!graph from=inbound_ss to=outbound_ss}* id:ADMIN2@ADFS.LAB.LUCIDWORKS.COM

• The inner graph query starts at the user's document in the ACL collection (id:ADMIN2@…) and walks the inbound_ss/outbound_ss edges to collect every access control the user belongs to, nested groups included.
• The outer join matches the id of each ACL document reached against _lw_acl_ss in the main collection, so a content document is returned only if one of its direct principals was reached.

ACL collection document fields: id, _lw_data_source_s, type_s, inbound_ss, outbound_ss
Main collection document fields: id, contentTypeName_s, _lw_acl_ss, _lw_data_source_s, body_t, ...
QUERY TIME – GRAPH/JOIN QUERY
Diagram: graph traversal for username NICHOLAS@ADFS.LAB.LUCIDWORKS.COM. Nodes reached:
• user-upn: CN=nicholas di piazza,CN=Users,DC=adfs,DC=lab,DC=lucidworks,DC=com
• user-sid: ADFSNICHOLAS
• ldapGroup-dn: CN=EVENT LOG READERS,OU=groups,DC=lucidworks,DC=com; CN=SERVER OPERATORS,OU=groups,DC=lucidworks,DC=com; CN=TERMINAL USERS,OU=groups,DC=lucidworks,DC=com
• ldapGroup-sid: ADFSTERMINAL
• sharepointGroup: 740c6a0b-85e2-48a0-a494-e0f1759d345a7:site (SPGroup1); b544ce61-e1ba-4b0d-8205-4898884b6a9d:web (SPGroup2); 740c6a0b-85e2-48a0-a494-e0f1759d4567:site (SPGroup3); 740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site (SPGroup4)
• nicholas.dipiazza@lwdemo.onmicrosoft.com

Resulting principal set passed to the join: NICHOLAS@ADFS.LAB.LUCIDWORKS.COM, CN=nicholas di piazza,CN=Users,DC=adfs,DC…, CN=EVENT LOG READERS,OU=groups,DC=lucidworks,DC=com, CN=TERMINAL USERS,OU=groups,DC=lucidworks,DC=com, SPGroup1, SPGroup2, SPGroup3, SPGroup4
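To make the sidecar-collection model and the graph+join query concrete, here is an added Python simulation (written for this page; not Fusion's or Solr's code). ACL documents use the inbound_ss/outbound_ss edge fields from the SIDECAR COLLECTION table, content documents list only their direct principals in _lw_acl_ss, and a query walks the graph from the user's ACL document and then joins the reached ids against the content. It also shows an incremental ACL change that touches only two sidecar documents. The ids, the choice to walk outbound_ss as parent edges, and the fail-closed behaviour for unknown users or documents with an empty _lw_acl_ss are assumptions of this example, not statements about Fusion's stage.

```python
"""Simulation of the new security-trimming approach: ACL sidecar + graph + join.

Added example, not Fusion's or Solr's code. The traversal follows outbound_ss
(parent) edges from the user's ACL document, so nested groups are resolved at
query time without the content document ever having been flattened. The join
then keeps content documents whose direct principals intersect the reached ids.
"""
import copy
from collections import deque


def reachable_principals(acl_docs, user_id):
    """Ids of every ACL document reachable from user_id via outbound_ss edges
    (the graph half of the query). Self-edges in the data are harmless."""
    by_id = {d["id"]: d for d in acl_docs}
    if user_id not in by_id:
        return set()                       # unknown principal: nothing reachable
    seen, queue = {user_id}, deque([user_id])
    while queue:
        node = queue.popleft()
        for parent in by_id[node].get("outbound_ss", []):
            # only ids that exist as ACL documents can be joined on
            if parent not in seen and parent in by_id:
                seen.add(parent)
                queue.append(parent)
    return seen


def security_trim(content_docs, acl_docs, user_id):
    """The join half: keep content whose direct principals intersect the
    reached set. A document with an empty _lw_acl_ss is never returned."""
    principals = reachable_principals(acl_docs, user_id)
    return [d["id"] for d in content_docs
            if principals & set(d.get("_lw_acl_ss", []))]


def remove_membership(acl_docs, member_id, group_id):
    """Incremental ACL update: drop member_id from group_id by editing the two
    sidecar documents only. No content document is rewritten."""
    docs = copy.deepcopy(acl_docs)
    for d in docs:
        if d["id"] == member_id:
            d["outbound_ss"] = [x for x in d["outbound_ss"] if x != group_id]
        elif d["id"] == group_id:
            d["inbound_ss"] = [x for x in d["inbound_ss"] if x != member_id]
    return docs


# Constructed sample collections, modelled on the document shapes in the deck.
ACL = [
    {"id": "ADFSNICHOLAS", "type_s": "user",
     "inbound_ss": ["ADFSNICHOLAS"], "outbound_ss": ["ADFSNICHOLAS", "all-users"]},
    {"id": "ADFSADMIN2", "type_s": "user",
     "inbound_ss": ["ADFSADMIN2"], "outbound_ss": ["ADFSADMIN2", "ADFSADMINISTRATORS"]},
    {"id": "all-users", "type_s": "group",
     "inbound_ss": ["ADFSNICHOLAS", "all-users"], "outbound_ss": ["all-users", "SPGroup2"]},
    {"id": "SPGroup2", "type_s": "sharepointGroup",
     "inbound_ss": ["all-users", "SPGroup2"], "outbound_ss": ["SPGroup2", "site:web:3"]},
    {"id": "site:web:3", "type_s": "roleAssignment",
     "inbound_ss": ["SPGroup2", "site:web:3"], "outbound_ss": ["site:web:3"]},
    {"id": "ADFSADMINISTRATORS", "type_s": "ldapGroup",
     "inbound_ss": ["ADFSADMIN2", "ADFSADMINISTRATORS"], "outbound_ss": ["ADFSADMINISTRATORS"]},
]
CONTENT = [
    {"id": "doc-a", "_lw_acl_ss": ["site:web:3"]},          # reached via nested groups
    {"id": "doc-b", "_lw_acl_ss": ["ADFSADMINISTRATORS"]},  # LDAP group grant
    {"id": "doc-c", "_lw_acl_ss": ["ADFSNICHOLAS"]},        # direct user grant
    {"id": "doc-d", "_lw_acl_ss": []},                      # no principals at all
]

if __name__ == "__main__":
    print(security_trim(CONTENT, ACL, "ADFSNICHOLAS"))    # ['doc-a', 'doc-c']
    print(security_trim(CONTENT, ACL, "ADFSADMIN2"))      # ['doc-b']
    after = remove_membership(ACL, "all-users", "SPGroup2")
    print(security_trim(CONTENT, after, "ADFSNICHOLAS"))  # ['doc-c']
```

Two points the run makes visible. First, doc-a is returned for ADFSNICHOLAS although its _lw_acl_ss names only a role assignment three hops away, which is the nested-group case the old approach had to flatten into every document. Second, removing one edge in the sidecar (all-users → SPGroup2) immediately hides doc-a for that user without reindexing any content; the old approach could not update such permissions on an incremental crawl. Note that doc-d, with an empty _lw_acl_ss, is hidden from everyone here, the opposite of the old filter's ( *:* -acl_ss:* ) clause, so check which behaviour a given deployment actually has before relying on either.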
CASE STUDY / DEMO
Scenario where we want to crawl more than one datasource with the same query filter.
Demo video: https://www.youtube.com/watch?v=rlrV4-0I_78
REFERENCES
• https://doc.lucidworks.com/release-notes/fusion-server/4.2.4-release-notes.html#new-features
• https://doc.lucidworks.com/fusion-server/4.2/reference-guides/connectors/sharepoint-online-connector-and-datasource-configuration.html
THANK YOU
rakesh.maski@lucidworks.com
vrinda.davda@lucidworks.com
nicholas.dipiazza@lucidworks.com