Troubleshooting Document Security issues with ESP SharePoint Connector


This document pertains to the .NET SharePoint Connector for ESP.

Security for SharePoint content indexed in ESP relies on a combination of the document ACLs stored in the index and the User/Group membership information stored in the SharePoint domain within the ESP Security Access Module (SAM).

Common Problems

  1. When the ACL of a document is updated, you must perform an incremental content feed to ESP to update the document ACLs in the index.
  2. When User/Group information is updated within SharePoint you must perform a user directory feed to SAM to update the user directory information.
  3. The SharePoint connector user directory feed needs to be configured to include all the sites included in the content feed specified in the IncludeWebsUrl parameter.
  4. If you list web application URLs in IncludeWebsUrl, the parameter CrawlWebApplication needs to be set to true.
  5. SiteAdmins are not included in content ACLs since they are not explicitly granted rights and are generally set up as management accounts rather than actual users. ESP does not grant SiteAdmins search privileges unless they are explicitly added as a user or to a group that is on the ACL.
  6. NT Authority\Authenticated Users is not extracted as part of User/Group membership and needs to be explicitly mapped within SAM.
    [Figure: SAM illustration]

Troubleshooting practices

Examine the docacl values of the indexed document to which you believe you should have access.

You can view the docacl values by disabling security so that the query returns the result you currently cannot see. This is done by adding &qtf_securityfql:enable=0 to the query URL string.

You can then decode these values by using the decode tool in the Advanced Troubleshooting page of the SAM Admin GUI.

If you are debugging a large group of users and documents you can configure the content connector to not publish to ESP, dump records to an XML file, and choose not to encode the docacl. This is done by configuring the following parameters:

Note: EncodeAcl is not included in the configuration and needs to be added under the General group.
<parameter name="ActuallyPublish" type="boolean">
<![CDATA[If true, actually submit the documents to ESP. <br>Default: true ]]>
<parameter name="ExportFASTXML" type="boolean">
<![CDATA[If true, export all documents as FASTXML. <br>Default: false ]]>
<parameter name="EncodeAcl" type="boolean">
<![CDATA[If false, ACL values will be plain text. <br>Default: true ]]>

You can look at the filter being generated by using the SAM Admin GUI - Display the complete security filter:
[Figure: SAM Filter]

If the ACL exists in the document but not in the filter you can look at the contents of the local cache. You can view what is currently stored in the SAM domain cache by exporting the cache to a local file. This function can be found in the SAM Admin GUI under the View Maintenance and Troubleshooting Options for that domain:

[Figure: Maintenance and Troubleshooting Options]
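
The comparison described above (plain-text docacl entries from the dump against the membership data exported from the SAM domain cache) can be modelled offline. This is an added example, not code from the connector or from SAM; the data shapes, the sample names and the case-insensitive matching are assumptions and do not reflect the FASTXML or cache export formats.

```python
# Added example: offline model of the ACL-versus-membership comparison.
# Data shapes are assumptions, not the FASTXML or SAM cache export formats.
AUTH_USERS = r"NT AUTHORITY\Authenticated Users"

MEMBERSHIPS = {  # constructed sample: member -> groups it belongs to
    r"contoso\alice": [r"contoso\finance"],
    r"contoso\finance": ["Portal Members"],  # nested group
    r"contoso\siteadmin": [],                # SiteAdmin, no explicit grant
}
DOCS = {  # constructed sample: document id -> plain-text ACL (EncodeAcl=false)
    "doc1": ["Portal Members"],
    "doc2": [AUTH_USERS],
    "doc3": [r"contoso\hr"],
}


def expand_principals(user, memberships, implicit=()):
    """Return the user plus every group reached transitively.

    implicit holds principals mapped to every user by hand, which is what
    the page says must be done in SAM for Authenticated Users.
    """
    graph = {m.lower(): [g.lower() for g in gs] for m, gs in memberships.items()}
    pending = [user.lower(), *(p.lower() for p in implicit)]
    seen = set(pending)
    while pending:
        for group in graph.get(pending.pop(), ()):
            if group not in seen:  # guards against membership cycles
                seen.add(group)
                pending.append(group)
    return seen


def diagnose(user, docs, memberships, implicit=()):
    """Map each document id to the ACL entries the user matches.

    Assumes account names compare case-insensitively (an assumption here).
    """
    principals = expand_principals(user, memberships, implicit)
    return {
        doc_id: sorted(entry for entry in acl if entry.lower() in principals)
        for doc_id, acl in docs.items()
    }


if __name__ == "__main__":
    for doc_id, matched in diagnose(r"contoso\alice", DOCS, MEMBERSHIPS).items():
        print(doc_id, "matches:", matched or "none")
```

An empty match list for a document the user should see points to one of the common problems above: the ACL in the index is out of date, the membership data in SAM is out of date, or a principal such as Authenticated Users has not been mapped.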

Properties

Article ID: 2420809 - Last Review: 02-05-2014 - Revision: 1
