Frequently Asked Questions
IDOL - Configuring ACL Deny Flags Into Use
Posted by Kimmo Pyhältö (M-Files) on 30 September 2019 02:38 PM

The approximated ACL in the IDOL index does not take "Deny" flags into account; this is currently by design. Because the actual ACL in the vault database ultimately determines the user's access to a particular search result, this is not directly a security issue. The result count, however, reports all hits, including the denied ones, which may leave some room for information fishing.

This document describes how to configure IDOL to take "Deny" flags into account.

1. General Information

1.1 CAUTION

When IgnoreDeny is set to false without further preparation on the IDOL side, newly indexed objects are not accessible through the index because of the ACL format mismatch.

Before IgnoreDeny can be set to false, the following actions must be completed.

Note that when deny rights are indexed (IgnoreDeny=0), the checked-out-to user is also indexed differently from the ACL format previously in use.

2. Configuration steps

This configuration is for the situation where an IDOL index already exists and is in use. In this scenario, a parallel index has to be created and fully re-indexed, and then switched into use.

1. Take the Vault Offline

2. Stop IDOL server services (like Single9IDOLServer)

3. Changes to the IDOL configuration file (e.g. Single9IDOLServer.CFG)

In these examples, a WithDeny or _WithDeny postfix marks the new and changed configuration. Apply the changes for each IDOL engine.

3.1 Add a line to the section [FieldProcessing] with the next free number

[FieldProcessing]
14=DetectMFSecurity
15=SetParametricRangeFields
16=SetNumericDateFields
17=DetectMFSecurityWithDeny

3.2 Copy section [DetectMFSecurity] and change values

[DetectMFSecurity]
Property=SecurityMF
PropertyFieldCSVs=*/IDOLSECURITY
PropertyMatch=MF_V4

[DetectMFSecurityWithDeny]
Property=SecurityMFWithDeny
PropertyFieldCSVs=*/IDOLSECURITY
PropertyMatch=MF_V4_WithDeny

3.3 Add a new row to the section [Security] with the next free number

[Security]
SecurityInfoKeys=111358696,133122034,192162076,101055217
0=MF_V4
1=MF_V4_WithDeny

3.4 Copy the whole section [MF_V4], increase the SecurityCode and change the ACL configuration

[MF_V4]
SecurityCode=18
Library=../modules/mapped_security
Type=AUTONOMY_SECURITY_V4_GENERIC_MAPPED
ReferenceField=*/MFACL
SecurityACLFormat=GX:<GX=SLE+>:UG0:<UG0=SLE+>:UG1:<UG1=SLE+>:UG2:<UG2=SLE+>:
SecurityACLCheck=GX=[DG]?P:-,UG0=[DU]?1:-,UG0=[DG]?-:F,UG1=[DU]?1:-,UG1=[DG]?-:F,UG2=[DU]?P:-,UG2=[DG]?P:F
SecurityLogDirectory=../logs
MFLogFile=AccessCheck_OUT.txt

[MF_V4_WithDeny]
SecurityCode=19
Library=../modules/mapped_security
Type=AUTONOMY_SECURITY_V4_GENERIC_MAPPED
ReferenceField=*/MFACL
SecurityACLFormat=GX:<GX=SLE+>:UX:<UX=SLE+>:UG0:<UG0=SLE+>:UG1:<UG1=SLE+>:UG2:<UG2=SLE+>:NUG:<NUG=SLE+>:
SecurityACLCheck=GX=[DG]?P:-,UX=[DU]?P:-,UG0=[DU]?1:-,UG0=[DG]?-:F,UG1=[DU]?1:-,UG1=[DG]?-:F,UG2=[DU]?1:-,UG2=[DG]?-:F,NUG=[DU]?F:-,NUG=[DG]?F:P
SecurityLogDirectory=../logs
MFLogFile=AccessCheck_OUT.txt

3.5 Copy section [SecurityMF], change the name and the SecurityType.

[SecurityMF]
SecurityType=MF_V4

[SecurityMFWithDeny]
SecurityType=MF_V4_WithDeny
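Steps 3.1 to 3.5 are a mechanical edit of the CFG text, so here is an added Python example (not from the article, M-Files or IDOL) that performs them in one pass: it appends the next free number in [FieldProcessing] and [Security], copies the three sections under the WithDeny names, gives the copied security section the next unused SecurityCode, and refuses to run a second time so the change is never applied twice. The CFG excerpt it operates on is a constructed sample; the ACL strings are the ones from step 3.4.

```python
# Added example: applies steps 3.1-3.5 to IDOL .CFG text. SAMPLE_CFG is a constructed excerpt.
WITH_DENY_FORMAT = "GX:<GX=SLE+>:UX:<UX=SLE+>:UG0:<UG0=SLE+>:UG1:<UG1=SLE+>:UG2:<UG2=SLE+>:NUG:<NUG=SLE+>:"
WITH_DENY_CHECK = ("GX=[DG]?P:-,UX=[DU]?P:-,UG0=[DU]?1:-,UG0=[DG]?-:F,UG1=[DU]?1:-,"
                   "UG1=[DG]?-:F,UG2=[DU]?1:-,UG2=[DG]?-:F,NUG=[DU]?F:-,NUG=[DG]?F:P")
SAMPLE_CFG = """[FieldProcessing]
14=DetectMFSecurity
16=SetNumericDateFields
[DetectMFSecurity]
Property=SecurityMF
PropertyMatch=MF_V4
[Security]
0=MF_V4
[MF_V4]
SecurityCode=18
SecurityACLFormat=GX:<GX=SLE+>:UG0:<UG0=SLE+>:UG1:<UG1=SLE+>:UG2:<UG2=SLE+>:
[SecurityMF]
SecurityType=MF_V4
"""

def parse_cfg(text):
    # IDOL .CFG -> ordered {section: [(key, value)]}. Split on the first '=' only:
    # SecurityACLFormat/SecurityACLCheck values themselves contain '=' and ':'.
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and not line.startswith("//") and current is not None:
            current.append(tuple(line.split("=", 1)))
    return sections

def render_cfg(sections):
    return "".join(f"[{n}]\n" + "".join(f"{k}={v}\n" for k, v in p) for n, p in sections.items())

def next_number(pairs):  # next free numeric key in [FieldProcessing] / [Security]
    return max([int(k) for k, _ in pairs if k.isdigit()], default=-1) + 1

def copy_section(s, src, dst, **overrides):  # copy [src] to new [dst], replacing/adding keys
    if dst in s:
        raise ValueError(f"[{dst}] already exists: the change has been applied before")
    s[dst] = [(k, overrides.pop(k, v)) for k, v in s[src]] + list(overrides.items())

def enable_deny_flags(cfg_text, base="MF_V4"):
    s, new_type = parse_cfg(cfg_text), f"{base}_WithDeny"
    s["FieldProcessing"].append((str(next_number(s["FieldProcessing"])), "DetectMFSecurityWithDeny"))  # 3.1
    copy_section(s, "DetectMFSecurity", "DetectMFSecurityWithDeny",                                    # 3.2
                 Property="SecurityMFWithDeny", PropertyMatch=new_type)
    s["Security"].append((str(next_number(s["Security"])), new_type))                                   # 3.3
    used = [int(v) for p in s.values() for k, v in p if k == "SecurityCode"]  # 3.4: keep codes unique
    copy_section(s, base, new_type, SecurityCode=str(max(used) + 1),
                 SecurityACLFormat=WITH_DENY_FORMAT, SecurityACLCheck=WITH_DENY_CHECK)
    copy_section(s, "SecurityMF", "SecurityMFWithDeny", SecurityType=new_type)                        # 3.5
    return render_cfg(s)
```

Run it on the real file's text and diff the output against the original before copying it into place; every line the article shows as new appears exactly once in the result.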

3.6 Start IDOL server services

3.7 Check that IDOL logs do not give any new errors

4. M-Files server configuration changes

4.1 In M-Files server, configure a parallel IDOL-index with these additional configuration options:

SecurityType (REG_SZ) = <name of the new SecurityType e.g. MF_V4_WithDeny>

IgnoreDeny (REG_DWORD) = 0

PredefinedIndexName (REG_SZ) = <unique name of the new index database, e.g. C840BE1A-5B47-4AC0-8EF7-835C166C8E24_WithDeny>   [optional]

When adding a parallel index, remember to add the additional parameter:

Path (REG_SZ) = <path to the corresponding index folder e.g. C:\Program Files\M-Files\Server Vaults\Indexes\Combined_WithDeny>

Finally, create the corresponding folder under the indexes folder, e.g.:

C:\Program Files\M-Files\Server Vaults\Indexes\Combined_WithDeny

4.2 Take the vault Online. Wait until the parallel index is complete (during this time the old index is still active for searches).

4.3 In M-Files, switch over to the parallel index by changing the data of the ActiveCombinedIndex value to the name of the new index.

4.4 Take the vault Offline and back Online

5. Alternative configuration by re-indexing the current index

If you do not have to keep the current index, or if you are just starting to use IDOL, you can use the following instructions instead.

1. Take the Vault Offline

2. Stop IDOL server services (like Single9IDOLServer)

3. In the IDOL configuration file (e.g. Single9IDOLServer.CFG), change the SecurityACLFormat and SecurityACLCheck of section [MF_V4] to the following:

[MF_V4]
SecurityCode=18
Library=../modules/mapped_security
Type=AUTONOMY_SECURITY_V4_GENERIC_MAPPED
ReferenceField=*/MFACL
SecurityACLFormat=GX:<GX=SLE+>:UX:<UX=SLE+>:UG0:<UG0=SLE+>:UG1:<UG1=SLE+>:UG2:<UG2=SLE+>:NUG:<NUG=SLE+>:
SecurityACLCheck=GX=[DG]?P:-,UX=[DU]?P:-,UG0=[DU]?1:-,UG0=[DG]?-:F,UG1=[DU]?1:-,UG1=[DG]?-:F,UG2=[DU]?1:-,UG2=[DG]?-:F,NUG=[DU]?F:-,NUG=[DG]?F:P
SecurityLogDirectory=../logs
MFLogFile=AccessCheck_OUT.txt

4. In M-Files server, add the following to the IDOL index configuration (e.g. C_B91D75EF-A924-4583-A7BA-2A8F3C5614C3) in the registry:
IgnoreDeny (REG_DWORD) = 0

5. Start IDOL server services

6. Check that IDOL logs do not give any new errors

7. Take the vault Online
