About access rules

Access rules, in conjunction with Endeca's Access Control System, allow you to control which records a user can access. Access rules use an if/then construct of this form:

if <property> equals <value> then grant read permissions to <group name>

For example:

if language equals italian then grant read permissions to italians

Access rules add an Endeca.ACL.Allow.Read property to records to identify which groups may access them. Any record whose <property> equals <value> has an Endeca.ACL.Allow.Read property with a value of <group name> added to it. The MDEX Engine then uses this property to filter records according to a group's access permissions. Continuing the example above, each record that has the value italian for the property language will have an Endeca.ACL.Allow.Read property added to it with the value italians.

You must manually add the Endeca.ACL.Allow.Read property to your project and enable it for record filtering before creating access rules. In other words, the Endeca.ACL.Allow.Read property must exist in order for it to be added to records during processing.

You use the Access Rules component, on the Pipeline tab, to create and manage access rules. Each access rules component must have either a property mapper or another access rules component as its record source. For internal reasons, you also must specify a dimension source for an access rules component, even though, externally, access rules do not appear to need them. Use the same dimension source that you use for your property mapper (this should be a dimension server).

About the Access Control System

Access rules must be used in conjunction with Endeca's Access Control System. You use the Access Control System to authenticate a user's identity against, and obtain authorization information from, a variety of external systems, such as an LDAP directory. The authorization information is used to control which records are retrieved during a query.

After the Access Control System authenticates the user against the specified directory, the returned group information for the user is automatically transformed into a user entitlement filter. The user entitlement filter defines the user's access rights to the data in the Endeca implementation. This filter is automatically added to every query that the user makes to the MDEX Engine, which uses the filter to return only those records that the user has a right to see. In effect, this filtered query returns only those records whose Endeca.ACL.Allow.Read property values match the values specified in the filter.
  • See the Endeca Security Guide for detailed information on configuring and using the Access Control System.
  • Unlike either of the Endeca crawlers, the Access Control System uses only the Endeca.ACL.Allow.Read permission to determine record access. It ignores all others, including Endeca.ACL.Deny.Read.
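The following is an added model, not Endeca code, of the two halves described on this page: an access rule of the form "if <property> equals <value> then grant read permissions to <group name>" tagging records with Endeca.ACL.Allow.Read, and the user entitlement filter returning only records whose tag matches one of the user's groups (ignoring Endeca.ACL.Deny.Read, as stated above). The records, rules, and group names are constructed for illustration.

```python
# Added illustration (not Endeca code): how access rules tag records with
# Endeca.ACL.Allow.Read and how the user entitlement filter uses that tag.
from dataclasses import dataclass

ACL_ALLOW_READ = "Endeca.ACL.Allow.Read"


@dataclass(frozen=True)
class AccessRule:
    """if <property> equals <value> then grant read permissions to <group>"""
    prop: str
    value: str
    group: str


def apply_access_rules(records, rules):
    """Return copies of the records with an Endeca.ACL.Allow.Read value added
    for every rule that matches. Property values are modelled as lists, since a
    record may carry several values for one property (assumption of this model)."""
    out = []
    for rec in records:
        rec = {k: list(v) for k, v in rec.items()}  # copy so input stays untouched
        for rule in rules:
            if rule.value in rec.get(rule.prop, []):
                groups = rec.setdefault(ACL_ALLOW_READ, [])
                if rule.group not in groups:
                    groups.append(rule.group)
        out.append(rec)
    return out


def entitlement_filter(records, user_groups):
    """Model of the filter the Access Control System adds to every query: a record
    is returned only if one of its Endeca.ACL.Allow.Read values matches a group the
    user belongs to. Records without the property never match; Deny.Read is ignored."""
    wanted = set(user_groups)
    return [r for r in records if wanted.intersection(r.get(ACL_ALLOW_READ, []))]


# Constructed sample data; record 5 carries a Deny.Read entry to show it has no effect.
SAMPLE_RECORDS = [
    {"id": ["1"], "language": ["italian"]},
    {"id": ["2"], "language": ["english"]},
    {"id": ["3"], "language": ["italian", "english"]},
    {"id": ["4"]},  # no language property, so no rule matches it
    {"id": ["5"], "language": ["italian"], "Endeca.ACL.Deny.Read": ["italians"]},
]
SAMPLE_RULES = [
    AccessRule("language", "italian", "italians"),     # the page's own example
    AccessRule("language", "english", "anglophones"),  # constructed second rule
]


def visible_ids(user_groups, records=SAMPLE_RECORDS, rules=SAMPLE_RULES):
    """Record ids a user in the given groups would get back from a filtered query."""
    tagged = apply_access_rules(records, rules)
    return [r["id"][0] for r in entitlement_filter(tagged, user_groups)]
```

Running `visible_ids(["italians"])` returns records 1, 3 and 5; record 4 is returned to nobody because no rule ever adds the property to it.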