Configuring role-based security for viewing Endeca Server connection data

You can also configure an Endeca Server connection to control who can view the data based on user roles.

The Endeca Server connection settings related to role-based security are:
securityEnabled: Whether to enable the security filters for queries to the Endeca Server connection.

If set to "true", then the Endeca Server connection uses the filters configured under securityFilters.

securityFilters: Defines all of the security filters to be used by the Endeca Server connection. Each filter is given a name to map to the security roles.
For security filters, DataSourceFilters are the only supported type of filter. For each filter, you specify:
  • class - the full path to the DataSourceFilter class.
  • filterString - the EQL snippet containing the filter information. This is essentially the content of a WHERE clause for an EQL statement.
  • viewKey - the key name (not the display name) of the data set against which to execute the EQL.
rolePermissionsMultiOr: For users who have more than one security role, whether to use logical OR to combine the filters from each role into a single, combined security role filter.

If set to "true", then logical OR is used, and users have access to data that matches at least one of the filters for their security roles.

If set to "false" (the default value), then logical AND is used, and users only have access to data that matches all of the filters associated with all of their security roles.

Note that if logical OR is used, it is only used to combine filters from different security roles. The filters from each individual role are still applied using logical AND before they are combined with the filters from the other roles.

Data set base filters are also applied using logical AND.

rolePermissions: Maps the user roles to the security filters.
For each mapping, the format is:
"<role name>" : [<filter list>]
where:
  • <role name> is the name of the user role.
  • <filter list> is a comma-separated list of filter names to apply for the specified role. Each name is in quotes. For example, ["filter1", "filter2", "filter3"].

Example of an Endeca Server connection with security filtering

In the following example, users with the role "French Wine" can only see data from the Bordeaux and Burgundy regions, while users with the role "Austrian Wine" can only see data from the Austria, Burgenland, and Steiermark regions.

Because rolePermissionsMultiOr is set to true, users who have both of these roles can view records from any of the five regions.

{
 "server":"server01.lab.acme.com",
 "port":"15000",
 "dataDomainName":"acmeDB",
 "name":"European Wines",
 "description":"Sales transactions for European wines",
 "securityEnabled":"true",
 "securityFilters": {
    "frenchFilter": {
        "class":"com.endeca.portal.data.functions.DataSourceFilter",
        "filterString":"Region='Bordeaux' OR Region='Burgundy'",
        "viewKey":"Wines"
    },
    "austrianFilter": {
        "class":"com.endeca.portal.data.functions.DataSourceFilter",
        "filterString":"Region='Austria' OR Region='Burgenland' OR Region='Steiermark'",
        "viewKey":"Wines"
    }
  },
 "rolePermissionsMultiOr":"true",
 "rolePermissions": {
    "French Wine": ["frenchFilter"],
    "Austrian Wine": ["austrianFilter"]
  }
}
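
The sketch below is an added example, not Endeca code: it models the combination rules described above (AND within a role, OR or AND across roles) so you can review what a given set of roles would be allowed to see before deploying a connection definition. The function names are hypothetical, the sample is the example connection trimmed to its security settings, and skipping roles that have no mapping is an assumption, since the page does not say how they are handled.

```python
import json

# Constructed sample: the example connection above, security settings only.
CONNECTION = json.loads("""
{
 "securityEnabled":"true",
 "securityFilters": {
    "frenchFilter": {
        "filterString":"Region='Bordeaux' OR Region='Burgundy'",
        "viewKey":"Wines"},
    "austrianFilter": {
        "filterString":"Region='Austria' OR Region='Burgenland' OR Region='Steiermark'",
        "viewKey":"Wines"}
  },
 "rolePermissionsMultiOr":"true",
 "rolePermissions": {
    "French Wine": ["frenchFilter"],
    "Austrian Wine": ["austrianFilter"]
  }
}
""")


def undefined_filters(conn):
    """Return (role, filter name) pairs that name a filter missing from securityFilters."""
    defined = conn.get("securityFilters", {})
    return [(role, name)
            for role, names in conn.get("rolePermissions", {}).items()
            for name in names if name not in defined]


def effective_filter(conn, user_roles):
    """Model the combined filter for a user holding the given roles."""
    if conn.get("securityEnabled") != "true":
        return None  # the filters under securityFilters are not used
    filters = conn["securityFilters"]
    per_role = []
    for role in user_roles:
        names = conn["rolePermissions"].get(role, [])
        if names:  # assumption: a role with no mapping contributes no clause
            # Filters of one role are always combined with AND.
            per_role.append(" AND ".join(f"({filters[n]['filterString']})" for n in names))
    # Default is "false": AND across roles. "true": OR across roles.
    multi_or = conn.get("rolePermissionsMultiOr", "false") == "true"
    return (" OR " if multi_or else " AND ").join(f"({c})" for c in per_role)
```

With rolePermissionsMultiOr left at its default, the same two-role user gets both region lists joined by AND, so a record would have to match both lists to be visible.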