It is necessary to secure replies, in order to allow user to view only replies he has access to.
Securing replies need actions on both PaF and reply sides:
- PaF must be operated in secured mode.
- Replies databases should be queried using afs:user and afs:group parameters.
For more information about managing rights on documents, see our section about Managing Rights On Documents.
Operate the PaF in secured mode
Operate the PaF in secured mode:
/usr/local/afs7/bin/afs_paf -s
In this case:
- The scheduler stores permissions of all loaded files.
- The scheduler enable rights management for filters (afs_filesystem_load, used for remote file system indexing such as NFS and afs_search_build which generates secured databases).
afs_paf_top displays specific reporting for secured PaF.
DataFlow Back Office application displays the secured icon for these PaFs. 
Query a Secured Database
Focus on Anonymous Queries.
Query Engine can either allow or disallow anonymous queries. In anonymous mode, queries without authentication parameters (afs:user and/or afs:group) will display public documents. In authenticated mode (non-anonymous), a query without authentication parameters will be rejected.
Examples
- Anonymous mode can be used for a web site with specific contents for registered users.
- Authenticated mode can ensure a strict rights policy on an intranet portal.
Authenticated mode is the default setting, it can be changed by setting QEng/Agents/enableAnonymousQueries to true.
Focus on Errors in Authentication Parameters
By default, in case of error with either afs:user or afs:group parameter, all authentication parameters are ignored (user, group), a message appears in the output feed and the query is rejected. Set QueryParsing/discardOnError parameter to false to avoid this behavior.
Focus on Authentication Parameters
Role | Sets the user for the query, afs:user=<user_name>. |
Status | Optional. user_name must be an identifier (one letter followed by several letters and numbers) or an email address compliant to the RFC 5322 internet standard (see Email Address (Wikipedia) or RFC 5322 for more details). Can be set to 0 and can be set several times. |
Example | afs:service=1811&afs:query=I+want+it+all&afs:user=john afs:service=1811&afs:query=I+want+it+all&afs:user=bill&afs:group=windows afs:service=1979&afs:uri=42&afs:user=steeve&afs:group=apple |
Role | Sets the group for the query, afs:group=<group_name>. |
Status | Optional. group_name must be an identifier (one letter followed by several letters and numbers) or an email address compliant to the RFC 5322 internet standard (see Email Address (Wikipedia) or RFC 5322 for more details). Can be set to 0 and can be set several times. |
Example | afs:service=1811&afs:query=I+want+it+all&afs:group=users afs:service=1811&afs:query=I+want+it+all&afs:user=bill&afs:group=windows&afs:group=msdos afs:service=1979&afs:uri=42&afs:user=steeve&afs:group=apple To set several groups, this alternative syntax can be used: afs:groups=<group1_name>,<group2_name>...<groupn_name> |