Rights Storing by PaF Process - AFS

Manage Rights on Documents in AFS

Technical Notes

If PaF is launched in secured mode, search access rights are computed during reply database generation (by afs_search_build filter). See Secured Operating Mode for more information on running the PaF in secured mode.

If data are located on a distant filesystem, it is possible to process them using NFS (for Unix file systems) or Samba (for Windows file systems) thanks to the filesystem connector filter. See afs_filesystem_load for more information.

Unix Rights

In order to compute the rights for a given document, the following unix permissions are taken into account:

  • Permission of the file itself,
  • Permission of every directories in the file path (to have "Read access" on a file under UNIX, "execute access" on every directory in the path are mandatory).

Example if indexing the file /home/john/documents/projet/doc.xml with the following Unix permissions:

drwxr-xr-x root root 4096 4 oct. 2011 home
drwxr-xr-x john antidot 4096 14 sept. 2011 └── john
drwxr-xr-x john commercial 4096 15 mai 11:30 └── documents
drwxr-x--- john commercial 4096 15 mai 11:30 └── projet
-rw-r--r-- john commercial 2398998 15 mai 11:30 └── doc.xml

project directory execution rights are allowed only to commercial group members. Then, search access rights on doc.xml document will be allowed only to commercial group members.

For the file, the read right is taken into account to compute search access rights.

Let's take the previous example, but without the same Unix permission on the doc.xml document:

drwxr-x--- john commercial 4096 15 mai 11:30 projet
-rw------- john commercial 2398998 15 mai 11:30 └── doc.xml

In this case, doc.xml document will be visible in search engine results only by john user.

A modification on a file Unix permissions will be automatically taken into account by the next PaF execution, and reply database will be modified with the new access rights.

A modification on a directory Unix permissions will affect files in this directory only if they are indexed again.

Windows Rights

For a given file, all Windows "ACEs" (Access List Entries) of the file are processed and converted to READ/WRITE/EXECUTE permissions for users and groups. These permissions automatically include inherited permissions defined on parent directories, except if some *deny* permissions are defined and take precedence over the *allow* permissions.

For a file to be visible in the search engine by a given user or group "Read" permission on the file are required.

Usage of "deny" permissions is possible only for *groups*. If a file or directory is configured with "deny" permissions for a specific *user* then the afs_filesystem_load filter will put the document status to KO. Indeed the filter has no information about which groups the user belongs to, therefore it is not capable of simultaneously denying access to the user and allowing access to a group that contains this user.