Skip to content

Document Level Security: NTFS Filecopy collections

Background information

Document Level Security can be applied to NTFS filecopy collections. These are collections that are gathered from an NTFS file system, either on a local disk or more typically on a shared drive. Access to search results are controlled on the same basis as read access to the files on the file system themselves. That is, the Access Control Lists (ACLs) applied to the files are used to determine which users can see which results.

Note that this inherently relies on there being a consistent view of users across the search server and the file server. For this reason it is recommended that NTFS document level security only be used within a Windows domain. (Unless you have a standalone search server that only searches its own local disks)

Setting up security

  • Create a filecopy collection as you would normally do.
  • In the Core tab of the collection settings, set the DLS model parameter to Windows (NTFS), to tell Funnelback to collect the files lock strings when copying files.
  • Edit the collection.cfg file and set to NtfsDls. This will tell the query processor to use a specific plugin to match user keys with the files lockstrings.
  • Ensure that the following security lockstring metadata is configured in your collection's metadata mappings:
    • Class name: S
    • Class type: document permissions
    • Source name: X-Funnelback-LockString
  • Perform a full update of the collection.
  • Ensure that the search pages of your web interface are configured to use basic HTTP authentication or Kerberos authentication.

Note: Early-binding security on NTFS collection doesn't need a specific plugin to collect user keys. The in-memory access token of the current search user is used to perform security checks, meaning that the security.earlybinding.user-to-key-mapper setting is ineffective, and that impersonation must be working properly.

See also


Funnelback logo