Document Level Security - NTFS filecopy data sources

This feature only available in self-hosted installations of the Windows version of Funnelback and is not available to users of the Squiz Experience Cloud version of Funnelback.

Document level security can be applied to NTFS filecopy data sources. These are data sources that are gathered from an NTFS file system, either on a local disk or more typically on a shared drive. Access to search results are controlled on the same basis as read access to the files on the file system themselves. That is, the access control lists (ACLs) applied to the files are used to determine which users can see which results.

Note that this inherently relies on there being a consistent view of users across the search server and the file server. For this reason it is recommended that NTFS document level security only be used within a Windows domain. (Unless you have a standalone search server that only searches its own local disks)

Table of Contents

Setting up security

  • Create a filecopy data source as you would normally do.

  • Edit the data source configuration file and set filecopy.security_model to ntfs. This configures Funnelback to collect the files lock strings when copying files.

  • Edit the data source configuration file and set to NtfsDls. This will tell the query processor to use a specific plugin to match user keys with the files lock strings.

  • Ensure that the following security lock string metadata is configured in your data source’s metadata mappings:

    • Class name: S

    • Class type: document permissions

    • Source name: X-Funnelback-LockString

  • Perform a full update of the data source.

  • Ensure that the search pages of your web interface are configured to use basic HTTP authentication or Kerberos authentication.

Early-binding security on NTFS collection doesn’t need a specific plugin to collect user keys. The in-memory access token of the current search user is used to perform security checks, meaning that the security.earlybinding.user-to-key-mapper setting is ineffective, and that impersonation must be working properly.