Boolean expression lock strings (secBoolExpr DLS plugin)

This feature is not available to users of the Squiz Experience Cloud version of Funnelback.

The secBoolExpr plugin may be used to determine a user’s access to a document when document level security is enabled. It is used when boolean style logic can be used to determine a user’s access when comparing the lock string with the user’s keys.

For example the lock string on a document could be AUTHOR|EDITOR meaning that user would need to have either AUTHOR or EDITOR as values within their user keys. If the user had user keys collection_name;AUTHOR,collection_name;VIEWER then that user would have access to the above document.

When evaluating an expression all values the user has are set to true while all missing values are set to false, for the above example it would become true|false which evaluates to true.

Enabling the plugin

To enable the plugin set the following in collection.cfg

security.earlybinding.locks-keys-matcher.name=secBoolExpr

and add -lock_string_mod_mode=raw to the indexer options

For example in collection.cfg:

indexer_options=-lock_string_mod_mode=raw

Operators

The secBoolExpr plugin supports the following logical operators ordered in lowest to highest precedence:

  • or: can be represented as OR, | or ,.

  • and: can be represented as AND, . or &.

  • not: can be represented as NOT, ! or -.

  • (): can be represented as ( and ).

Word operators are case sensitive and are must be expressed in upper case.

Operator types can be mixed in a single lock string, the follow are a valid lock strings for this plugin:

  • a OR b | c , d

  • NOT!-a

  • a AND b . c & d

Values

  • Values are case sensitive non-zero ASCII strings consisting of the following characters:

    • 0-9

    • a-z

    • A-Z

    • _ and must not be any operator including NOT, OR, AND.

  • Values must not be the lowercase or any mixed case form of an operator. For example, values should not be and, And, not, oR, etc.

  • Values may contain operators within them e.g. NOT_A, that will be processed like any other value.

Missing lock strings

Documents with missing, empty or zero length boolean expression will be treated as a lock string that does not permit access by any user.

Multiple lock strings per document

A single lock string is supported per document. Documents which have multiple lock strings will cause an undefined behavior.

© 2015- Squiz Pty Ltd