
Translucent document level security

Introduction

Translucent DLS (document level security) provides a document security model that promotes discovery of documents. Unlike pure document level security, which provides a tight security model, translucent DLS allows users to discover documents that relate to their query but that they are not permitted to see. Because translucent DLS reveals some information, it should only be used when all authorised users are trusted.

Setup

Translucent DLS can only be enabled on collections which have DLS. To enable translucent DLS, set the following in the query processor options:

-translucent_DLS=on

Once enabled, documents that match the user's query but cannot be viewed by the user are, by default, returned in the results in the usual ranking order with all revealing information removed. This includes not showing the document title, query biased summary and document links.

Translucent metadata

Typically, when translucent DLS is used, the search user needs a way of requesting access to a document they cannot see. To achieve this, metadata fields can be marked as translucent in the query processor options. For example, to reveal the owner metadata of the document, set:

-translucent_DLS_fields=[owner]

Displaying translucent metadata

If -SF=[owner,author] and -SM=both are both set, and owner is marked as translucent as in the example above, then for documents which the user cannot see only the owner metadata is shown. For documents the user can see, both the author and owner metadata are shown.

Collapsing with translucent DLS

Collapsing can be used when translucent DLS is activated. Documents which the user cannot see can only be collapsed if the collapsing signature contains only fields set in -translucent_DLS_fields=. If the signature contains other fields, including special fields such as $, then only documents which the user can see will be collapsed.

Result metadata counts

Result metadata counts (-rmcf), often used for facets, work when translucent DLS is activated. Documents which are not visible do not have their metadata counted, so counts include only documents the user can see. In future releases this behaviour is expected to change so that, for non-visible documents, the metadata fields in the intersection of -rmcf and -translucent_DLS_fields are counted.
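
The display, collapsing and count rules above can be checked against a small model when reviewing which fields a translucent configuration will reveal. The following is an added example, not Funnelback code: the function names, the dictionary layout, the use of None for withheld values and the sample documents are all assumptions made for illustration.

```python
from collections import Counter

def parse_fields(value):
    """Parse a bracketed option value such as '[owner,author]' into a set."""
    return {f.strip() for f in value.strip().strip("[]").split(",") if f.strip()}

def render_result(doc, visible, sf, translucent):
    """Model of what the result list exposes for one matching document."""
    # Non-visible documents reveal only fields that are both requested (-SF)
    # and marked translucent (-translucent_DLS_fields).
    allowed = sf if visible else sf & translucent
    shown = {k: v for k, v in doc["metadata"].items() if k in allowed}
    if visible:
        return {"title": doc["title"], "summary": doc["summary"],
                "url": doc["url"], "metadata": shown}
    # Title, summary and link are withheld (None is this model's placeholder).
    return {"title": None, "summary": None, "url": None, "metadata": shown}

def can_collapse(visible, signature_fields, translucent):
    """A non-visible document collapses only on an all-translucent signature."""
    return visible or set(signature_fields) <= translucent

def metadata_counts(results, rmcf):
    """Count -rmcf field values over visible documents only."""
    counts = Counter()
    for doc, visible in results:
        if visible:
            for field in rmcf & set(doc["metadata"]):
                counts[(field, doc["metadata"][field])] += 1
    return counts

# Constructed sample documents; every value here is made up.
DOCS = [
    ({"title": "Budget 2024", "summary": "Quarterly figures",
      "url": "https://intranet.example/budget",
      "metadata": {"owner": "finance", "author": "alice"}}, True),
    ({"title": "Merger plan", "summary": "Draft terms",
      "url": "https://intranet.example/merger",
      "metadata": {"owner": "legal", "author": "bob"}}, False),
]
SF = parse_fields("[owner,author]")        # -SF=[owner,author]
TRANSLUCENT = parse_fields("[owner]")      # -translucent_DLS_fields=[owner]

if __name__ == "__main__":
    for doc, visible in DOCS:
        print(render_result(doc, visible, SF, TRANSLUCENT))
    print(metadata_counts(DOCS, parse_fields("[owner]")))
```

Running the model with a proposed -translucent_DLS_fields value shows exactly which metadata an unauthorised searcher would receive, which is the list to review before enabling the option.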

v15.24.0