You really have two choices:

1> index tokens with each doc of those (usually groups) that are authorized to see them. Then when a user signs on, the front end assembles the list of groups that the user belongs to and appends a filter query to each request like

&fq=auth:(group1 group5 group89)

This starts to break down if any particular user can belong to many hundreds of groups, although if you construct the fq clause _exactly_ the same way each time, requests 2-n will use the filterCache.

The other way this breaks down is if you have to grant individual user/doc rights.

The user changing groups isn't really a problem, since the fq clause you assemble will just change.

The big downside here is if the doc/group permissions change. Say group1 suddenly gets or loses permissions to docs 1, 4, 90, 108. You must then re-index (or use atomic updates) to update the auth tokens in each of those docs.

2> use a "post filter", see:
http://heliosearch.org/advanced-filter-caching-in-solr/

The advantage here is that the filter is run _only_ on docs that make it through the original query _and_ all more costly filters.

HTH,
Erick

On Tue, Mar 3, 2015 at 6:32 AM, <johnmu...@aol.com> wrote:
>
> Hi,
>
> I'm indexing data off a DB. The data is secured with access permission.
> That is record-A can be seen by users-x, while record-B can be seen by
> users-y and yet record-C can be seen by users x and y. Even more, the group
> access permission can change over time.
>
> The question I have is this: how to handle this in Solr? Is there anything I
> can do during index and / or search time? What's the best practice to handle
> access permission in search?
>
> Thanks!
>
> - MJ
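
An added example, not part of the original message and not Solr's own code, of the front-end side of option 1: it builds the `auth` filter from a user's groups in a canonical order so the string is identical on every request, escapes each token, and refuses to search when there are no groups. The function names and the sample group names are hypothetical.

```python
import re
from urllib.parse import urlencode

AUTH_FIELD = "auth"  # field name from the fq example in the message

# Metacharacters of Solr's standard query parser, plus whitespace.
_SPECIAL = re.compile(r'([\\+\-!():^\[\]"{}~*?|&;/\s])')


def escape_term(term):
    """Backslash-escape one group token so it cannot alter the filter's syntax."""
    return _SPECIAL.sub(r"\\\1", term)


def build_auth_fq(groups):
    """Build the fq value limiting results to docs readable by `groups`.

    Tokens are de-duplicated and sorted, so the same membership always gives a
    byte-identical string and later requests can hit the filterCache entry.
    Like the message's example, the clause relies on the default OR operator.
    """
    tokens = sorted({g.strip() for g in groups if g and g.strip()})
    if not tokens:
        # Fail closed: never send the search without an access filter.
        raise PermissionError("user has no groups; refusing to search unfiltered")
    return "%s:(%s)" % (AUTH_FIELD, " ".join(escape_term(t) for t in tokens))


def search_params(user_query, groups):
    """URL-encoded parameters for a /select request (handler path is assumed)."""
    return urlencode([("q", user_query), ("fq", build_auth_fq(groups))])


if __name__ == "__main__":
    # Constructed sample memberships, in two different orders.
    print(build_auth_fq(["group89", "group1", "group5"]))
    print(build_auth_fq(["group5", "group1", "group89", "group1"]))
    # A constructed group name containing query syntax stays a single literal token.
    print(build_auth_fq(["x) OR auth:(*"]))
    print(search_params("solr", ["group1", "group5", "group89"]))
```

The group list must come from the server-side session or directory lookup, never from a request parameter the client controls, otherwise the filter enforces nothing.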