Option #2 is far better.
I found this: https://wiki.apache.org/solr/SolrSecurity#Document_Level_Security but this solution requires that I use Manifold CF which I cannot. Does anyone know how Manifold does it and can it be adapted to Solr?

Another idea I'm wondering about is what if I create two cores, one core holds the indexed docs, while the other core holds doc-id + user-ids to which they have access to docs. Then I can do a join between those two cores? I have not given this enough thinking to know if it will work. If it does, will ranking be impacted (the fact that I'm now searching across two cores)?

- MJ

-----Original Message-----
From: Erick Erickson <erickerick...@gmail.com>
To: solr-user <solr-user@lucene.apache.org>
Sent: Tue, Mar 3, 2015 6:46 pm
Subject: Re: Access permission

You really have two choices:

1> index tokens with each doc of those (usually groups) that are authorized to see them. Then when a user signs on, the front end assembles the list of groups that the user belongs to and appends a filter query to each request like

&fq=auth:(group1 group5 group89)

This starts to break down if any particular user can belong to many hundreds of groups, although if you construct the fq clause _exactly_ the same way each time, requests 2-n will use the filterCache. The other way this breaks down is if you have to grant individual user/doc rights.

The user changing groups isn't really a problem, since the fq clause you assemble will just change.

The big downside here is if the doc/group permissions change. Say group1 suddenly gets or loses permissions to docs 1, 4, 90, 108. You must then re-index (or use atomic updates) to update the auth tokens in each of those docs.

2> use a "post filter", see: http://heliosearch.org/advanced-filter-caching-in-solr/. The advantage here is that the filter is run _only_ on docs that make it through the original query _and_ all more costly filters.

HTH,
Erick

On Tue, Mar 3, 2015 at 6:32 AM, <johnmu...@aol.com> wrote:
> Hi,
>
> I'm indexing data off a DB. The data is secured with access permission. That is record-A can be seen by users-x, while record-B can be seen by users-y and yet record-C can be seen by users x and y. Even more, the group access permission can change over time.
>
> The question I have is this: how to handle this in Solr? Is there anything I can do during index and / or search time? What's the best practice to handle access permission in search?
>
> Thanks!
>
> - MJ
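
An added example, not code from the thread or its participants, of the front-end step in option 1>: building the `fq=auth:(...)` clause so that it is byte-identical for the same set of groups (which is what lets the filterCache reuse it) and so that a group name cannot change the meaning of the filter. The function names are hypothetical, the `auth` field is the one used in the thread, and the clause assumes the default query operator is OR.

```python
import re
from urllib.parse import urlencode

# Group names that can appear bare, as in auth:(group1 group5 group89).
_BARE = re.compile(r"[A-Za-z0-9_.]+")
_RESERVED = {"AND", "OR", "NOT"}  # query-parser operators, never emitted bare


def _term(name):
    """Render one group name as a single term that cannot break out of the clause."""
    if _BARE.fullmatch(name) and name not in _RESERVED:
        return name
    # Everything else is quoted; inside quotes only \ and " need escaping.
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_auth_fq(groups, field="auth"):
    """Return the same fq string for the same set of groups, whatever their order."""
    # De-duplicate and sort so the string is stable across requests.
    names = sorted({g.strip() for g in groups if g and g.strip()})
    if not names:
        # Fail closed: a user with no groups gets a filter that matches no documents.
        return "-*:*"
    return f"{field}:({' '.join(_term(n) for n in names)})"


def search_params(user_query, groups):
    """URL-encode q and the authorization fq; the fq is always appended server-side."""
    return urlencode([("q", user_query), ("fq", build_auth_fq(groups))])


if __name__ == "__main__":
    # Constructed sample input: group lists as a front end might receive them.
    print(build_auth_fq(["group89", "group1", "group5", "group1"]))
    print(build_auth_fq(["x) OR *:* ("]))
    print(search_params("report", ["group5", "group1", "group89"]))
```

The group list should come from the authenticated session on the server, never from a request parameter the client controls.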