If the permissions are hierarchical, i.e. anyone who can see paid_source and see confidential you could just index the minimum-required clearance with the doc (think numeric codes here) and form your fq as auth:[max_level_for_user TO *]. I admit I've rarely seen security models that are that simple.
You can form a rather complex fq clause like fq=auth:(confidential NOT (paid_source OR other_levels_bob_can't_see)] On the plus side, that fq clause can be cached in the filterCache and re-used. Hint: If you do this, be absolutely sure you form the filter clause exactly the same way each time to insure it is re-used. I.e. even though this is logically equivalent it wouldn't re-use the filterCache entry fq=auth:(confidential NOT (other_levels_bob_can't_see OR paid_source)] You could also write a "post filter", they were originally written exactly to handle ACLs, see: http://yonik.com/advanced-filter-caching-in-solr/ and https://lucidworks.com/blog/2012/02/22/custom-security-filtering-in-solr/ Best, Erick On Fri, Jul 1, 2016 at 3:48 AM, Ellis, Tom (Financial Markets IT) <tom.el...@lloydsbanking.com.invalid> wrote: > Hi There, > > I'm trying to create search component for some document level security. A > user will have a number of tags assigned to them, and these will be passed to > the search component which will add a filter to whatever the user's original > query was. Documents will be written with some or all of the users tags, and > the query must only return documents that have a set of tags that are > included in the users tags. > > E.g. Alice is authorised to see 'confidential' and 'paid_source' > > Bob is only authorised to see 'confidential' > > Document 1 has tags confidential and paid_source - Alice should be able to > see this document, but Bob should not. > > So if I am creating a query for Bob, how can I write it so that he can't see > Document 1? I.e. how do I create a query that checks the multiValued field > for 'confidential' but excludes documents that have anything else? > > Cheers, > > Tom Ellis > Consultant Developer - Excelian > Data Lake | Financial Markets IT > LLOYDS BANK COMMERCIAL BANKING > ________________________________ > > E: tom.el...@lloydsbanking.com<mailto:tom.el...@lloydsbanking.com> > Website: www.lloydsbankcommercial.com<http://www.lloydsbankcommercial.com/> > , , , > Reduce printing. Lloyds Banking Group is helping to build the low carbon > economy. > Corporate Responsibility Report: > www.lloydsbankinggroup-cr.com/downloads<http://www.lloydsbankinggroup-cr.com/downloads> > > > > Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. > Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank > plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in > England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. > Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. > SC327000. Telephone: 03457 801 801. Cheltenham & Gloucester plc. Registered > Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales > 2299428. Telephone: 0345 603 1637 > > Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential > Regulation Authority and regulated by the Financial Conduct Authority and > Prudential Regulation Authority. > > Cheltenham & Gloucester plc is authorised and regulated by the Financial > Conduct Authority. > > Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester > Savings is a division of Lloyds Bank plc. > > HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in > Scotland no. SC218813. > > This e-mail (including any attachments) is private and confidential and may > contain privileged material. If you have received this e-mail in error, > please notify the sender and delete it (including any attachments) > immediately. You must not copy, distribute, disclose or use any of the > information in it or any attachments. Telephone calls may be monitored or > recorded.
