
Question by Alok Gupta, Mar 31, 2018 12:52 AM

Is it possible to associate groups from multiple custom identity providers to a given document?

Hi,

I am building custom connectors to index identities (internal and external) and their groups from multiple identity providers in Coveo cloud V2. The internal and external identities are pulled from different sources and will be pushed by separate custom Push API based connectors. I created the following identity providers in the Coveo cloud V2 org and associated them with Push API sources:

security-provider-internal
security-provider-external 

The documents are fed into the Coveo index using a Push API based connector. Please note that a given document may be searchable by both internal and external groups. Therefore, in the Push API feed, I am looking for a way to pass the group's identity provider name. Is that possible?

I see that, from an extension's point of view, it is possible to pass the "securityProvider", but I don't see that in the Push API documentation for security providers. Anyway, I gave it a try and, as expected, it didn't work. The document shows the first identity provider (internal) for both the internal and external groups.

{
    "CompressedBinaryDataFileId": "833176fe-d696-4c7e-a695-56d4e4b2dbc0",
    "size": 25,
    "author": "Gupta, Alok",
    "clickableUri": "https://www.test.com/testdocument",
    "date": "2017-12-16",
    "FileExtension": ".txt",
    "id": "150cc214-06fd-41a4-9653-f3576bfe7ed7",
    "name": "value-add-document",
    "permissions": [
        {
            "allowedPermissions": [
                {
                    "identity": "internal",
                    "identityType": "Group",
                    "securityProvider": "security-provider-internal"
                },
                {
                    "identity": "external",
                    "identityType": "Group",
                    "securityProvider": "security-provider-external"
                }
            ],
            "allowAnonymous": false
        }
    ]
}

This is a legitimate scenario and I am looking for possible ways to address it with the Coveo cloud V2 platform. Is there a way we can address this with Coveo cloud V2?


/

Alok

2 Replies

Answer by Wim Nijmeijer, Apr 3, 2018 2:12 PM

Hi Alok,

You cannot use different security providers on one source. So in your case you could transform the internal and external groups by using:

"permissions": [
    {
        "allowedPermissions": [
            {
                "identity": "internal-GroupA",
                "identityType": "Group"
            },
            {
                "identity": "external-GroupB",
                "identityType": "Group"
            }
        ],
        "allowAnonymous": false
    }
]

Then when you provide the identities, you map them to the proper users, like:

{
  "identity": {
    "name": "internal-GroupA",
    "type": "GROUP"
  },
  "members": [
    {
      "name": "Domain Users",
      "type": "GROUP"
    },
    {
      "name": "dmoore",
      "type": "USER"
    }
  ]
}

Now you can map the users to the specific security providers of choice:

{
  "identity": {
    "name": "dmoore",
    "type": "USER"
  },
  "mappings": [
    {
      "name": "dmoore@example.com",
      "type": "USER",
      "provider": "Email Security Provider"
    },
    {
      "name": "dmoore",
      "type": "USER",
      "provider": "mycustomsecurityProvider"
    }
  ]
}


Comment by Alok Gupta, Apr 3, 2018 5:15 PM

Thanks @Wim Nijmeijer!

I'll push the security identities from both the Directories' connectors (AD and LDS/ADAM) to the same security provider in the Coveo org.

/

Alok


Answer by bcarroll, Apr 2, 2018 5:04 PM

Per the warning on this document, you cannot define security identities in item permission models. A particular source is going to be associated with a security provider, and ideally, any identities which are unique to that provider will be normalized to another provider, such as the email security provider, to make it easier to generate your search tokens when people land on your site.

When the identity is set up, it can be associated with groups--such as internal or external, per your use case--so when the search token is generated based on the established user identity, all queries which use that token carry with them that user's entitlements, including their membership in particular groups.

In your use case, a document may have a group entitlement for internal or external access, or both; the user whose token was generated with one provider or another, based on how you set things up, will then get access to that document if they're in the right group.

I mentioned normalization; if you've got a scenario where you can be sure that all of your identities are unique to users (e.g. email addresses), it's a great idea to map to that normalized provider so that you can use one mechanism to generate all of your search tokens.


Comment by Alok Gupta, Apr 2, 2018 8:55 PM

Thanks, Benjamin for your response!

I think the model you have suggested will work if we have a single custom security provider. However, in my case, the content source is associated with groups from 2 custom security providers -

1. ADAM/LDS directory for external users (security-provider-external)

2. Active Directory for internal users (security-provider-internal)

Both of the security providers have identities mapped to the Email Security provider. The source security configuration looks as below -

"securityProviders": {
    "security-provider-internal": {
        "name": "security-provider-ad",
        "typeName": "Expanded"
    },
    "security-provider-external": {
        "name": "security-provider-adam",
        "typeName": "Expanded"
    }
}

Let's assume there are 2 groups -

security-provider-internal -> GroupA

security-provider-external -> GroupB

and the document permissions are defined as below -

"permissions": [
    {
        "allowedPermissions": [
            {
                "identity": "GroupA",
                "identityType": "Group"
            },
            {
                "identity": "GroupB",
                "identityType": "Group"
            }
        ],
        "allowAnonymous": false
    }
]

When I checked the indexed document permissions in the Coveo cloud, it shows "security-provider-internal" as an identity provider for groups 'GroupA' and 'GroupB'.

The issue is if I generate a search token for a user who is a member of 'GroupB' from the Identity provider 'security-provider-external' (or using a mapped email identity), it won't be able to see the above document as Coveo has marked 'GroupB' as part of 'security-provider-internal' instead of 'security-provider-external'.

{
  "userIds": [
    {
      "name": "alok.gupta",
      "provider": "security-provider-external",
      "type": "User"
    }
  ]
}

Does Coveo support documents that have permissions from 2 or more custom security providers?

/

Alok
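Putting Wim's suggestion (directory-prefixed group names, group memberships pushed as security identities, users mapped to the e-mail provider) together with Benjamin's normalization advice, here is an added example that is not Coveo's code and not code from anyone in this thread. It builds the three payload shapes shown above for two constructed directories that must share one source security provider, and it shows the failure mode that makes the prefix necessary: a bare group name such as "Admins" that exists in both directories would let an external member see a document meant for internal admins. The provider name "Email Security Provider", the directory contents, the e-mail addresses and the can_access check are assumptions for illustration; the HTTP calls to the Push API are deliberately left out.

```python
"""Added example (not Coveo's code, not the original poster's): build Push API
permission and security-identity payloads for a source whose groups come from
two directories sharing a single security provider, and show why group names
must be qualified with their directory of origin.

Provider name, directory contents and e-mail addresses are constructed data.
"""
import json
from typing import Dict, List, Tuple

EMAIL_PROVIDER = "Email Security Provider"  # name as used in the thread (assumed)

# Constructed sample data: directory -> group -> member user names.
# "Admins" exists in both directories on purpose to show the name collision.
DIRECTORIES: Dict[str, Dict[str, List[str]]] = {
    "internal": {"GroupA": ["dmoore"], "Admins": ["alok.gupta"]},
    "external": {"GroupB": ["jdoe"], "Admins": ["partner1"]},
}
# Constructed user -> e-mail map used for normalization to the e-mail provider.
EMAILS: Dict[str, str] = {
    "dmoore": "dmoore@example.com", "alok.gupta": "alok.gupta@example.com",
    "jdoe": "jdoe@example.org", "partner1": "partner1@example.org",
}


def group_name(directory: str, group: str, qualify: bool = True) -> str:
    """Prefix the group with its directory so names cannot collide across directories."""
    return f"{directory}-{group}" if qualify else group


def colliding_groups(directories: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Group names present in more than one directory; these are unsafe unqualified."""
    seen: Dict[str, int] = {}
    for groups in directories.values():
        for g in groups:
            seen[g] = seen.get(g, 0) + 1
    return sorted(g for g, n in seen.items() if n > 1)


def build_permissions(grants: List[Tuple[str, str]], qualify: bool = True) -> dict:
    """Item permission model for one document; grants are (directory, group) pairs.
    There is no per-identity securityProvider: the source's single provider applies."""
    return {"permissions": [{
        "allowedPermissions": [
            {"identity": group_name(d, g, qualify), "identityType": "Group"}
            for d, g in grants
        ],
        "allowAnonymous": False,
    }]}


def build_group_identities(directories: Dict[str, Dict[str, List[str]]],
                           qualify: bool = True) -> List[dict]:
    """Security identity batch: one GROUP identity per directory group with USER members."""
    return [
        {"identity": {"name": group_name(d, g, qualify), "type": "GROUP"},
         "members": [{"name": u, "type": "USER"} for u in users]}
        for d, groups in directories.items() for g, users in groups.items()
    ]


def build_user_mappings(emails: Dict[str, str]) -> List[dict]:
    """Map each directory user to the e-mail provider so one token mechanism serves all."""
    return [
        {"identity": {"name": u, "type": "USER"},
         "mappings": [{"name": e, "type": "USER", "provider": EMAIL_PROVIDER}]}
        for u, e in emails.items()
    ]


def search_token_user(email: str) -> dict:
    """userIds body for a search token issued against the normalized e-mail identity."""
    return {"userIds": [{"name": email, "provider": EMAIL_PROVIDER, "type": "User"}]}


def can_access(user: str, document: dict, identities: List[dict]) -> bool:
    """Approximate the index-side check: the user sees the document if a GROUP identity
    listing them as a member appears in allowedPermissions. This models only the effect
    of a name collision, not Coveo's exact identity merge semantics (assumption)."""
    groups = {i["identity"]["name"] for i in identities
              if any(m == {"name": user, "type": "USER"} for m in i["members"])}
    return any(p["identity"] in groups
               for block in document["permissions"]
               for p in block["allowedPermissions"]
               if p["identityType"] == "Group")


if __name__ == "__main__":
    print("colliding group names:", colliding_groups(DIRECTORIES))
    doc = build_permissions([("internal", "Admins")], qualify=False)
    ids = build_group_identities(DIRECTORIES, qualify=False)
    print("unqualified: external partner1 sees internal admin doc:", can_access("partner1", doc, ids))
    doc = build_permissions([("internal", "Admins")])
    ids = build_group_identities(DIRECTORIES)
    print("qualified:   external partner1 sees internal admin doc:", can_access("partner1", doc, ids))
    print(json.dumps(search_token_user(EMAILS["jdoe"]), indent=2))
```

Run colliding_groups against the real directory exports before the first identity push: any name it returns would be merged under the one provider if pushed unqualified, which is exactly the cross-directory grant the prefix prevents.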
