Difference between revisions of "Knowledge:Access manager"
(→Difference between "simple" and "recursive") |
(→Difference between "simple" and "recursive") |
||
Line 17: | Line 17: | ||
* [[File:Folder.png]] okm:root | * [[File:Folder.png]] okm:root | ||
** [[File:Folder.png]] level-1a | ** [[File:Folder.png]] level-1a | ||
− | *** [[File:Folder.png]] level-2a | + | *** [[File:Folder.png]] ''level-2a'' |
− | **** [[File:Folder.png]]level-3a | + | **** [[File:Folder.png]] ''level-3a'' |
− | ***** [[File:Document.png]] alpha.doc | + | ***** [[File:Document.png]] ''alpha.doc'' |
− | ***** [[File:Document.png]] beta.doc | + | ***** [[File:Document.png]] ''beta.doc'' |
− | ***** [[File:Document.png]] gamma.doc | + | ***** [[File:Document.png]] ''gamma.doc'' |
**** [[File:Folder.png]] level-3b | **** [[File:Folder.png]] level-3b | ||
** [[File:Folder.png]] level-1b | ** [[File:Folder.png]] level-1b | ||
** [[File:Folder.png]] level-1c | ** [[File:Folder.png]] level-1c | ||
− | When using ''' | + | '''When using ''simple''''' if you revoke permission from ''level-2a'' folder and user is viewing ''level-3a'' folder, OpenKM still be showing the documents to this user. When user search, OpenKM will return these document as search results. User can't access the documents because when OpenKM try to access the document, it will open every path location and will fail to open ''level-2a'' because the user has no grants. You need to apply revoke recursively to prevent the user to access these document, so they won't be shown in the search results. |
− | When using ''' | + | '''When using ''recursive''''' if you revoke permission from ''level-2a'' folder and user is viewing ''level-3a'' folder, OpenKM will five an error because Access Manager also evaluates the permission of the ''level-2a'' ancestor node. When user search, OpenKM won't show these documents in the search results. |
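Review bot: The added "recursive" paragraph contains a typo, "OpenKM will five an error", which should read "will give an error". The added "simple" paragraph also needs grammar fixes before it is saved: "OpenKM still be showing" should be "OpenKM will still show", "these document" should be "these documents" (it appears twice), and "when OpenKM try" should be "when OpenKM tries". The italics on level-2a through gamma.doc are consistent with the names the two paragraphs refer to. It would help to say in the text that level-3b is left plain because it is not part of the scenario.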
Revision as of 10:49, 6 October 2012
By default OpenKM 6 is configured this way:
security.access.manager = simple
security.search.evaluation = lucene

This provides great performance because only a single node is evaluated. If you want every parent to be evaluated as well, you can change this behavior with these settings:

security.access.manager = recursive
security.search.evaluation = [ am_more | am_window | am_limited ]

This will reduce OpenKM performance (at least in search) but will match customer requirements.
Difference between "simple" and "recursive"
Given this repository structure:

* okm:root
** level-1a
*** level-2a
**** level-3a
***** alpha.doc
***** beta.doc
***** gamma.doc
**** level-3b
** level-1b
** level-1c

When using "simple", if you revoke permission from the level-2a folder while a user is viewing the level-3a folder, OpenKM will still show the documents to this user. When the user searches, OpenKM will return these documents as search results. The user can't access the documents, because when OpenKM tries to access a document it opens every location on the path and fails to open level-2a, where the user has no grants. You need to apply the revoke recursively to prevent the user from accessing these documents, so that they won't be shown in the search results.

When using "recursive", if you revoke permission from the level-2a folder while a user is viewing the level-3a folder, OpenKM will give an error, because Access Manager also evaluates the permission of the level-2a ancestor node. When the user searches, OpenKM won't show these documents in the search results.
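
The difference described above, as an added Python model (it is not OpenKM code and not part of the original page). The user "alice", the per-node grant table and all function names are constructed for illustration. It shows the search results under each setting and an audit for documents left visible by a non-recursive revoke.

```python
# Added model of the page's tree; user "alice" and all names are constructed.
ROOT = "/okm:root"
L2A = ROOT + "/level-1a/level-2a"
L3A = L2A + "/level-3a"
DOCS = [f"{L3A}/{name}.doc" for name in ("alpha", "beta", "gamma")]
NODES = [ROOT, ROOT + "/level-1a", L2A, L3A, *DOCS,
         L2A + "/level-3b", ROOT + "/level-1b", ROOT + "/level-1c"]

# Read grants stored per node; alice starts with read on everything.
GRANTS = {path: {"alice"} for path in NODES}
GRANTS[L2A].discard("alice")  # revoke on level-2a only, not on its children


def chain(path):
    """Return the node and all of its ancestors, root first."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def can_read(user, path, manager):
    """Evaluate read access the way each access manager setting is described."""
    if manager == "simple":       # only the node itself is checked
        return user in GRANTS[path]
    if manager == "recursive":    # the node and every ancestor are checked
        return all(user in GRANTS[p] for p in chain(path))
    raise ValueError(f"unknown access manager: {manager}")


def search(user, manager):
    """Documents a search would return to the user under the given manager."""
    return sorted(p for p in DOCS if can_read(user, p, manager))


def stale_hits(user):
    """Audit: hits shown under 'simple' whose path the user cannot traverse."""
    return [p for p in search(user, "simple")
            if not can_read(user, p, "recursive")]


def revoke_recursive(user, path):
    """Remove the user's grant from the node and every descendant."""
    for p in GRANTS:
        if p == path or p.startswith(path + "/"):
            GRANTS[p].discard(user)


if __name__ == "__main__":
    print("simple search:   ", search("alice", "simple"))
    print("recursive search:", search("alice", "recursive"))
    print("stale hits:      ", stale_hits("alice"))
```

Running `stale_hits` for each user after a permission change lists the documents whose names still appear in listings and search under "simple" until the revoke is applied recursively.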