Enterprise Search Security Model

SharePoint 2007

This topic provides an overview, from a developer perspective, of the following elements of the Enterprise Search security model in Microsoft Office SharePoint Server 2007:

  • Content crawling

  • Security trimming

  • Search administration

Content Crawling

During the content crawling process, the protocol handler for a content source extracts the security information for a content item and stores it in the content index. The extracted information is a self-relative Windows-based security descriptor. For more information, see Security Descriptors and Absolute and Self-Relative Security Descriptors.

If you implement a protocol handler for a custom content source, you emit this information in the GetSecurityDescriptor method of the IUrlAccessor interface.

Security Trimming

By default, Enterprise Search results are trimmed at query time, based on the identity of the user who submitted the query. When results are returned for a user's search, the Query engine performs an access check for the user's identity against the security descriptor stored in the content index for each item in the search results. The Query engine then removes any items in the search results that the user does not have access to, so that the user never sees these results.

The Query engine caches access check results for each unique security descriptor.
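
The following is an added example, not code from SharePoint or from the original page: a simplified model of query-time trimming with one cached verdict per unique descriptor. It assumes a constructed stand-in for the Windows security descriptor (an ordered list of allow/deny entries for a single "read" right), placeholder SIDs and URLs, and a cache scoped to one user's query; the names `access_check` and `Trimmer` are hypothetical.

```python
# Simplified model of query-time security trimming (added example, not SharePoint code).
# A descriptor here is a constructed stand-in for a Windows security descriptor:
# an ordered tuple of (ace_type, sid) entries, evaluated in order like a DACL.
from typing import Dict, FrozenSet, List, Tuple

Ace = Tuple[str, str]            # ("allow" | "deny", sid)
Descriptor = Tuple[Ace, ...]     # hashable, so it can key the cache


def access_check(user_sids: FrozenSet[str], descriptor: Descriptor) -> bool:
    """First ACE matching one of the user's SIDs decides; no match fails closed."""
    for ace_type, sid in descriptor:
        if sid in user_sids:
            return ace_type == "allow"
    return False


class Trimmer:
    """Trims one user's result set, caching one verdict per unique descriptor."""

    def __init__(self, user_sids: FrozenSet[str]):
        self.user_sids = user_sids
        self.cache: Dict[Descriptor, bool] = {}
        self.checks_run = 0   # counts real access checks, to show the cache effect

    def allowed(self, descriptor: Descriptor) -> bool:
        if descriptor not in self.cache:
            self.checks_run += 1
            self.cache[descriptor] = access_check(self.user_sids, descriptor)
        return self.cache[descriptor]

    def trim(self, results: List[Tuple[str, Descriptor]]) -> List[str]:
        return [url for url, sd in results if self.allowed(sd)]


# Constructed sample data: SIDs and URLs are placeholders, not real values.
FINANCE = (("deny", "S-CONTRACTORS"), ("allow", "S-FINANCE"))
PUBLIC = (("allow", "S-EVERYONE"),)
HR_ONLY = (("allow", "S-HR"),)
RESULTS = [
    ("http://example.test/finance/q1.xlsx", FINANCE),
    ("http://example.test/home.aspx", PUBLIC),
    ("http://example.test/finance/q2.xlsx", FINANCE),
    ("http://example.test/hr/reviews.docx", HR_ONLY),
]

if __name__ == "__main__":
    alice = Trimmer(frozenset({"S-ALICE", "S-FINANCE", "S-EVERYONE"}))
    print(alice.trim(RESULTS), alice.checks_run)
```

In this model, four results sharing three distinct descriptors cost three access checks, and an item with no entry matching the user is trimmed rather than shown.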

Using the Query Web Service

When you execute a search query by using the Enterprise Search Query Web service, search results are trimmed based on credentials you pass in the call to the Web service.

If you accessed the Query Web service by adding a Web reference to your project in Microsoft Visual Studio, you specify these credentials in the Credentials property of the WebClientProtocol class.

For more information, see Enterprise Search Query Web Service Overview.

Custom Security Trimming

Enterprise Search enables you to implement a custom security trimmer to perform custom trimming of search results. Security trimming from custom security trimmers is also applied at query time to search results.

For more information, see Custom Security Trimming for Enterprise Search Results Overview. For an example of a custom security trimmer implementation, see Walkthrough: Using a Custom Security Trimmer for Search Results.

Business Data Catalog

Office SharePoint Server 2007 provides a security trimmer for the Business Data Catalog. For more information, see Business Data Catalog Security Trimmer. For a sample, see AccessChecker Samples.

Search Administration

Custom applications using the new Microsoft.Office.Server.Search.Administration object model to administer Enterprise Search must run as an account with sufficient permissions to perform the administrative task.

For Shared Services Provider (SSP)-level tasks, the custom application must run as an SSP Administrator. SSP-level tasks include administration of the following:

  • Content sources

  • Crawl schedules

  • Crawl rules

  • Crawl log

  • Metadata property schema

  • Global scopes

  • Relevance settings

For site-level tasks, the custom application must run as a site or site-collection Administrator. Site-level tasks include administration of the following:

  • Keywords

  • Best bets

  • Site-level scopes

For more information, see Getting Started with the Enterprise Search Administration Object Model.
