Re: Matching all terms in a multiValued field

[Erick Erickson]

If the permissions are hierarchical, i.e. anyone who can see
paid_source and see confidential you could just index the
minimum-required clearance with the doc (think numeric codes here) and
form your fq as auth:[max_level_for_user TO *]. I admit I've rarely
seen security models that are that simple.

You can form a rather complex fq clause like
fq=auth:(confidential NOT (paid_source OR other_levels_bob_can't_see)]

On the plus side, that fq clause can be cached in the filterCache and re-used.
Hint: If you do this, be absolutely sure you form the filter clause exactly the
same way each time to insure it is re-used. I.e. even though this
is logically equivalent it wouldn't re-use the filterCache entry

fq=auth:(confidential NOT (other_levels_bob_can't_see OR paid_source)]

You could also write a "post filter", they were originally written
exactly to handle
ACLs, see: http://yonik.com/advanced-filter-caching-in-solr/
and
https://lucidworks.com/blog/2012/02/22/custom-security-filtering-in-solr/

Best,
Erick

On Fri, Jul 1, 2016 at 3:48 AM, Ellis, Tom (Financial Markets IT)
 wrote:
> Hi There,
>
> I'm trying to create search component for some document level security. A 
> user will have a number of tags assigned to them, and these will be passed to 
> the search component which will add a filter to whatever the user's original 
> query was. Documents will be written with some or all of the users tags, and 
> the query must only return documents that have a set of tags that are 
> included in the users tags.
>
> E.g. Alice is authorised to see 'confidential' and 'paid_source'
>
> Bob is only authorised to see 'confidential'
>
> Document 1 has tags confidential and paid_source - Alice should be able to 
> see this document, but Bob should not.
>
> So if I am creating a query for Bob, how can I write it so that he can't see 
> Document 1? I.e. how do I create a query that checks the multiValued field 
> for 'confidential' but excludes documents that have anything else?
>
> Cheers,
>
> Tom Ellis
> Consultant Developer - Excelian
> Data Lake | Financial Markets IT
> LLOYDS BANK COMMERCIAL BANKING
> 
>
> E: tom.el...@lloydsbanking.com
> Website: www.lloydsbankcommercial.com
> , , ,
> Reduce printing. Lloyds Banking Group is helping to build the low carbon 
> economy.
> Corporate Responsibility Report: 
> www.lloydsbankinggroup-cr.com/downloads
>
>
>
> Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. 
> Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank 
> plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in 
> England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. 
> Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. 
> SC327000. Telephone: 03457 801 801. Cheltenham & Gloucester plc. Registered 
> Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 
> 2299428. Telephone: 0345 603 1637
>
> Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential 
> Regulation Authority and regulated by the Financial Conduct Authority and 
> Prudential Regulation Authority.
>
> Cheltenham & Gloucester plc is authorised and regulated by the Financial 
> Conduct Authority.
>
> Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester 
> Savings is a division of Lloyds Bank plc.
>
> HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in 
> Scotland no. SC218813.
>
> This e-mail (including any attachments) is private and confidential and may 
> contain privileged material. If you have received this e-mail in error, 
> please notify the sender and delete it (including any attachments) 
> immediately. You must not copy, distribute, disclose or use any of the 
> information in it or any attachments. Telephone calls may be monitored or 
> recorded.

Matching all terms in a multiValued field

[Ellis, Tom (Financial Markets IT)]

Hi There,

I'm trying to create search component for some document level security. A user 
will have a number of tags assigned to them, and these will be passed to the 
search component which will add a filter to whatever the user's original query 
was. Documents will be written with some or all of the users tags, and the 
query must only return documents that have a set of tags that are included in 
the users tags.

E.g. Alice is authorised to see 'confidential' and 'paid_source'

Bob is only authorised to see 'confidential'

Document 1 has tags confidential and paid_source - Alice should be able to see 
this document, but Bob should not.

So if I am creating a query for Bob, how can I write it so that he can't see 
Document 1? I.e. how do I create a query that checks the multiValued field for 
'confidential' but excludes documents that have anything else?

Cheers,

Tom Ellis
Consultant Developer - Excelian
Data Lake | Financial Markets IT
LLOYDS BANK COMMERCIAL BANKING


E: tom.el...@lloydsbanking.com
Website: www.lloydsbankcommercial.com
, , ,
Reduce printing. Lloyds Banking Group is helping to build the low carbon 
economy.
Corporate Responsibility Report: 
www.lloydsbankinggroup-cr.com/downloads



Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. 
Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. 
Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England 
and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered 
Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. 
Telephone: 03457 801 801. Cheltenham & Gloucester plc. Registered Office: 
Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 2299428. 
Telephone: 0345 603 1637

Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential 
Regulation Authority and regulated by the Financial Conduct Authority and 
Prudential Regulation Authority.

Cheltenham & Gloucester plc is authorised and regulated by the Financial 
Conduct Authority.

Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings 
is a division of Lloyds Bank plc.

HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in 
Scotland no. SC218813.

This e-mail (including any attachments) is private and confidential and may 
contain privileged material. If you have received this e-mail in error, please 
notify the sender and delete it (including any attachments) immediately. You 
must not copy, distribute, disclose or use any of the information in it or any 
attachments. Telephone calls may be monitored or recorded.