Is it possible to implement user based security on Azure Search?
In Azure Search we can create multiple indexes for different search results, and we have two types of api-key. One is for administration and the other one is for querying. But with the same api-key users can search all indexes.

In my solution I need to design a system so that different users that use the system will get different results according to their privileges. I thought this could be solved with dedicated indexes for each role, but users can still query other indexes if they want to.

How can I be sure that every user is ONLY able to search a particular index?

Anagoge answered 4/8, 2015 at 7:20 Comment(0)

Out of the box it is not possible to restrict the key usage for a specific index. You would need to do something on your own.

Another possibility would be to create different search service accounts and then create indexes in them instead of having one account. You can then grant your users access to the appropriate search service account.

UPDATE

Based on your comments, you're actually looking to restrict search results (documents) by user's role i.e. going one level deeper than indexes. To achieve this, what you could do is dynamically append this role criteria to your search query as OData Filter. For example, let's say your index has boolean fields for each role type (Administrator, User etc. etc.) and the user searches for some keyword. Then what you could do is create an OData Filter $filter where you check for these conditions. So your search URL would look something like:

https://<search-service-name>.search.windows.net/indexes/<index-name>/docs?search=<search-string>&$filter=Administrator%20eq%20true

That way Search Service is doing all the filtering and you don't have to do anything in your code.

You can learn more about query options here: https://msdn.microsoft.com/en-us/library/azure/dn798927.aspx.

Emad answered 4/8, 2015 at 7:25 Comment(8)
I thought of creating a web service that will work between the client and Azure Search. It will take the search term from the customer and send it to Azure Search, adding the api-key to it. After getting the result, it will filter the result according to the role of the client and return the final result. This way the api-key will be hidden from the clients, so nobody will be able to search directly from the Azure Search service. How does it look? – Anagoge

That would work because your application is restricting access by only showing the index (or indexes) a user has access to. – Emad

Actually there will be only one index. The index will include a field named Roles which will include which roles will have access to a particular document. My web service will filter the documents according to the roles field. – Anagoge

Aah .... I see. Will each document contain the information (or names) of the "roles" that will have access to that document? – Emad

Yes, exactly. It may affect overall performance a little bit for big result sets though. – Anagoge

In that case, I think there's a better way of doing things instead of you filtering the results :) Let me update my answer in a little bit. – Emad

Updated my answer. HTH. – Emad

I may be missing something here but in your updated solution wouldn't anybody be able to append &administrator=true to any url and get data they're not supposed to? – Macaluso
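
The concern in the last comment is addressed when the `$filter` is built by the middle-tier web service from the comments, not by the client. The following is an added example, not code from the answer or from Azure: a Python sketch of that service's request builder, assuming one boolean index field per role as in the answer. The role-to-field map, service name, key and `api_version` value are hypothetical placeholders.

```python
from urllib.parse import urlencode, quote

# Assumed index schema: one boolean field per role, as in the answer above.
# Hypothetical map from application role name to index field name.
ROLE_FIELDS = {"admin": "Administrator", "user": "User"}


class AccessDenied(Exception):
    """Raised when the authenticated user has no role that maps to the index."""


def build_role_filter(session_roles):
    """Build the OData $filter from roles held in the server-side session only."""
    fields = sorted({ROLE_FIELDS[r] for r in session_roles if r in ROLE_FIELDS})
    if not fields:
        # Fail closed: no known role means no query is sent at all.
        raise AccessDenied("user has no role that grants search access")
    return " or ".join(f"{field} eq true" for field in fields)


def build_search_request(service, index, query_api_key, session_roles,
                         client_params, api_version):
    """Return (url, headers) for the request the web service sends upstream.

    client_params is the untrusted query string from the browser. Only the
    search text is copied from it; a client-supplied $filter or role
    parameter is never forwarded.
    """
    params = {
        "api-version": api_version,
        "search": str(client_params.get("search", "*")),
        "$filter": build_role_filter(session_roles),
    }
    url = (f"https://{service}.search.windows.net/indexes/"
           f"{quote(index, safe='')}/docs?" + urlencode(params, quote_via=quote))
    # The api-key is attached here, on the server, and never reaches the client.
    return url, {"api-key": query_api_key}
```

The roles passed as `session_roles` must come from the service's own authentication state, and the search endpoint should not be reachable with a key the client holds.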
