How does dtSearch Web handle security?

Article: dts0127     

Applies to: dtSearch Web

Limiting access to documents

dtSearch Web does not alter Windows security settings and only provides access to documents when the user seeking access has the necessary permissions. To secure a site, or to make a site open to the public, use Explorer and Internet Information Services (IIS) Manager to set the permissions you want. dtSearch Web will recognize those permissions automatically. There is no need to rebuild your indexes after changing security settings.

If a user has access to an index, but not to the documents, dtSearch will let the user search the index but will not enable the user to open documents from the search results list.  Therefore, it is preferable to make the security settings on each index match the security settings on the documents.  This is especially important if an index is created with caching of documents or text enabled, because when documents are cached in the index they are accessible to anyone who can access the index, regardless of the security settings on the original documents.  For more information on caching of documents, see: https://support.dtsearch.com/webhelp/dtsearch/Caching.htm

Multiple collections with different security settings

A common way to handle groups of documents with different security settings is to set up a different index for each group of documents, and to give each index the same security rights as the documents that it covers. This way only users who have access to the documents will be able to search the index.

Implementing complex security categories

The dtSearch Engine's developer API has a SearchFilter object that can be used to implement more complex security schemes, such as access rights stored in a database that specify the users who can access each document.  A SearchFilter object specifies, for one or more indexes, which documents can be returned in a search.  SearchFilter objects can be constructed from query results or directly from document ids, and can be saved to disk and read from disk.  

To use SearchFilters to implement security, an application would first create a series of SearchFilters, one for each security category, based on information in the database (or other repository) that specifies security rights.  When a user submits a query, the application would select the SearchFilter that corresponds to the user's security category and attach it to the search.  When the search executes, it will only return documents that the SearchFilter permits.  

For more information on SearchFilter objects, see the dtSearch Engine help file, dtSearchApiRef.chm, and this article: "Implementing Document Classification".
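
The scheme described above, modeled in plain Python as an added example; this is not dtSearch code and does not call the dtSearch Engine API. The rights table layout, the category and index names, and every function name are assumptions made for illustration, and sets of document ids stand in for SearchFilter objects.

```python
import json
import sqlite3

# Constructed sample rights table: (security category, index, document id).
# Document ids are per index, so id 1 in "hr" and id 1 in "finance" are different files.
ACL_ROWS = [
    ("hr_staff", "hr", 1), ("hr_staff", "hr", 2), ("hr_staff", "shared", 10),
    ("fin_staff", "finance", 1), ("fin_staff", "shared", 10), ("fin_staff", "shared", 11),
]

def load_acl(rows):
    """Stand-in for the rights database the article mentions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE acl (category TEXT, idx TEXT, doc_id INTEGER)")
    db.executemany("INSERT INTO acl VALUES (?, ?, ?)", rows)
    return db

def build_filters(db):
    """Build one filter per category: {category: {index: set of permitted doc ids}}."""
    filters = {}
    for category, idx, doc_id in db.execute("SELECT category, idx, doc_id FROM acl"):
        filters.setdefault(category, {}).setdefault(idx, set()).add(doc_id)
    return filters

def save_filters(filters, path):
    """Persist the filters so they are not rebuilt on every query."""
    data = {c: {i: sorted(ids) for i, ids in per.items()} for c, per in filters.items()}
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(data, fh)

def read_filters(path):
    """Read filters written by save_filters back into sets."""
    with open(path, encoding="utf-8") as fh:
        raw = json.load(fh)
    return {c: {i: set(ids) for i, ids in per.items()} for c, per in raw.items()}

def filtered_search(raw_hits, category, filters):
    """Return only the hits that the category's filter permits.

    Fails closed: an unknown category, or an index the filter does not
    cover, yields no results rather than unfiltered ones.
    """
    allowed = filters.get(category, {})
    return [(idx, doc_id) for idx, doc_id in raw_hits if doc_id in allowed.get(idx, ())]

# Constructed hits, as if an unfiltered query had matched these documents.
RAW_HITS = [("hr", 1), ("finance", 1), ("shared", 10), ("shared", 11)]
```

Filters saved to disk reflect the rights table at the time they were built, so they need rebuilding whenever the rights change.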

Documents on multiple servers

It is much easier to work with security settings if the indexes, documents, and dtSearch Web are all on the same IIS server. Otherwise, a security issue known as "delegation" makes limiting access to the documents much more difficult. Because of the difficulty involved in dealing with delegation, it is recommended that documents, indexes, and dtSearch Web all be kept on the same server, even if this means keeping an extra copy of the documents. For more information on resolving delegation issues, please see: "dtSearch Web document access problems"

Virtual directories

Documents on an internet site are usually placed in virtual directories. These are folders that have been designated as part of your site and that have been given an "alias" such as /Docs. dtSearch Web will only display documents that are located in a virtual directory, and will display an error message if a user tries to access documents located in other folders. The purpose of this is to provide an additional layer of protection against unauthorized access to documents.

There is an option to override this setting in the Document Display Options tab of the dtSearch Web Setup dialog box, but this option is not recommended, because of the risk that documents could be inadvertently made available on the web through dtSearch Web. In nearly all cases, you can create a virtual directory for the documents, which is a much safer way to make them available.