The Graph Security Trimming stage restricts query results according to the user ID, as an alternative to the Security Trimming stage. Whereas the Security Trimming stage adds one Solr filter query per data source, Graph Security Trimming uses a single filter query for all data sources.

Stage setup

When using this stage with the SharePoint Optimized V2 or LDAP ACLs V2 connectors, configure the following settings:
  Field           Value
  User ID source  query_param or header
  User ID key     The key (parameter or header name) that contains the user ID
You can configure the SharePoint Optimized V2 connector to use security trimming so that query results are filtered based on the roles and permissions assigned to the user. To configure security trimming, set up and run a SharePoint Optimized V2 datasource, an LDAP ACLs V2 datasource, and a Graph Security Trimming query stage in the same app and collection. When a crawl runs, the SharePoint Optimized V2 and LDAP ACLs V2 datasources must index the content documents and ACL documents into the same collection:
  • ACL documents: users, groups, and their role assignments.
  • Content documents: the SharePoint objects with metadata and content (sites, lists, items). Each content document has a _lw_acl_ss field that determines who can see the document when searching.

Set up the SharePoint datasource

  1. Navigate to Indexing > Datasources.
  2. Install the datasource connector if not already installed.
  3. Click Add and select SharePoint Optimized V2.
  4. Fill in all required fields.
  5. Configure only one authentication method. Enable NTLM Authentication Settings or SharePoint Online Authentication and configure the fields as explained below.

NTLM Authentication

This method connects to SharePoint on-premises server instances, such as SharePoint Server 2013, 2016, and 2019. When using this authentication method, the connector indexes contentDocuments and the following aclDocuments: sharepointGroups, siteAdmins, roleDefinition, and roleAssignment. To use this authentication method, in your SharePoint Optimized V2 datasource, select the NTLM Authentication Settings checkbox and configure the following fields:
  • User
  • Password
  • Domain
  • Workstation

SharePoint Online Authentication

These methods connect to SharePoint Online instances. When using one of these methods, the connector indexes contentDocuments and the following aclDocuments: sharepointGroups, siteAdmins, roleDefinition, roleAssignment, and those sharepointUsers whose loginName ends with onmicrosoft.com.

Basic

To use this authentication method, in your SharePoint Optimized V2 datasource, select the SharePoint Online Authentication checkbox and configure the following fields:
  • SharePoint online account
  • Password

App only (OAuth protocol)

To use this authentication method, in your SharePoint Optimized V2 datasource, select the SharePoint Online Authentication checkbox and configure the following fields:
  • Azure AD client ID
  • Azure AD tenant
  • Azure AD Client Secret
  • Azure AD login endpoint (advanced)
  • Azure AD Refresh Token (advanced)

App only with private key

To use this authentication method, in your SharePoint Optimized V2 datasource, select the SharePoint Online Authentication checkbox and configure the following fields:
  • Azure AD client ID
  • Azure AD tenant
  • Azure AD login endpoint
  • Azure AD PKCS12 Base64 Keystore
  • Azure AD PKCS12 Keystore Password

Set up the LDAP datasource

  1. Navigate to Indexing > Datasources.
  2. Install the datasource connector if not already installed.
  3. Click Add and select LDAP and Azure ACLs Connector (V2).
  4. Fill in all required fields.
  5. Configure authentication methods. Enter LDAP login credentials and/or enable Azure AD Properties and configure the fields as explained below.

LDAP Authentication

This method connects to an Active Directory server over LDAP. When using this method, the connector indexes the following aclDocuments: ldapUsers and ldapGroups. To use this authentication method, in your LDAP and Azure ACLs Connector (V2) datasource, configure the following fields:
  • Login User Principal
  • Login Password

Azure AD Authentication

This method connects to Azure AD. When using this method, the connector indexes the following aclDocuments: azureUsers and azureGroups. To use this authentication method, in your LDAP and Azure ACLs Connector (V2) datasource, select the Azure AD Properties checkbox and configure the following fields:
  • Azure AD Tenant ID
  • Azure AD Client ID
  • Azure AD Client Secret

Supported authentication methods for security trimming

                         LDAP AD                                      Azure AD
SharePoint On-Premises   NTLM Authentication and LDAP Authentication  NTLM Authentication and Azure AD Authentication
SharePoint Online        N/A                                          Any SharePoint Online authentication method and Azure AD Authentication

Configure ACL collection

The SharePoint Optimized V2 and LDAP ACLs V2 datasources must index the content documents and ACL documents into the same collection. Ensure both datasources use the same value for the ACL Collection ID field (contentCollection in the example below).

If using SharePoint-Optimized and LDAP-ACLs < v2.0.0

Update the ACL Collection ID in the datasource configuration. The SharePoint-Optimized and LDAP-ACLs datasources must index their content_documents and acl_documents into the same collection, so in both datasources check the property Security -> ACL Collection ID and make sure it points to the same content collection.
  1. Navigate to Indexing > Datasources.
  2. Open your SharePoint Optimized V2 or LDAP ACLs V2 datasource.
  3. Under Security, set ACL Collection ID to contentCollection. [Figure: Datasource config for Fusion 5.8 with Graph Security Trimming]
    The Security checkbox must be checked for this field to appear.
  4. Save the configuration.
Repeat this process for all required datasources.

If using SharePoint-Optimized and LDAP-ACLs >= v2.0.0

Either recreate the datasources or update them in place. Note that once a datasource has been updated in place, it cannot be reverted to the configuration of an earlier plugin version. By default, the LDAP-ACLs and SharePoint-Optimized V2 datasources index the content_documents and acl_documents into the same collection.
  1. Navigate to Indexing > Datasources.
  2. Open your SharePoint Optimized V2 or LDAP ACLs V2 datasource.
  3. Under Graph Security Filtering Configuration, select Enable security trimming.
Repeat this process for all required datasources.

Set up Graph Security Trimming

The Graph Security Trimming stage first runs a graph query that resolves all nested groups for the user. A Solr join query then takes the ACL IDs found by the graph query and filters out every document whose ACLs match none of them.
  1. Navigate to Querying > Query Pipelines.
  2. Open the query pipeline associated with your SharePoint Optimized V2 or LDAP ACLs V2 data.
  3. Click Add a new pipeline stage and select Graph Security Trimming.
  4. Configure the stage with the following settings:
    Field           Value
    User ID source  query_param or header
    User ID key     The key (parameter or header name) that contains the user ID

Test the configuration

To confirm that security trimming works as configured, run the following test:
  1. Run the SharePoint Optimized V2 and LDAP ACLs V2 datasources so that both the content documents and the ACL documents are indexed.
  2. Run a series of queries, each passing a different user ID in the configured User ID key, to verify that permissions are enforced as intended:
    1. Query as a user with no permissions. You should see no search results.
    2. Query as a user that has access to some documents. You should see some search results, and only documents that user can access.
    3. Query as a user that has access to all documents. You should see all documents.
      Facet or filter by _lw_document_type_s: contentDocument to see only the SharePoint content documents; otherwise aclDocuments are also shown.
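The following is an added example, not code from Fusion or Lucidworks, that models what the Graph Security Trimming stage described under "Set up Graph Security Trimming" does and then runs the three checks from "Test the configuration" against it. It walks a constructed membership graph (AD groups nested inside SharePoint groups) upward from a user ID, turns the resolved principals into a terms-style filter on _lw_acl_ss, and restricts results to contentDocument so that aclDocuments never show up. Only the field names _lw_acl_ss and _lw_document_type_s and the document type values come from the page; the "id" prefixes, the "members" field, the sample users and groups, and the exact filter syntax are assumptions made for this example and do not reproduce Fusion's generated join query.

```python
from collections import deque

# Constructed sample of what the two connectors index into the shared ACL
# collection. Only _lw_acl_ss, _lw_document_type_s and the aclDocument /
# contentDocument type values come from the page; the "id" prefixes and
# the "members" field are assumptions made for this example.
ACL_DOCS = [
    # LDAP ACLs V2: users and AD groups (group members may be users or groups)
    {"id": "user:alice", "_lw_document_type_s": "aclDocument", "members": []},
    {"id": "user:bob", "_lw_document_type_s": "aclDocument", "members": []},
    {"id": "user:carol", "_lw_document_type_s": "aclDocument", "members": []},
    {"id": "user:dave", "_lw_document_type_s": "aclDocument", "members": []},
    {"id": "ad:engineering", "_lw_document_type_s": "aclDocument",
     "members": ["user:alice"]},
    {"id": "ad:all-staff", "_lw_document_type_s": "aclDocument",
     "members": ["ad:engineering", "user:bob"]},
    # SharePoint Optimized V2: SharePoint groups and site admins, whose
    # members are AD principals resolved through the LDAP ACL documents
    {"id": "sp:Site Members", "_lw_document_type_s": "aclDocument",
     "members": ["ad:all-staff"]},
    {"id": "sp:siteAdmins", "_lw_document_type_s": "aclDocument",
     "members": ["user:carol"]},
]

CONTENT_DOCS = [
    {"id": "doc1", "_lw_document_type_s": "contentDocument",
     "_lw_acl_ss": ["ad:engineering", "sp:siteAdmins"]},
    {"id": "doc2", "_lw_document_type_s": "contentDocument",
     "_lw_acl_ss": ["sp:Site Members", "sp:siteAdmins"]},
    {"id": "doc3", "_lw_document_type_s": "contentDocument",
     "_lw_acl_ss": ["sp:siteAdmins"]},
]


def parent_index(acl_docs):
    """Map each principal id to the set of groups that list it directly."""
    parents = {}
    for doc in acl_docs:
        for member in doc.get("members", []):
            parents.setdefault(member, set()).add(doc["id"])
    return parents


def resolve_principals(user_id, acl_docs):
    """Walk the membership graph upward from the user and return the user
    id plus every group reachable through nested membership, including
    SharePoint groups that contain AD groups. The visited set makes the
    walk terminate even if the group graph contains a cycle."""
    parents = parent_index(acl_docs)
    seen = {user_id}
    queue = deque([user_id])
    while queue:
        current = queue.popleft()
        for group in parents.get(current, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def build_filter_query(principals):
    """Illustrative Solr filter restricting results to documents whose
    _lw_acl_ss contains one of the resolved principals (assumed syntax;
    the stage's real join query is generated by Fusion)."""
    return "{!terms f=_lw_acl_ss}" + ",".join(sorted(principals))


def trim(user_id, acl_docs, content_docs):
    """Apply the resolved ACL ids as a filter over the shared collection and
    return the ids of content documents the user may see. Restricting to
    _lw_document_type_s = contentDocument mirrors the facet the page
    recommends so that aclDocuments never appear as results."""
    principals = resolve_principals(user_id, acl_docs)
    visible = []
    for doc in acl_docs + content_docs:  # both document kinds share one collection
        if doc["_lw_document_type_s"] != "contentDocument":
            continue
        if principals & set(doc.get("_lw_acl_ss", [])):
            visible.append(doc["id"])
    return sorted(visible)


def run_checks(acl_docs=ACL_DOCS, content_docs=CONTENT_DOCS):
    """The three queries from 'Test the configuration': a user with no
    access, a user with partial access via a nested group, a site admin."""
    return {
        "no_access": trim("user:dave", acl_docs, content_docs),
        "some_access": trim("user:alice", acl_docs, content_docs),
        "all_access": trim("user:carol", acl_docs, content_docs),
    }


if __name__ == "__main__":
    print(build_filter_query(resolve_principals("user:alice", ACL_DOCS)))
    for name, docs in run_checks().items():
        print(f"{name}: {docs}")
```

Note that alice is never listed directly on doc2; she sees it only because the walk crosses from the AD group ad:engineering into ad:all-staff and then into the SharePoint group sp:Site Members, which is exactly why both connectors must write into the same ACL collection. If the LDAP ACLs V2 crawl were missing or pointed at a different collection, the graph walk would stop at the user and the "some access" query would return nothing.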
The following describes how to migrate a pre-Fusion 5.8 Graph Security Trimming query pipeline stage setup to Fusion 5.8 or later. It applies to deployments using:
  • SharePoint Optimized V2 connector v1.1.0 or later
  • LDAP ACLs V2 connector v1.4.0 or later, to crawl Active Directory in Azure (Azure AD)
  • LDAP ACLs V2 connector v1.2.0 or later, to crawl on-premises Active Directory over LDAP

Migration

To migrate a deployment that is crawling Active Directory to Fusion 5.8 or later, follow these steps.

Update the datasource configurations

The SharePoint Optimized V2 and LDAP ACLs V2 datasources must index the content documents and ACL documents into the same collection. The steps are the same as under Configure ACL collection above: for SharePoint-Optimized and LDAP-ACLs connectors older than v2.0.0, set Security -> ACL Collection ID to the same contentCollection in both datasources; for v2.0.0 or later, either recreate the datasources or update them in place and select Enable security trimming under Graph Security Filtering Configuration in both (once updated in place, a datasource cannot be reverted to the configuration of an earlier plugin version). Repeat this for all required datasources.

Clear the datasources and perform a full crawl

  1. Navigate to Indexing > Datasources.
  2. Open your SharePoint Optimized V2 or LDAP ACLs V2 datasource.
  3. Click the Clear Datasource button, and choose yes.
  4. Navigate to Collections > Collections Manager.
  5. Verify that the job_state collection is empty.
  6. Return to your datasource.
  7. Click Run > Start to reindex your data.
Repeat this process for all required datasources.
LucidAcademy: Lucidworks offers free training to help you get started. The Quick Learning for Configuring Graph Security Trimming focuses on how to set up security trimming. Visit the LucidAcademy to see the full training catalog.

Query pipeline stage condition examples

Stages can be triggered conditionally when a script in the Condition field evaluates to true. Some examples are shown below. Run this stage only for mobile clients:
params.deviceType === "mobile"
Run this stage when debugging is enabled:
params.debug === "true"
Run this stage when the query includes a specific term:
params.q && params.q.includes("sale")
Run this stage when multiple conditions are met:
request.hasParam("fusion-user-name") && request.getFirstParam("fusion-user-name").equals("SuperUser") && !request.hasParam("isFusionPluginQuery")
The first two checks require that the request parameter "fusion-user-name" is present with the value "SuperUser"; the last check requires that the request parameter "isFusionPluginQuery" is absent. Checking hasParam before calling getFirstParam avoids a null dereference when the parameter is missing.

Configuration

When entering configuration values in the UI, use unescaped characters, such as \t for the tab character. When entering configuration values in the API, use escaped characters, such as \\t for the tab character.