Active Directory Security Trimming Stage
An Active Directory Security Trimming query pipeline stage retrieves an Active Directory user’s security identifiers to build a security filter. This restricts the documents in the query result to only those documents for which a user has access permissions. Security trimming is commonly used in business to authenticate between administrative users and normal users, or to limit the site access of website users according to a login/password.
Active Directory Security Trimming query stage setup:
curl -u USERNAME:PASSWORD -X POST -H 'Content-type: application/json' -d '{"id":"ADSecurity", "type": "active-directory-security-trimming", "server":"ldap://hostname:port","bindName":"ADuser@example.com","bindPassword":"login1"}' http://localhost:8764/api/query-stages/instances
{
"type" : "active-directory-security-trimming",
"id" : "ADSecurity",
"server" : "ldap://hostname:port",
"bindName" : "ADuser@example.com",
"bindPassword" : "login1",
"enableCache" : true,
"cacheSize" : 1000,
"expirationTime" : 3600,
"skip" : false,
"label" : "active-directory-security-trimming",
"type" : "active-directory-security-trimming"
}
|
When entering configuration values in the UI, use unescaped characters, such as \t for the tab character. When entering configuration values in the API, use escaped characters, such as \\t for the tab character.
|
Retrieve AD user's security identifiers and build security filter
skip - boolean
Set to true to skip this stage.
Default: false
label - string
A unique label for this stage.
<= 255 characters
condition - string
Define a conditional script that must result in true or false. This can be used to determine if the stage should process or not.
asyncConfig - Asynchronous Execution Config
enabled - boolean
Run the expensive data loading or processing part of this stage in a separate thread allowing the pipeline to continue executing. The results of this asynchronous execution can be merged into the pipeline request using a downstream "Merge Async Results" stage.
Default: false
asyncId - string
A unique value to use as reference in downstream "Merge Async Results" stages.
overrideUserIdentityHandling - boolean
Default handling first attempts to take the user identity from a 'fusion-user-id' http-header, which is the logged-in user ID from the Fusion proxy service. If that value is empty, a 'username' query parameter is tried instead. When this DataSource property is enabled, the specified source and key properties are used explicitly, without any fallback behavior.
Default: false
userIdentitySource - string
Specify whether the value comes from an http header or query parameter.
Default: query_param
Allowed values: query_paramheader
userIdentityKey - string
e.g. username, userID, etc.
Default: username
datasources - array[string]
A list of Fusion datasources to which security-trimming should be restricted, allowing content from other datasources to pass through un-filtered; if empty, all matching content is subject to filtering.
server - stringrequired
E.g. ldap://hostname:port
bindName - stringrequired
username in userPrincipalName format (e.g. user@example.com)
bindPassword - stringrequired
filterAttribute - string
Active Directory attribute to use as the security-trimming filter criterion
Allowed values: objectSidsAMAccountNameuserPrincipalName
enableCache - boolean
Default: true
cacheSize - integer
Default: 1000
expirationTime - integer
(in seconds)
Default: 3600
referral - string
The method for processing referrals encountered by the service provider
Allowed values: followignorethrow