eZ Publish Connector: Security
Security in eZ Publish
eZ Publish differs from the other source systems Locator connects to because the documents stored in it carry no permission information of their own. Access control is based on roles that can be assigned to users or groups. Each role contains any number of policies, each of which grants access to content or to a system function. A policy can carry any number of limitations; for example, a policy can grant access only to content of a certain type. To make this security model work in Locator, each document and each user is given a set of virtual tokens, constructed so that a document token and a user token match only when a policy assigned to the user would grant access to that document.
Security in the Connector
The connector relies on the default Locator Active Directory Authentication Plugin for authentication and on the eZ Publish Identification Plugin for identification. The eZ Publish Identification Plugin matches the Active Directory username against the 'login' column of the 'ezuser' table in the eZ Publish database.
Document Security
Scope: 'eZPublish_' + scope suffix provided in Admin Wizard
Tokens: Documents have 3 main types of tokens:
- Unlimited access token - "Limit". It is added so that the document matches users who have been assigned a content/read policy without any limitations.
- Single limitation - "Limit_" + limitation type + "_" + limitation value. The connector supports 7 types of limitations (see the table below).
- Combination of up to 4 limitations of the types Content Type, Location, Section and State. Example tokens look like this: "Limit_ContentType=1_Location=2_Section=3_State=4", "Limit_ContentType=1_State=4", "Limit_Location=2_Section=3_State=4".
Important note: 3 of the limitation types are not used in the 3rd type of token, because including them would greatly increase the number of tokens added to documents. In the best case it would add about a hundred tokens per document, and for some groups of documents it could add a few thousand more. These three limitation types, Owner, Group and Subtree, are the least likely to be used in conjunction with other limitations. If your eZ Publish installation does use one of them together with another limitation, you can add support for it by adding a custom Security Source.
Limitation type | Limitation Value | Additional information |
---|---|---|
ContentType | Content type ID | |
Location | Location ID | |
Section | Section ID | |
State | State ID | |
Owner | Document's owner ID | |
Group | Owner's group ID | Document gets one token for each group the owner directly belongs to. |
Subtree | Path to document | Document gets one token for each level of the path that leads to the document. |
Identification
Scope: 'eZPublish_' + scope suffix provided in Admin Wizard
Tokens: Users have 2 main types of tokens:
- Unlimited access token - "Limit". Added when the user has a content/read policy without any limitations.
- Token created from the list of limitations set on a policy.
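As an added illustration (not the connector's own code), here is a Python model of the token scheme described under Document Security and Identification: it builds the full token set for a constructed document record, derives a user's token from a policy's limitations, and checks whether the two sets intersect. The field names node_id, state_id and path, the fixed order of limitation types inside a token and the '/1/2/45/' path format are assumptions; contentclass_id, section_id and owner_id are the columns the page's own SQL uses.

```python
from itertools import combinations

# Order in which limitation types appear inside a token, taken from the
# page's examples; that the connector always uses this order is an assumption.
ORDER = ("ContentType", "Location", "Section", "State", "Owner", "Group", "Subtree")
COMBINABLE = ORDER[:4]  # only these take part in multi-limitation document tokens

def subtree_levels(path):
    """'/1/2/45/' -> ['/1/', '/1/2/', '/1/2/45/']: one token per path level (assumed format)."""
    ids = [p for p in path.split("/") if p]
    return ["/" + "/".join(ids[: i + 1]) + "/" for i in range(len(ids))]

def document_tokens(doc):
    """All security tokens a document receives; doc is a constructed dict."""
    values = {
        "ContentType": [doc["contentclass_id"]],
        "Location": [doc["node_id"]],
        "Section": [doc["section_id"]],
        "State": [doc["state_id"]],
        "Owner": [doc["owner_id"]],
        "Group": doc["owner_group_ids"],         # one token per owner group
        "Subtree": subtree_levels(doc["path"]),  # one token per path level
    }
    tokens = {"Limit"}  # matched by users whose content/read policy has no limitation
    for ltype, vals in values.items():
        tokens.update(f"Limit_{ltype}={v}" for v in vals)
    # Combination tokens: every subset of 2..4 of the combinable types, fixed order.
    for n in range(2, len(COMBINABLE) + 1):
        for combo in combinations(COMBINABLE, n):
            tokens.add("Limit_" + "_".join(f"{t}={values[t][0]}" for t in combo))
    return tokens

def policy_token(limitations):
    """Token a user receives from one content/read policy ({} = no limitations)."""
    if not limitations:
        return "Limit"
    return "Limit_" + "_".join(f"{t}={limitations[t]}" for t in ORDER if t in limitations)

def is_supported(limitations):
    """A single limitation, or any mix of the four combinable types, can match a document."""
    return len(limitations) <= 1 or all(t in COMBINABLE for t in limitations)

def user_can_read(policies, doc):
    """True when a token from any of the user's policies is also on the document."""
    return bool({policy_token(p) for p in policies} & document_tokens(doc))

# Constructed sample document (not real eZ Publish data): ids match the page's example tokens.
DOC = {"contentclass_id": 1, "node_id": 2, "section_id": 3, "state_id": 4,
       "owner_id": 1000, "owner_group_ids": [12, 13], "path": "/1/2/45/"}
```

A policy mixing Owner, Group or Subtree with another limitation yields a token no document carries, which is exactly the "unsupported tokens" case the log message below reports.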
Adding custom Security Source
Sometimes a user is assigned a policy with a combination of limitations that the connector does not support. The tokens generated from that policy will then not match any document token, so the user may miss some search hits. When a user receives unsupported tokens, the w3wp log contains a line like this: "Via.Connector.Dbc.EzPublish.Authentication.EzPublishTokenValidator - Found 2 unsupported tokens. User won't get hits using policies with this limitation combination.". To support such a combination you should create a custom Security Source.
The easiest way to do this is to set the log level to debug and let the user log in to Locator again. The log will then show the format of the unsupported combination of limitations, for example "Limit_ContentType=1_Section=2_Owner=1000". In that case you should create a query that adds tokens with Content Type, Section and Owner limitations to documents. Copy the Custom template from the connector definition, uncomment it and remove the limitations you don't need. For the format "Limit_ContentType=1_Section=2_Owner=1000" the modified query would look like this:
```xml
<add name="ContentType-Section-Owner" type="DbDocumentSecuritySource">
  <GetRulesQuery>
    <SqlTemplate>
      SELECT DISTINCT
        CONCAT('eZPublish_', '{{config.scopesuffix}}') AS SIDScope,
        CONCAT('Limit',
               '_ContentType=', co.contentclass_id,
               '_Section=', co.section_id,
               '_Owner=', co.owner_id) AS SID,
        'DocumentAllowRule' AS RuleType
      FROM {{config.schema}}.ezcontentobject co
      WHERE co.id = ?
    </SqlTemplate>
    <TemplateParameters>
    </TemplateParameters>
    <CommandParameters>
      <add name="@Id">
        <Type value="Int32" />
        <ReferenceName value="SR_id" />
      </add>
    </CommandParameters>
  </GetRulesQuery>
</add>
```
Important note: If you remove the Subtree limitation from the template, you also have to remove its second command parameter, @Id2 (the example above already has it removed).
ayfie