Walkthrough: Using the Business Data Catalog Security Trimmer to Trim Search Results

Enterprise Search in Microsoft Office SharePoint Server 2007 performs query-time security trimming of search results using the security information obtained at crawl time. However, there can be scenarios in which this trimming might not be sufficient, for example, when back-end applications cannot provide security information at crawl time or when you need up-to-date security information and it is not practical to re-crawl before trimming. To address such scenarios, the Enterprise Search Query Processing engine provides a framework for plugging in dynamic query-time security trimming modules in which the specific results of a single user query can be security-trimmed before they are displayed in Search Results.

The Business Data Catalog implements the CheckAccess method to provide built-in support for security trimming per entity instance, and to ensure security at entity instance level.

The Business Data Catalog Security Trimmer allows custom security trimming of entity instances (search documents) that have been indexed by the Business Data Catalog before they are returned to the user. It trims the result set (containing entity instances) at execution time based on the current user's permissions on the back-end data, using the logic in the back-end application to determine the user's permissions. The Business Data Catalog Security Trimmer assumes that the actual back-end application will provide a public method to check the current user's permissions for one or more entity instances. The input parameters of the method should accept the IDs of the EntityInstance objects to check, and the output parameter should return the access rights for the current user as a corresponding array of long integers (or some value that can be converted to a long integer).

If such an API is available, authors of the Business Data Catalog metadata can define a MethodInstanceType called AccessChecker in the application definition file, and map it to the back-end API in much the same way as for Finder, SpecificFinder, and so on. After an AccessChecker method instance is available, the Business Data Catalog Security Trimmer can use it to determine the user's permissions via the CheckAccess method.

The Business Data Catalog Security Trimmer executes the CheckAccess method each time the Query engine returns search results that match the crawl rule that the Business Data Catalog Security Trimmer is associated with. When the Entity.CheckAccess method is called, the Business Data Catalog executes the back-end API described by the AccessChecker method instance registered for that entity. The back-end API returns the rights the current user has on the entity instance or instances. This information is relayed back to the Entity.CheckAccess method, and finally to the Security Trimmer, which uses this information to trim the results before displaying them to the user.

This walkthrough walks you through the steps to add an AccessChecker method instance to the AdventureWorksDW SQL Server 2005 Sample, register the Business Data Catalog Security Trimmer, and add crawl rules and content sources to security-trim line-of-business (LOB) data.

See Also


Walkthrough: Using a Custom Security Trimmer for Search Results
AccessChecker Samples