Knowledge:Access manager

From OpenKM Documentation
Revision as of 12:44, 28 November 2012 by Pavila (talk | contribs)


By default OpenKM 6 is configured this way:

 security.access.manager = simple
 security.search.evaluation = lucene

This provides great performance because only a single node is evaluated. If you want every parent to be evaluated as well, you can change this behavior with these settings:

 security.access.manager = recursive
 security.search.evaluation = [ am_more | am_window | am_limited ]

This will reduce OpenKM performance (at least in search) but will match customer requirements. Performance can be improved by customizing the com.openkm.cache.parentNodePermissions cache region definition.

A new AccessManager, read_recursive, is also provided. It prevents documents from being shown in search results when any folder in the path does not grant read access to the user who runs the query. It should be used in combination with am_more.

 security.access.manager = read_recursive
 security.search.evaluation = am_more

Difference between "simple" and "recursive"

Given this repository structure:

  • okm:root
    • level-1a
      • level-2a
        • level-3a
          • alpha.doc
          • beta.doc
          • gamma.doc
        • level-3b
    • level-1b
    • level-1c

When using simple, if you revoke permission from the level-2a folder while a user is viewing the level-3a folder, OpenKM will still show the documents to this user. When the user searches, OpenKM will return these documents as search results. The user can't access the documents, because when OpenKM tries to access a document it opens every location in the path and will fail to open level-2a, for which the user has no grants. You need to apply the revoke recursively to prevent the user from accessing these documents, so they won't be shown in the search results.

When using recursive, if you revoke permission from the level-2a folder while a user is viewing the level-3a folder, OpenKM will give an error, because the Access Manager also evaluates the permission of the level-2a ancestor node. When the user searches, OpenKM won't show these documents in the search results. Keep in mind that this Access Manager implementation is slower because it needs to evaluate more nodes: the deeper the node, the more parent nodes need to be evaluated.
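
The difference between simple and recursive, as an added example that is not part of the OpenKM documentation or code base: a small Python model of the two evaluation strategies, run over the repository structure above with read access revoked on level-2a only. All function names and the revoked-path set are assumptions made for illustration; the audit helper lists documents that simple would still show in search although a folder in their path is revoked.

```python
# Toy model of the two evaluation strategies described above; not OpenKM code.
from pathlib import PurePosixPath

# Constructed sample: the documents from this page's repository tree.
BASE = "/okm:root/level-1a/level-2a/level-3a"
DOCUMENTS = [f"{BASE}/{name}" for name in ("alpha.doc", "beta.doc", "gamma.doc")]

def ancestors(path):
    """Parent folders of path, nearest first, excluding the bare '/'."""
    return [str(p) for p in PurePosixPath(path).parents if str(p) != "/"]

def can_read_simple(path, revoked):
    """'simple' model: only the node's own permission is evaluated."""
    return path not in revoked

def can_read_recursive(path, revoked):
    """'recursive' model: the node and every ancestor must be readable."""
    return path not in revoked and not any(a in revoked for a in ancestors(path))

def search(docs, revoked, can_read):
    """Documents a search would list under the given evaluation model."""
    return [d for d in docs if can_read(d, revoked)]

def listed_but_unreachable(docs, revoked):
    """Audit: documents listed under 'simple' whose path contains a revoked
    folder, mapped to the revoked ancestor closest to the root."""
    report = {}
    for doc in search(docs, revoked, can_read_simple):
        blocking = [a for a in ancestors(doc) if a in revoked]
        if blocking:
            report[doc] = blocking[-1]
    return report

def revoke_recursively(folder, docs, revoked):
    """Revoke on folder, on every document below it, and on the folders between."""
    result = set(revoked) | {folder}
    for doc in docs:
        chain = ancestors(doc)
        if folder in chain:
            result.add(doc)
            result.update(chain[:chain.index(folder)])
    return result

if __name__ == "__main__":
    revoked = {"/okm:root/level-1a/level-2a"}
    print("simple   :", search(DOCUMENTS, revoked, can_read_simple))
    print("recursive:", search(DOCUMENTS, revoked, can_read_recursive))
    print("audit    :", listed_but_unreachable(DOCUMENTS, revoked))
    fixed = revoke_recursively("/okm:root/level-1a/level-2a", DOCUMENTS, revoked)
    print("after recursive revoke:", search(DOCUMENTS, fixed, can_read_simple))
```

In this model the audit report is empty once the revoke has been applied recursively, which is the condition under which simple and recursive list the same search results.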