Security Model

Connectivity Hub Security Model

Connectivity Hub relies on the early binding model to secure search results.

It ensures that users have access only to the items that they are authorized to see.

In the early binding model, security information is stored in the search index, and search results are trimmed based on the user’s permissions at query time without checking every search result against the source system.

The benefits of this model are:

  • Easy to Implement: The security filter becomes a simple Boolean query over ACL fields
    • Search engines are very good at executing Boolean queries.
  • Accurate Counts: Because the query itself is modified, the search engine automatically computes correct counts for:
    • Total number of documents - Only those documents to which the user has read access
    • Facet counts (Note: “facets” and “navigators” are the same thing in search.)
  • High Performance: If implemented correctly, early binding has minimal impact on performance.
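
The sketch below is an added example, not Connectivity Hub code. It shows the early binding idea on a small constructed in-memory index: the ACL clause is ANDed onto the query, so the total and the facet counts only ever include items the user can read. The field names (`acl_allow`, `acl_deny`, `source`), the principal names, and the rule that a deny entry overrides an allow entry are assumptions made for the example.

```python
from collections import Counter

# Constructed sample index: each item carries its ACL alongside its content.
# Field names (acl_allow, acl_deny, source) are assumptions for this example.
INDEX = [
    {"id": 1, "text": "merger contract draft", "source": "Documentum",
     "acl_allow": {"grp:legal"}, "acl_deny": set()},
    {"id": 2, "text": "contract template", "source": "WorkSite",
     "acl_allow": {"grp:everyone"}, "acl_deny": {"grp:contractors"}},
    {"id": 3, "text": "supplier contract", "source": "Documentum",
     "acl_allow": {"grp:legal", "grp:finance"}, "acl_deny": {"user:bob"}},
    {"id": 4, "text": "holiday schedule", "source": "WorkSite",
     "acl_allow": {"grp:everyone"}, "acl_deny": set()},
]

def security_filter(principals):
    """Render the Boolean ACL clause that is ANDed onto the user's query."""
    terms = sorted(principals)
    allow = " OR ".join(f'acl_allow:"{p}"' for p in terms)
    deny = " OR ".join(f'acl_deny:"{p}"' for p in terms)
    return f"({allow}) AND NOT ({deny})"

def visible(doc, principals):
    """Evaluate the same clause against one indexed item (assumed: deny wins)."""
    return bool(doc["acl_allow"] & principals) and not (doc["acl_deny"] & principals)

def search(term, principals):
    """Trim at query time, so totals and facets only count readable items."""
    if not principals:  # no resolved identity: fail closed
        return {"ids": [], "total": 0, "facets": {}}
    hits = [d for d in INDEX if term in d["text"] and visible(d, principals)]
    return {"ids": [d["id"] for d in hits],
            "total": len(hits),
            "facets": dict(Counter(d["source"] for d in hits))}

if __name__ == "__main__":
    # Constructed principals: the user plus the groups resolved for them.
    alice = {"user:alice", "grp:everyone", "grp:legal"}
    bob = {"user:bob", "grp:everyone", "grp:finance"}
    print(security_filter(alice))
    print(search("contract", alice))
    print(search("contract", bob))
```

Because the ACLs are read from the index, a permission change in the source system takes effect in search only after the item's security information is re-indexed.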

Note: In order to support ACL security with systems that have their own security model (Hummingbird, WorkSite, Documentum, and so on), you must first map the system's users and security groups to the corresponding AD entry.
For systems that already have some form of AD synchronization for their security groups, map one for one.
In most cases, your BA Insight support representative must handle this process for you.

Native Security

Native Groups Security is part of the early binding mechanism. It enables you to map non-AD users and groups from source systems to Active Directory (AD) users of target systems without creating new groups in Active Directory. Native security advantages include:

  • No AD access required

    • In some environments, AD is carefully managed, and for this reason creating an AD user or group might require substantial administrative effort.

    • In these cases, permissions to manage AD (or even part of the AD, such as a dedicated OU) might not be granted to an impersonation account.

  • Handles complex group memberships

    • Some source system installations (such as Documentum) have over 90,000 groups.

    • If a user belongs to several thousand groups or more, log-in capability might be suspended.

  • Supports multi-level security:

    • Some source systems (for example, HP Trim, Livelink, and Documentum) support multi-level security.

    • For example, in addition to roles or groups, these systems can introduce additional security barriers, such as access levels or other barriers.

    • These complex security settings cannot be expressed in terms of AD group membership.

Note: In order to implement Native Security you need to install and configure the Advanced Security Module.
For more information, see ASM.