Index Security

When it comes to centralized indexes, it is best to take measures to ensure that there is no unauthorized reconfiguring, moving or deleting of the index files. Perceptive Search will always adhere to network security, so it can not automatically override permissions to protect the indexes.

It is recommended that you store indexes in their own folders so that you can set permissions on these directories for your users without affecting other files or subfolders that may be in the same network share.

Users can be generally classed as one of the following:

• No Permissions

  These users do not have permission to see the documents that have been indexed and therefore are not given permission to the index itself.
  
  

• Read Only Users

  These are your typical searching users. They have sufficient privileges to view the documents that have been indexed, meaning they are allowed Read permissions on the index files, but are not permitted to make any changes to the index itself.
  
  

• Administrators

  These users are allowed modify permissions for the index files. This level of access should only be granted to those who have been assigned the task of creating and maintaining indexes.

Let's take a look at a real world example where it is a necessity to implement index security:

Below you can see the files that collectively make up an index.


This index has been configured to point to the three subfolders pictured. Since the index has been stored in the root of the network share, it will inherit the permissions of the parent folder. The issue with this is that anyone (regardless if they are an user or not) with sufficient permissions to modify files contained within the share is able to tamper with the index files.

To negate any possibility of this occurring, you can create a subfolder during the Indexing Wizard to house the index files. The security of this directory can be customized so that only authorized personnel have the ability to make any changes to the index. Pictured below is the folder structure of the network share with a dedicated directory for the index files.


Let's assume that the index has been created for the organization's Sales team and that there is an Active Directory group called Sales Department. In this scenario, a Sales person has unrestricted access to the documents in the network share and therefore will automatically have the same permissions to the index files. However, we do not want them to have the same rights to the index files since any tampering may leave the index unsearchable. This means we can class the Sales Department as Read Only Users since they only need to run searches on the index but not have the ability to make any changes.

Within the organization, there have been five employees that have been assigned the task of creating and maintaining indexes for the various departments. They have their own group in Active Directory called ISYS Administrators. Since the index directory will automatically inherit the permissions of the parent folder, we can use the Advanced Security Settings to disable inheritance. To achieve this, you must first be logged on to the server where the share exists and do the following:

1. Right click the index folder and select 'Sharing and Security'.
2. Switch to the 'Security' tab and click on the 'Advanced' button. You will see the dialog below.
   
   
   
3. Untick the option to inherit the parent permission entries. When prompted to either Copy or Remove the parent entries, choose Remove. There should no longer be any permissions listed. Click 'OK'.
4. You will now be back in the 'Security' tab. Click on 'Add' to enter a user/group you would like to configure permissions for. Type in 'ISYS Administrators' and click 'OK'. Select 'Full Control' as their permissions.
5. Click on 'Add' once more. Type in 'Sales Department' and click 'OK'. Select 'Read' as their permissions. The settings will look like the image below.
   
   
   

The index directory is now secured while retaining complete search functionality for the users.