I want to understand how corporate search solutions solve the problem of user rights.
My question is displaying search results to users. The naive approach displays the search results for the user, and then if the user clicks on a document that he is not allowed to, he will not be able to open it. However, it is even forbidden to display the document title or excerpt if the user does not have permission to read it. Various engines for corporate engines do the same:
- index each document along with its ACL?
- index all documents without permission information, but check each link in each search result to see if the user of the request has a request to view this link?
Option No. 2 makes more sense to me, but also looks much slower than option No. 1.
Option No. 1 suffers from the need to constantly update changes in permissions for indexed documents.
I want to understand what is the general approach in existing solutions on the market today. Is there a third option?
source
share