Renamed files and added content to ACL examples

Author: HeidiSteen

Quickstart-ACL/requirements.txt

@@ -4,6 +4,4 @@ aiohttp
 ipykernel
 dotenv
 requests
-
---extra-index-url https://pkgs.dev.azure.com/azure-sdk/public/_packaging/azure-sdk-for-python/pypi/simple/
-azure-search-documents==11.6.0a20250505003
+azure-search-documents==11.6.0b12

…start-Agentic-Retrieval/quickstart.ipynb …ieval/quickstart-agentic-retrieval.ipynbQuickstart-Agentic-Retrieval/quickstart.ipynb renamed to Quickstart-Agentic-Retrieval/quickstart-agentic-retrieval.ipynb Quickstart-Agentic-Retrieval/quickstart.ipynb renamed to Quickstart-Agentic-Retrieval/quickstart-agentic-retrieval.ipynb

@@ -5,15 +5,57 @@
    "id": "aba4346f",
    "metadata": {},
    "source": [
-    "## Document Permissions in Azure AI Search"
+    "# Document level access in Azure AI Search using the indexer pull APIs\n",
+    "\n",
+    "In Azure AI Search, you can use an indexer to pull content into a search index for indexing. This notebook shows you how index blobs that have access control lists (ACLs) in Azure Storage Data Lake Storage (ADLS) Gen2, and then query the index to return only those results that the user is authorized to view.\n",
+    "\n",
+    "The security principal behind the query access token determines the \"user\". The ACLs on folders and files determine whether the user has authorization to the content, and that metadata is pulled into the index along with document content. Internally, the search engine filters out any documents that aren't associated with the security principal.\n",
+    "\n",
+    "This feature is currently in preview.\n",
+    "\n",
+    "For an alternative approaching using push APIs to index any data, see [Quickstart-Document-Permissions-Push-API](../Quickstart-Document-Permissions-Push-API/document-permissions-push-api.ipynb).\n",
+    "\n",
+    "\n",
+    "## Prerequisites\n",
+    "\n",
+    "+ Azure AI Search, basic tier or higher, with a [system-assigned managed identity](https://learn.microsoft.com/azure/search/search-howto-managed-identities-data-sources) and [role-based access control](https://learn.microsoft.com/azure/search/search-security-enable-roles).\n",
+    "\n",
+    "+ Azure Storage, general purpose account, with a [hierarchical namespace](https://learn.microsoft.com/azure/storage/blobs/create-data-lake-storage-account).\n",
+    "\n",
+    "+ Folders and files, where each file has an [access control list specified](https://learn.microsoft.com/azure/storage/blobs/data-lake-storage-access-control). We recommend group IDs.\n",
+    "\n",
+    "We recommend creating a virtual environment to run this sample code. In Visual Studio Code, open the control palette (ctrl-shift-p) to create an environment. This notebook was tested on Python 3.10.\n",
+    "\n",
+    "## Permissions\n",
+    "\n",
+    "+ On Azure Storage, **Storage Blob Data Reader** permissions are required for both the search service identity and for your user account since you are testing locally. You also need **Storage Blob Data Contributor**. This sample includes code for creating and configuring a container and blobs used in this demonstration.\n",
+    "\n",
+    "+ On Azure AI Search, assign yourself **Search Service Contributor**, **Search Index Data Contributor**, and **Search Index Data Reader** permissions to create objects and run queries. For more information, see [Connect to Azure AI Search using roles](https://learn.microsoft.com/azure/search/search-security-rbac) and [Quickstart: Connect without keys for local testing](https://learn.microsoft.com/azure/search/search-get-started-rbac).\n",
+    "\n",
+    "## Limitations\n",
+    "\n",
+    "+ Parsing indexer options aren't currently supported."
    ]
   },
   {
    "cell_type": "markdown",
    "id": "f445040a",
    "metadata": {},
    "source": [
-    "## 1. Load Connections"
+    "## Set up connections\n",
+    "\n",
+    "Save the `sample.env` file as `.env` and then modify the environment variables to use your Azure endpoints. You need endpoints for:\n",
+    "\n",
+    "+ Azure AI Search\n",
+    "+ Azure Storage\n",
+    "\n",
+    "For Azure AI Search, find the endpoint in the [Azure portal](https://portal.azure.com), in the **Essentials** section of the Overview page.\n",
+    "\n",
+    "For Azure Storage, follow the guidance in [Get storage account configuration information](https://learn.microsoft.com/azure/storage/common/storage-account-get-info).\n",
+    "\n",
+    "## Load Connections\n",
+    "\n",
+    "Load the environment variables to set up connections and object names."
    ]
   },
   {
@@ -32,11 +74,11 @@
     "# The following variables from your .env file are used in this notebook\n",
     "endpoint = os.environ[\"AZURE_SEARCH_ENDPOINT\"]\n",
     "credential = DefaultAzureCredential()\n",
-    "index_name = os.getenv(\"AZURE_SEARCH_INDEX\", \"document-permissions-sample\")\n",
-    "indexer_name = os.getenv(\"AZURE_SEARCH_INDEXER\", \"document-permissions-sample-indexer\")\n",
-    "datasource_name = os.getenv(\"AZURE_SEARCH_DATASOURCE\", \"document-permissions-sample-datasource\")\n",
-    "adls_gen2_account_name = os.getenv(\"AZURE_STORAGE_ACCOUNT_NAME\", \"documentpermissionssample\")\n",
-    "adls_gen2_container_name = os.getenv(\"AZURE_STORAGE_CONTAINER_NAME\", \"documentpermissionssample\")\n",
+    "index_name = os.getenv(\"AZURE_SEARCH_INDEX\", \"document-permissions-indexer-idx\")\n",
+    "indexer_name = os.getenv(\"AZURE_SEARCH_INDEXER\", \"document-permissions-indexer-idxr\")\n",
+    "datasource_name = os.getenv(\"AZURE_SEARCH_DATASOURCE\", \"document-permissions-indexer-ds\")\n",
+    "adls_gen2_account_name = os.getenv(\"AZURE_STORAGE_ACCOUNT_NAME\")\n",
+    "adls_gen2_container_name = os.getenv(\"AZURE_STORAGE_CONTAINER_NAME\")\n",
     "adls_gen2_connection_string = os.environ[\"AZURE_STORAGE_CONNECTION_STRING\"]\n",
     "adls_gen2_resource_id = os.environ[\"AZURE_STORAGE_RESOURCE_ID\"]\n",
     "token_provider = get_bearer_token_provider(credential, \"https://search.azure.com/.default\")"
@@ -47,7 +89,11 @@
    "id": "2d46b940",
    "metadata": {},
    "source": [
-    "## 2. Create Index"
+    "## Create an index\n",
+    "\n",
+    "The search index must includes fields for your content and for permission metadata. Assign the new permission filter option to a string filter and make sure the field is filterable. \n",
+    "\n",
+    "For local testing, `retrievable` can be **true**, but be sure to change it back to **false** if you make the solution available to others."
    ]
   },
   {
@@ -66,8 +112,8 @@
     "    fields=[\n",
     "        SearchField(name=\"id\", type=\"Edm.String\", key=True, filterable=True, sortable=True),\n",
     "        SearchField(name=\"content\", type=\"Edm.String\", searchable=True, filterable=False, sortable=False),\n",
-    "        SearchField(name=\"oids\", type=\"Collection(Edm.String)\", filterable=True, permission_filter=PermissionFilter.USER_IDS),\n",
-    "        SearchField(name=\"groups\", type=\"Collection(Edm.String)\", filterable=True, permission_filter=PermissionFilter.GROUP_IDS),\n",
+    "        SearchField(name=\"oids\", type=\"Collection(Edm.String)\", filterable=True, retrievable=True, permission_filter=PermissionFilter.USER_IDS),\n",
+    "        SearchField(name=\"groups\", type=\"Collection(Edm.String)\", filterable=True, retrievable=True, permission_filter=PermissionFilter.GROUP_IDS),\n",
     "        SearchField(name=\"metadata_storage_path\", type=\"Edm.String\", searchable=True),\n",
     "        SearchField(name=\"metadata_storage_name\", type=\"Edm.String\", searchable=True)\n",
     "    ],\n",
@@ -83,7 +129,9 @@
    "id": "2b8945a2",
    "metadata": {},
    "source": [
-    "## 3. Create data source"
+    "## Create a data source\n",
+    "\n",
+    "Set the `IndexerPermissionOption` so that the indexer knows to retrieve the permission metadata."
    ]
   },
   {
@@ -113,7 +161,9 @@
    "id": "ff5b912d",
    "metadata": {},
    "source": [
-    "## 4. Get group ids"
+    "## Get group IDs\n",
+    "\n",
+    "This step calls the Graph APIs to get a few group IDs for your Microsoft Entra identity. Your group IDs will be added to the access control list of the objects created in the next step. Two group identifiers are retrieved. Each one is assigned to a different file."
    ]
   },
   {
@@ -136,7 +186,9 @@
    "id": "20588dc3",
    "metadata": {},
    "source": [
-    "## 5. Upload sample directory and file"
+    "## Upload sample directory and file\n",
+    "\n",
+    "This step creates the container, folders, and uploads the files into Azure Storage. It assigns your group IDs to to the access control list for each folder."
    ]
   },
   {
@@ -179,7 +231,9 @@
    "id": "ca6de2ad",
    "metadata": {},
    "source": [
-    "## 6. Run indexer"
+    "## Run the indexer\n",
+    "\n",
+    "Start the indexer to run all operations, from data retrieval to indexing. Any connection errors or permission problems become evident here."
    ]
   },
   {
@@ -210,7 +264,9 @@
    "id": "987dd496",
    "metadata": {},
    "source": [
-    "## 7. Search sample data using x-ms-query-source-authorization "
+    "## Search sample data using x-ms-query-source-authorization\n",
+    "\n",
+    "This query uses an empty search string (`*`) to provide an unqualified search. It returns the file name and permission metadata associated with each file. Notice that each file is associated with a different group ID."
    ]
   },
   {
@@ -233,7 +289,9 @@
    "id": "c712ab8c",
    "metadata": {},
    "source": [
-    "## 8. Search sample data without x-ms-query-source-authorization "
+    "## Search sample data without x-ms-query-source-authorization \n",
+    "\n",
+    "This step demonstrates the user experience when authorization fails. No results are returned in the response."
    ]
   },
   {
@@ -250,6 +308,16 @@
     "for result in results:\n",
     "    print(f\"Path: {result['metadata_storage_path']}, OID: {result['oids']}, Group: {result['groups']}\")"
    ]
+  },
+  {
+   "cell_type": "markdown",
+   "id": "e1ac3c84",
+   "metadata": {},
+   "source": [
+    "## Next steps\n",
+    "\n",
+    "To learn more, see [Document-level access control in Azure AI Search](https://learn.microsoft.com/azure/search/search-document-level-access-overview)."
+   ]
   }
  ],
  "metadata": {

Quickstart-Agentic-Retrieval/requirements.txt

@@ -0,0 +1,8 @@
+azure-identity
+aiohttp
+ipykernel
+dotenv
+requests
+msgraph-sdk
+azure-storage-file-datalake
+azure-search-documents==11.6.0b12

…t-Permissions/document-permissions.ipynb …-API/document-permissions-pull-api.ipynbQuickstart-Document-Permissions/document-permissions.ipynb renamed to Quickstart-Document-Permissions-Pull-API/document-permissions-pull-api.ipynb Quickstart-Document-Permissions/document-permissions.ipynb renamed to Quickstart-Document-Permissions-Pull-API/document-permissions-pull-api.ipynb

@@ -0,0 +1,8 @@
+AZURE_SEARCH_ENDPOINT=https://your-search-service.search.windows.net
+AZURE_SEARCH_INDEX=document-permissions-indexer-idx
+AZURE_SEARCH_INDEXER=document-permissions-indexer-idxr
+AZURE_SEARCH_DATASOURCEdocument-permissions-indexer-ds
+AZURE_STORAGE_ACCOUNT_NAME=
+AZURE_STORAGE_CONTAINER_NAME=
+AZURE_STORAGE_CONNECTION_STRING=
+AZURE_STORAGE_RESOURCE_ID=

Quickstart-Document-Permissions-Pull-API/requirements.txt

@@ -5,15 +5,33 @@
    "id": "810ce279",
    "metadata": {},
    "source": [
-    "## ACL Quickstart for Azure AI Search"
+    "# Document-level access example using the push document APIs\n",
+    "\n",
+    "In Azure AI Search, you can upload any JSON document payload to a search index for indexing. This notebook shows you how index documents that contain [user access permissions at the document level](azure/search/search-document-level-access-overview), and then query the index to return only those results that the user is authorized to view.\n",
+    "\n",
+    "The security principal behind the query access token determines the \"user\". The permission metadata in the document determines whether the user has authorization to the content. Internally, the search engine filters out any documents that aren't associated with the security principal.\n",
+    "\n",
+    "This feature is currently in preview.\n",
+    "\n",
+    "For an alternative approaching using indexers and pull API, see [Quickstart-Document-Permissions-Pull-API](../Quickstart-Document-Permissions-Pull-API/document-permissions-pull-api.ipynb).\n"
    ]
   },
   {
    "cell_type": "markdown",
    "id": "b6585426",
    "metadata": {},
    "source": [
-    "## 1. Load Connections"
+    "## Set the environment variables\n",
+    "\n",
+    "1. Rename `sample.env` to `.env`.\n",
+    "1. In the `.env` file, provide a full endpoint to your search service (https://your-search-service.search.windows.net).\n",
+    "1. Rename the default index name if you \n",
+    "\n",
+    "## Load Connections\n",
+    "\n",
+    "We recommend creating a virtual environment to run this sample code. In Visual Studio Code, open the control palette (ctrl-shift-p) to create an environment. This notebook was tested on Python 3.10.\n",
+    "\n",
+    "Once your environment is created, load the environment variables."
    ]
   },
   {
@@ -30,7 +48,7 @@
     "load_dotenv(override=True) # take environment variables from .env.\n",
     "\n",
     "# The following variables from your .env file are used in this notebook\n",
-    "endpoint = os.environ[\"AZURE_SEARCH_ENDPOINT\"]\n",
+    "endpoint = os.environ[\"AZURE_SEARCH_ENDPOINT\", \"\"]\n",
     "credential = DefaultAzureCredential()\n",
     "index_name = os.getenv(\"AZURE_SEARCH_INDEX\", \"acl-sample\")\n",
     "token_provider = get_bearer_token_provider(credential, \"https://search.azure.com/.default\")\n"
@@ -41,7 +59,11 @@
    "id": "9327cf01",
    "metadata": {},
    "source": [
-    "## 2. Create Sample Index"
+    "## Create Sample Index\n",
+    "\n",
+    "The search index must includes fields for your content and for permission metadata. Assign the new permission filter option to a string filter and make sure the field is filterable. \n",
+    "\n",
+    "For local testing, `retrievable` can be **true**, but be sure to change it back to **false** if you make the solution available to others."
    ]
   },
   {
@@ -59,8 +81,8 @@
     "    name=index_name,\n",
     "    fields=[\n",
     "        SearchField(name=\"id\", type=\"Edm.String\", key=True, filterable=True, sortable=True),\n",
-    "        SearchField(name=\"oid\", type=\"Collection(Edm.String)\", filterable=True, permission_filter=PermissionFilter.USER_IDS),\n",
-    "        SearchField(name=\"group\", type=\"Collection(Edm.String)\", filterable=True, permission_filter=PermissionFilter.GROUP_IDS),\n",
+    "        SearchField(name=\"oid\", type=\"Collection(Edm.String)\", retrievable=True, filterable=True, permission_filter=PermissionFilter.USER_IDS),\n",
+    "        SearchField(name=\"group\", type=\"Collection(Edm.String)\", retrievable=True, filterable=True, permission_filter=PermissionFilter.GROUP_IDS),\n",
     "        SearchField(name=\"name\", type=\"Edm.String\", searchable=True)\n",
     "    ],\n",
     "    permission_filter_option=SearchIndexPermissionFilterOption.ENABLED\n",
@@ -75,7 +97,9 @@
    "id": "f5cf4169",
    "metadata": {},
    "source": [
-    "## 3. Connect to Graph to find your oid and groups"
+    "## Connect to Graph to find your oid and groups\n",
+    "\n",
+    "This step calls the Graph APIs to get a few group IDs for your Microsoft Entra identity. Your group IDs will be added to the access control list of the objects created in the next step."
    ]
   },
   {
@@ -98,7 +122,9 @@
    "id": "a9ce6d0f",
    "metadata": {},
    "source": [
-    "## 4. Upload Sample Data"
+    "## Upload Sample Data\n",
+    "\n",
+    "This step creates the container, folders, and uploads documents into Azure Storage. It assigns your group IDs to to the access control list for each folder."
    ]
   },
   {
@@ -127,7 +153,9 @@
    "id": "e5c93f76",
    "metadata": {},
    "source": [
-    "## 5. Search sample data with x-ms-query-source-authorization"
+    "## Search sample data with x-ms-query-source-authorization\n",
+    "\n",
+    "This query uses an empty search string (`*`) to provide an unqualified search. It returns the file name and permission metadata associated with each file. Notice that each file is associated with a different group ID."
    ]
   },
   {
@@ -148,7 +176,9 @@
    "id": "d31b67d8",
    "metadata": {},
    "source": [
-    "## 6. Search sample data without x-ms-query-source-authorization"
+    "## Search sample data without x-ms-query-source-authorization \n",
+    "\n",
+    "This step demonstrates the user experience when authorization fails. No results are returned in the response."
    ]
   },
   {
@@ -163,6 +193,16 @@
     "for result in results:\n",
     "    print(f\"Name: {result['name']}, OID: {result['oid']}, Group: {result['group']}\")"
    ]
+  },
+  {
+   "cell_type": "markdown",
+   "id": "5ad253ec",
+   "metadata": {},
+   "source": [
+    "## Next steps\n",
+    "\n",
+    "To learn more, see [Document-level access control in Azure AI Search](https://learn.microsoft.com/azure/search/search-document-level-access-overview)."
+   ]
   }
  ],
  "metadata": {

Quickstart-Document-Permissions-Pull-API/sample.env

@@ -0,0 +1,7 @@
+azure-identity
+aiohttp
+ipykernel
+dotenv
+requests
+msgraph-sdk
+azure-search-documents==11.6.0b12

Quickstart-ACL/acl.ipynb …-API/document-permissions-push-api.ipynbQuickstart-ACL/acl.ipynb renamed to Quickstart-Document-Permissions-Push-API/document-permissions-push-api.ipynb Quickstart-ACL/acl.ipynb renamed to Quickstart-Document-Permissions-Push-API/document-permissions-push-api.ipynb

@@ -1,2 +1,2 @@
 AZURE_SEARCH_ENDPOINT=https://your-search-service.search.windows.net
-AZURE_SEARCH_INDEX_NAME=acl-sample
+AZURE_SEARCH_INDEX=acl-sample