|
| 1 | +--- |
| 2 | +title: Query-Time ACL and RBAC Enforcement in ADLS Gen2 Indexes |
| 3 | +titleSuffix: Azure AI Search |
| 4 | +description: Learn how query-time ACL and RBAC enforcement ensures secure document retrieval in Azure AI Search for indexes containing permission filters from Azure Data Lake Storage (ADLS) Gen2 data sources. |
| 5 | +ms.service: azure-ai-search |
| 6 | +ms.topic: conceptual |
| 7 | +ms.date: 04/23/2025 |
| 8 | +author: mattgotteiner |
| 9 | +ms.author: magottei |
| 10 | +--- |
| 11 | + |
| 12 | +# Query-Time ACL and RBAC enforcement in Azure AI Search |
| 13 | + |
| 14 | +Query-time access control ensures that users only retrieve search results they're authorized to access, based on their identity, group memberships, roles, or attributes. This functionality is essential for secure enterprise search and compliance-driven workflows. |
| 15 | + |
| 16 | +## Requirements |
| 17 | +- Azure Data Lake Storage (ADLS) Gen2 data source configured ACLs and/or RBAC roles at container level, or permissions manually pushed into the index. |
| 18 | +- Configure document ACL and RBAC role functionality as required using Azure AI Search [built-in indexers](search-indexer-access-control-lists-and-role-based-access.md) or when indexing the documents [using the API directly](search-index-access-control-lists-and-rbac-push-api.md). |
| 19 | + |
| 20 | + |
| 21 | +## How query-time enforcement works |
| 22 | + |
| 23 | +This section lists the order of operations for ACL enforcement at query time. |
| 24 | + |
| 25 | +### 1. User permissions input |
| 26 | +The end-user application sends user permission as part of the search query request. The following table lists the source of the user permissions Azure AI Search uses for ACL enforcement: |
| 27 | + |
| 28 | +| Permission type | Source | |
| 29 | +| - | - | |
| 30 | +| userIds | `oid` from `x-ms-query-source-authorization` token | |
| 31 | +| groupIds | Group membership fetched using the [Microsoft Graph](/graph/api/resources/groups-overview) API | |
| 32 | +| rbacScope | Permissions the user from `x-ms-query-source-authorization` has on a storage container | |
| 33 | + |
| 34 | +### 2. Security filter construction |
| 35 | +Azure AI Search dynamically constructs security filters based on the user permissions provided. These security filters are automatically appended to any filters that might come in with the query if the index has the permission filter option enabled. |
| 36 | + |
| 37 | +### 3. Results filtering |
| 38 | +The security filter efficiently matches the userIds, groupIds, and rbacScope from the user against each list of ACLs in every document in the search index to limit the results returned to ones the user has access to. It's important to note that each filter is applied independently and a document is considered authorized if any filter succeeds. For example, if a user has access to a document through userIds but not through groupIds, the document is still considered valid and returned to the user. |
| 39 | + |
| 40 | +## Limitations |
| 41 | +- If ACL evaluation fails (for example, Graph API is unavailable), the service returns **5xx** and does **not** return a partially filtered result set. |
| 42 | +- Document visibility requires both: |
| 43 | + - the calling application’s RBAC role (Authorization header), and |
| 44 | + - the user identity carried by **x-ms-query-source-authorization**. |
| 45 | + |
| 46 | +## Next steps |
| 47 | +* [How to Index Permission Information](tutorial-adls-gen2-indexer-acls.md) provides a detailed walkthrough of how to set up an index with ACLs using Azure Search indexers. |
| 48 | +* [Indexing ACLs and RBAC using Push API in Azure AI Search](search-index-access-control-lists-and-rbac-push-api.md) provides a walkthrough of how to set up an index with ACLs using the push API. |
0 commit comments