You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/search/search-query-access-control-rbac-enforcement.md
+7-9Lines changed: 7 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -22,28 +22,26 @@ Query-time access control ensures that users only retrieve search results they'r
22
22
23
23
This section lists the order of operations for ACL enforcement at query time.
24
24
25
-
### 1. User Permissions Input
25
+
### 1. User permissions input
26
26
The end-user application sends user permission as part of the search query request. The following table lists the source of the user permissions Azure AI Search uses for ACL enforcement:
27
27
28
-
| Permission Type| Source |
28
+
| Permission type| Source |
29
29
| - | - |
30
30
| userIds |`oid` from `x-ms-query-source-authorization` token |
31
31
| groupIds | Group membership fetched using the [Microsoft Graph](/graph/api/resources/groups-overview) API |
32
32
| rbacScope | Permissions the user from `x-ms-query-source-authorization` has on a storage container |
33
33
34
-
### 2. Security Filter Construction
34
+
### 2. Security filter construction
35
35
Azure AI Search dynamically constructs security filters based on the user permissions provided. These security filters are automatically appended to any filters that might come in with the query if the index has the permission filter option enabled.
36
36
37
-
### 3. Results Filtering
37
+
### 3. Results filtering
38
38
The security filter efficiently matches the userIds, groupIds, and rbacScope from the user against each list of ACLs in every document in the search index to limit the results returned to ones the user has access to. It's important to note that each filter is applied independently and a document is considered authorized if any filter succeeds. For example, if a user has access to a document through userIds but not through groupIds, the document is still considered valid and returned to the user.
39
39
40
-
---
41
-
42
40
## Limitations
43
41
- If ACL evaluation fails (for example, Graph API is unavailable), the service returns **5xx** and does **not** return a partially filtered result set.
44
-
- Document visibility requires both:
45
-
1) the calling application’s RBAC role (Authorization header), and
46
-
2) the user identity carried by **x-ms-query-source-authorization**.
42
+
- Document visibility requires both:
43
+
- the calling application’s RBAC role (Authorization header), and
44
+
- the user identity carried by **x-ms-query-source-authorization**.
47
45
48
46
## Next steps
49
47
*[How to Index Permission Information](tutorial-adls-gen2-indexer-acls.md) provides a detailed walkthrough of how to set up an index with ACLs using Azure Search indexers.
0 commit comments