articles/search/search-query-acls-rbac-enforcement.md
Lines changed: 9 additions & 7 deletions
@@ -1,7 +1,7 @@
1
1
---
2
-
title: Query-Time ACL and RBAC Enforcement in Azure AI Search
2
+
title: Query-Time ACL and RBAC Enforcement in ADLS Gen2 Indexes
3
3
titleSuffix: Azure AI Search
4
-
description: Learn how query-time ACL and RBAC enforcement ensures secure document retrieval in Azure AI Search.
4
+
description: Learn how query-time ACL and RBAC enforcement ensures secure document retrieval in Azure AI Search for indexes containing permission filters from Azure Data Lake Storage (ADLS) Gen2 data sources.
5
5
ms.service: azure-ai-search
6
6
ms.topic: conceptual
7
7
ms.date: 04/23/2025
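Review bot: the new front-matter `title` (`Query-Time ACL and RBAC Enforcement in ADLS Gen2 Indexes`) no longer matches the page's H1, which the next hunk leaves as `# Query-Time ACL and RBAC Enforcement in Azure AI Search`; align the two so the browser title and the rendered heading agree, or keep the H1 generic on purpose and say so in the description. The expanded `description` reads well and correctly scopes the feature to indexes whose permission filters come from ADLS Gen2; `ms.date` is untouched in this hunk even though the page content changes, so check whether the repository's conventions expect it to be bumped alongside a content edit.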
@@ -11,21 +11,24 @@ ms.author: magottei
11
11
12
12
# Query-Time ACL and RBAC Enforcement in Azure AI Search
13
13
14
-
Query-time Access Control ensures that users only retrieve search results they are authorized to access, based on their identity, group memberships, roles, or attributes. This functionality is essential for secure enterprise search and compliance-driven workflows.
14
+
Query-time access control ensures that users only retrieve search results they are authorized to access, based on their identity, group memberships, roles, or attributes. This functionality is essential for secure enterprise search and compliance-driven workflows.
15
15
16
16
## Requirements
17
-
- ADLS Gen2 data source configured ACLs and/or RBAC roles at container level, or permissions manually pushed into the index.
17
+
-Azure Data Lake Storage (ADLS) Gen2 data source configured ACLs and/or RBAC roles at container level, or permissions manually pushed into the index.
18
18
- Configure document ACL and RBAC role functionality as required using Azure AI Search [built-in indexers](search-indexer-acls-rbac.md) or when indexing the documents [using the API directly](search-indexing-acls-rbac-push-api.md).
19
19
20
20
21
-
## How Query-Time Enforcement Works
21
+
## How query-time enforcement works
22
+
23
+
This section lists the order of operations for ACL enforcement at query time.
24
+
22
25
### 1. User Permissions Input
23
26
The end-user application sends user permission as part of the search query request. The following table lists the source of the user permissions Azure AI Search uses for ACL enforcement:
24
27
25
28
| Permission Type | Source |
26
29
| - | - |
27
30
| userIds |`oid` from `x-ms-query-source-authorization` token |
28
-
| groupIds | Group membership fetched using the [Microsoft Graph](https://learn.microsoft.com/graph/api/resources/groups-overview?view=graph-rest-1.0&tabs=http) API |
31
+
| groupIds | Group membership fetched using the [Microsoft Graph](/graph/api/resources/groups-overview) API |
29
32
| rbacScope | Permissions the user from `x-ms-query-source-authorization` has on a storage container |
30
33
31
34
### 2. Security Filter Construction
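Review bot: the rewritten requirements bullet `-Azure Data Lake Storage (ADLS) Gen2 data source configured ACLs and/or RBAC roles at container level, ...` drops the space after the leading hyphen, so Markdown will render it as a paragraph starting with "-Azure" rather than as the first item of the list; restore `- Azure Data Lake Storage (ADLS) Gen2 ...`. While here, the bullet still reads awkwardly ("data source configured ACLs"); "An ADLS Gen2 data source with ACLs and/or RBAC roles configured at container level, or permissions pushed into the index manually" states the same requirement more clearly. The heading is changed to sentence case (`## How query-time enforcement works`) but the sub-headings in the unchanged context (`### 1. User Permissions Input`, `### 2. Security Filter Construction`) stay in title case; pick one convention for the page. The Graph link switching to the site-relative `/graph/api/resources/groups-overview` is consistent with the other relative links in the file and avoids pinning an API version in the URL.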
@@ -37,7 +40,6 @@ The security filter efficiently matches the userIds, groupIds and rbacScope from
37
40
---
38
41
39
42
## Limitations
40
-
- Provide limitations of the features
41
43
- If ACL evaluation fails (for example, Graph API is unavailable), the service returns **5xx** and does **not** return a partially filtered result set.
42
44
- Document visibility requires both:
43
45
1) the calling application’s RBAC role (Authorization header), and
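Review bot: removing `- Provide limitations of the features` is right, since that line is a template placeholder for the author rather than content and should not be in a published page; it is worth a quick scan of the rest of the file for similar leftover prompts. The bullet that now heads the list is the security-relevant one: it states that when ACL evaluation fails (for example, Graph API unavailable) the service returns **5xx** and does **not** return a partially filtered result set. Consider adding one sentence on what the calling application should do in that case (surface the error or retry, not fall back to an unfiltered query), since a client-side fallback is the way that fail-closed behaviour gets undone in practice.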