articles/search/search-document-level-access-overview.md
8 additions & 6 deletions
@@ -4,7 +4,7 @@ titleSuffix: Azure AI Search
4
4
description: Conceptual overview of document-level permissions in Azure AI Search.
5
5
author: gmndrg
6
6
ms.author: gimondra
7
-
ms.date: 06/06/2025
7
+
ms.date: 07/03/2025
8
8
ms.service: azure-ai-search
9
9
ms.topic: conceptual
10
10
ms.custom:
@@ -20,11 +20,11 @@ Azure AI Search supports document-level access control, enabling organizations t
20
20
| Approach | Description |
21
21
|----------|-------------|
22
22
| Security filters | String comparison. Your application passes in a user or group identity as a string, which populates a filter on a query, excluding any documents that don't match on the string. <br><br>Security filters are a technique for achieving document-level access control. This approach isn't bound to an API so you can use any version or package. |
23
-
| ACLs (preview) | Microsoft Entra ID security principal behind the query token is compared to the permission metadata of documents returned in search results, excluding any documents that don't match on permissions. <br><br>Built-in access control list (ACL) support for principals is in preview, available in REST APIs and prerelease Azure SDK packages that provide the feature. |
23
+
| ACLs / RBAC scopes (preview) | Microsoft Entra ID security principal behind the query token is compared to the permission metadata of documents returned in search results, excluding any documents that don't match on permissions. <br><br>Built-in support for preserving Access Control Lists (ACLs) and Azure Data Lake Storage (ADLS) Gen2 Role-Based Access Control (RBAC) container scopes at the file level for security principals is in preview, available in REST APIs and prerelease Azure SDK packages that provide the feature. |
24
24
25
25
## Pattern for security trimming using filters
26
26
27
-
For scenarios where native ACL integration isn't viable, we recommend security filters for trimming results based on exclusion criteria. The pattern includes the following components:
27
+
For scenarios where native ACL/RBAC scopes integration isn't viable, we recommend security filters for trimming results based on exclusion criteria. The pattern includes the following components:
28
28
29
29
- Create a string field in the index to store strings of user or group identities.
30
30
- Load the index with source documents that include a field containing the identities.
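Review bot: In the new "ACLs / RBAC scopes (preview)" table row, "RBAC container scopes at the file level" mixes two granularities, and the later hunk describes the same feature as preservation "at document level". Pick one term (the description line uses "document-level") and add a sentence on how a container-scoped role applies to each document, because the first sentence of the cell still only describes matching on "permission metadata". In the changed intro sentence of the security trimming section, "native ACL/RBAC scopes integration" would read better as "native ACL or RBAC scope integration".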
@@ -36,9 +36,11 @@ You can use push or pull model APIs. Because this approach is API agnostic, you
36
36
37
37
This approach is useful for systems with custom access models or non-Microsoft security frameworks. For more information this approach, see [Security filters for trimming results in Azure AI Search](search-security-trimming-for-azure-search.md).
38
38
39
-
## Pattern for native support for POSIX-like ACL permissions (preview)
39
+
## Pattern for native support for POSIX-like ACL and RBAC scope permissions (preview)
40
40
41
-
Native support is based on Microsoft Entra ID user and group access IDs affiliated with documents that you want to index and query. We recommend group access IDs for ease of management. The pattern includes the following components:
41
+
Native support is based on Microsoft Entra ID user and group access IDs affiliated with documents that you want to index and query. ADLS container RBAC scopes preservation at document level is also supported.
42
+
43
+
For ACLs, we recommend group access IDs for ease of management. The pattern includes the following components:
42
44
43
45
- Start with documents or files that have ACL assignments.
44
46
-[Enable permission filters](/rest/api/searchservice/indexes/create-or-update?view=rest-searchservice-2025-05-01-preview&preserve-view=true#searchindexpermissionfilteroption) in the index.
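Review bot: The added sentence "ADLS container RBAC scopes preservation at document level is also supported" is the only coverage of RBAC scopes under a heading that now promises a pattern for them; the component list that follows still starts from "documents or files that have ACL assignments". Either add the RBAC scope equivalent of those steps or point to the ADLS Gen2 indexer article for it, and reword the sentence to "Preserving ADLS container RBAC scopes at the document level is also supported." The unchanged context line "For more information this approach" is missing "about" and could be fixed in the same change.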
@@ -99,4 +101,4 @@ Take a closer look at document-level access control in Azure AI Search with more
99
101
100
102
-[How to index document-level permissions using push API](search-index-access-control-lists-and-rbac-push-api.md)
101
103
-[How to index document-level permissions using the ADLS Gen2 indexer](search-indexer-access-control-lists-and-role-based-access.md)
102
-
-[How to query using Microsoft Entra token-based permissions](https://aka.ms/azs-query-preserving-permissions)
104
+
-[How to query using Microsoft Entra token-based permissions](https://aka.ms/azs-query-preserving-permissions)
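Review bot: The removed and added versions of the final link line are identical as rendered, so this looks like a whitespace or end-of-file newline change. Confirm that nothing else was intended here, such as an updated link target to go with the new RBAC scope wording.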