|
1 | 1 | ---
|
2 |
| -title: Query-Time ACL and RBAC Enforcement in ADLS Gen2 Indexes |
| 2 | +title: Query-Time ACL and RBAC Enforcement |
3 | 3 | titleSuffix: Azure AI Search
|
4 |
| -description: Learn how query-time ACL and RBAC enforcement ensures secure document retrieval in Azure AI Search for indexes containing permission filters from Azure Data Lake Storage (ADLS) Gen2 data sources. |
| 4 | +description: Learn how query-time ACL and RBAC enforcement ensures secure document retrieval in Azure AI Search for indexes containing permission filters, such as those from Azure Data Lake Storage (ADLS) Gen2 data sources. |
5 | 5 | ms.service: azure-ai-search
|
6 | 6 | ms.topic: conceptual
|
7 |
| -ms.date: 04/23/2025 |
| 7 | +ms.date: 05/15/2025 |
8 | 8 | author: mattgotteiner
|
9 | 9 | ms.author: magottei
|
10 | 10 | ---
|
11 | 11 |
|
12 | 12 | # Query-Time ACL and RBAC enforcement in Azure AI Search
|
13 | 13 |
|
14 |
| -Query-time access control ensures that users only retrieve search results they're authorized to access, based on their identity, group memberships, roles, or attributes. This functionality is essential for secure enterprise search and compliance-driven workflows. |
| 14 | +Query-time access control ensures that users only retrieve search results they're authorized to access, based on their identity, group memberships, roles, or attributes. This functionality is essential for secure enterprise search and compliance-driven workflows. |
15 | 15 |
|
16 |
| -## Requirements |
17 |
| -- Azure Data Lake Storage (ADLS) Gen2 data source configured ACLs and/or RBAC roles at container level, or permissions manually pushed into the index. |
18 |
| -- Configure document ACL and RBAC role functionality as required using Azure AI Search [built-in indexers](search-indexer-access-control-lists-and-role-based-access.md) or when indexing the documents [using the API directly](search-index-access-control-lists-and-rbac-push-api.md). |
| 16 | +Azure Data Lake Storage (ADLS) Gen2 provides an access model that makes fine-grained access control easier to implement, but you can use other data sources, providing you use the push APIs and you send documents that include permission metadata alongside other indexable fields. |
19 | 17 |
|
| 18 | +## Requirements |
| 19 | + |
| 20 | +- Permission metadata must be in `filterable` string fields. |
| 21 | + |
| 22 | +- Permission metadata must consist of either POSIX-style permissions that identify the level of access and the group or user ID, or the resource ID of the container or blob in ADLS Gen2 if you're using `rbacscope` and A |
| 23 | + |
| 24 | +- For ADLS Gen2 data sources, you must have configured Access Control Lists (ACLs) and/or Azure role-based access control (RBAC) roles at the container level. You can use a [built-in indexer](search-indexer-access-control-lists-and-role-based-access.md) or [Push APIs](search-index-access-control-lists-and-rbac-push-api.md) to index permission metadata in your index. |
| 25 | + |
| 26 | +- Use the 2025-05-01-preview REST API or a prerelease package of an Azure SDK to query the index. |
20 | 27 |
|
21 | 28 | ## How query-time enforcement works
|
22 | 29 |
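Review bot: the new requirements bullet at line 22 ("Permission metadata must consist of either POSIX-style permissions ... or the resource ID of the container or blob in ADLS Gen2 if you're using `rbacscope` and A") is cut off mid-sentence, so the reader is never told what `rbacscope` pairs with or how the two permission formats map to fields; finish that sentence before merging, since this bullet is the only place the page states what the filterable permission fields must contain. Minor style point on the new paragraph at line 16: "providing you use the push APIs and you send documents" reads more cleanly as "provided that you use the push APIs and send documents".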