Merge pull request #231947 from HeidiSteen/heidist-refresh

Court72 · web-flow · commit aeebcdf06ad8 · 2023-03-24T16:15:33.000-06:00
[azure search] Security trimming doc updates
diff --git a/articles/search/TOC.yml b/articles/search/TOC.yml
@@ -238,7 +238,7 @@
       items:
       - name: Security filters
         href: search-security-trimming-for-azure-search.md
-      - name: Filter on user identities
+      - name: Security filters with Azure AD
         href: search-security-trimming-for-azure-search-with-aad.md
   - name: Development
     items:
diff --git a/articles/search/search-security-trimming-for-azure-search-with-aad.md b/articles/search/search-security-trimming-for-azure-search-with-aad.md
@@ -7,15 +7,16 @@ manager: nitinme
 author: HeidiSteen
 ms.author: heidist
 ms.service: cognitive-search
-ms.topic: conceptual
-ms.date: 01/30/2023
+ms.topic: how-to
+ms.date: 03/24/2023
 ms.custom: devx-track-csharp
 ---
 # Security filters for trimming Azure Cognitive Search results using Active Directory identities
 
 This article demonstrates how to use Azure Active Directory (AD) security identities together with filters in Azure Cognitive Search to trim search results based on user group membership.
 
 This article covers the following tasks:
+
 > [!div class="checklist"]
 > - Create Azure AD groups and users
 > - Associate the user with the group you have created
@@ -30,23 +31,23 @@ This article covers the following tasks:
 
 Your index in Azure Cognitive Search must have a [security field](search-security-trimming-for-azure-search.md) to store the list of group identities having read access to the document. This use case assumes a one-to-one correspondence between a securable item (such as an individual's college application) and a security field specifying who has access to that item (admissions personnel).
 
-You must have Azure AD administrator permissions (Owner or administrator), required in this walkthrough for creating users, groups, and associations. 
+You must have Azure AD administrator permissions (Owner or administrator) to create users, groups, and associations. 
 
 Your application must also be registered with Azure AD as a multi-tenant app, as described in the following procedure.
 
 ### Register your application with Azure Active Directory
 
 This step integrates your application with Azure AD for the purpose of accepting sign-ins of user and group accounts. If you aren't a tenant admin in your organization, you might need to [create a new tenant](../active-directory/develop/quickstart-create-new-tenant.md) to perform the following steps.
 
-1. In [Azure portal](https://portal.azure.com), find the Azure Active Directory resource for your subscription.
+1. In [Azure portal](https://portal.azure.com), find the Azure Active Directory tenant.
 
 1. On the left, under **Manage**, select **App registrations**, and then select **New registration**.
 
-1. Give the registration a name, perhaps a name that is similar to the search application name. Select **Register**.
+1. Give the registration a name, perhaps a name that's similar to the search application name. Select **Register**.
 
-1. Once the app registration is created, copy the Application ID. You'll need to provide this string to your application.
+1. Once the app registration is created, copy the Application (client) ID. You'll need to provide this string to your application.
 
-   If you're stepping through the [DotNetHowToSecurityTrimming](https://github.com/Azure-Samples/search-dotnet-getting-started/tree/master/DotNetHowToEncryptionUsingCMK), paste this value into the **app.config** file.
+   If you're stepping through the [DotNetHowToSecurityTrimming](https://github.com/Azure-Samples/search-dotnet-getting-started/tree/master/DotNetHowToSecurityTrimming), paste this value into the **app.config** file.
 
    Repeat for the Tenant ID.
 
@@ -62,7 +63,9 @@ This step integrates your application with Azure AD for the purpose of accepting
    - **Group.ReadWrite.All**
    - **User.ReadWrite.All**
 
-Microsoft Graph provides an API that allows programmatic access to Azure AD through a REST API. The code sample for this walkthrough uses the permissions to call the Microsoft Graph API for creating groups, users, and associations. The APIs are also used to cache group identifiers for faster filtering.
+    Microsoft Graph provides an API that allows programmatic access to Azure AD through a REST API. The code sample for this walkthrough uses the permissions to call the Microsoft Graph API for creating groups, users, and associations. The APIs are also used to cache group identifiers for faster filtering.
+
+1. Select **Grant admin consent for tenant** to complete the consent process.
 
 ## Create users and groups
 
@@ -143,7 +146,7 @@ IndexDocumentsResult result = searchClient.IndexDocuments(batch);
 
 ## Issue a search request
 
-For security trimming purposes, the values in your security field in the index are static values used for including or excluding documents in search results. For example, if the group identifier for Admissions is "A11B22C33D44-E55F66G77-H88I99JKK", any documents in an Azure Cognitive Search index having that identifier in the security filed are included (or excluded) in the search results sent back to the requestor.
+For security trimming purposes, the values in your security field in the index are static values used for including or excluding documents in search results. For example, if the group identifier for Admissions is "A11B22C33D44-E55F66G77-H88I99JKK", any documents in an Azure Cognitive Search index having that identifier in the security field are included (or excluded) in the search results sent back to the caller.
 
 To filter documents returned in search results based on groups of the user issuing the request, review the following steps.
 
diff --git a/articles/search/search-security-trimming-for-azure-search.md b/articles/search/search-security-trimming-for-azure-search.md
@@ -7,61 +7,89 @@ manager: nitinme
 author: HeidiSteen
 ms.author: heidist
 ms.service: cognitive-search
-ms.topic: conceptual
-ms.date: 01/30/2023
+ms.topic: how-to
+ms.date: 03/24/2023
 ---
 
 # Security filters for trimming results in Azure Cognitive Search
 
-You can apply security filters to trim search results in Azure Cognitive Search based on user identity. This search experience generally requires comparing the identity of whoever requests the search against a field containing the principals who have permissions to the document. When a match is found, the user or principal (such as a group or role) has access to that document.
+Cognitive Search doesn't provide document-level permissions and can't vary search results from within the same index by user permissions. As a workaround, you can create a filter that trims search results based on a string containing a group or user identity.
 
-One way to achieve security filtering is through a complicated disjunction of equality expressions: for example, `Id eq 'id1' or Id eq 'id2'`, and so forth. This approach is error-prone, difficult to maintain, and in cases where the list contains hundreds or thousands of values, slows down query response time by many seconds. 
+This article describes a pattern for security filtering that includes following steps:
 
-A simpler and faster approach is through the `search.in` function. If you use `search.in(Id, 'id1, id2, ...')` instead of an equality expression, you can expect sub-second response times.
-
-This article shows you how to accomplish security filtering using the following steps:
 > [!div class="checklist"]
-> * Create a field that contains the principal identifiers 
-> * Push or update existing documents with the relevant principal identifiers
-> * Issue a search request with `search.in` `filter`
+> * Assemble source documents with the required content
+> * Create a field for the principal identifiers 
+> * Push the documents to the search index for indexing
+> * Query the index with the `search.in` filter function
+
+## About the security filter pattern
+
+Although Cognitive Search doesn't integrate with security subsystems for access to content within an index, many customers who have document-level security requirements have found that filters can meet their needs.
+
+In Cognitive Search, a security filter is a regular OData filter that includes or excludes a search result based on a matching value, except that in a security filter, the criteria is a string consisting of a security principal. There's no authentication or authorization through the security principal. The principal is just a string, used in a filter expression, to include or exclude a document from the search results.
 
->[!NOTE]
-> The process of retrieving the principal identifiers is not covered in this document. You should get it from your identity service provider.
+There are several ways to achieve security filtering. One way is through a complicated disjunction of equality expressions: for example, `Id eq 'id1' or Id eq 'id2'`, and so forth. This approach is error-prone, difficult to maintain, and in cases where the list contains hundreds or thousands of values, slows down query response time by many seconds. 
+
+A better solution is using the `search.in` function for security filters, as described in this article. If you use `search.in(Id, 'id1, id2, ...')` instead of an equality expression, you can expect subsecond response times.
 
 ## Prerequisites
 
-This article assumes you have an [Azure subscription](https://azure.microsoft.com/pricing/free-trial/?WT.mc_id=A261C142F), an[Azure Cognitive Search service](search-create-service-portal.md), and an [index](search-what-is-an-index.md).  
+* The field containing group or user identity must be a string with the "filterable" attribute. It should be a collection. It shouldn't allow nulls.
+
+* Other fields in the same document should provide the content that's accessible to that group or user. In the following JSON documents, the "security_id" fields contain identities used in a security filter, and the name, salary, and marital status will be included if the identity of the caller matches the "security_id" of the document.
+
+    ```json
+    {  
+        "Employee-1": {  
+            "id": "100-1000-10-1-10000-1",
+            "name": "Abram",   
+            "salary": 75000,   
+            "married": true,
+            "security_id": "10011"
+        },
+        "Employee-2": {  
+            "id": "200-2000-20-2-20000-2",
+            "name": "Adams",   
+            "salary": 75000,   
+            "married": true,
+            "security_id": "20022"
+        } 
+    }  
+    ```
+
+   >[!NOTE]
+   > The process of retrieving the principal identifiers and injecting those strings into source documents that can be indexed by Cognitive Search isn't covered in this article. Refer to the documentation of your identity service provider for help with obtaining identifiers.
 
 ## Create security field
 
-Your documents must include a field specifying which groups have access. This information becomes the filter criteria against which documents are selected or rejected from the result set returned to the issuer.
-Let's assume that we have an index of secured files, and each file is accessible by a different set of users.
+In the search index, within the field collection, you need one field that contains the group or user identity, similar to the fictitious "security_id" field in the previous example.
+
+1. Add a security field as a `Collection(Edm.String)`. Make sure it has a `filterable` attribute set to `true` so that search results are filtered based on the access the user has. For example, if you set the `group_ids` field to `["group_id1, group_id2"]` for the document with `file_name` "secured_file_b", only users that belong to group IDs "group_id1" or "group_id2" have read access to the file.
 
-1. Add field `group_ids` (you can choose any name here) as a `Collection(Edm.String)`. Make sure the field has a `filterable` attribute set to `true` so that search results are filtered based on the access the user has. For example, if you set the `group_ids` field to `["group_id1, group_id2"]` for the document with `file_name` "secured_file_b", only users that belong to group IDs "group_id1" or "group_id2" have read access to the file.
-   
-   Make sure the field's `retrievable` attribute is set to `false` so that it isn't returned as part of the search request.
+   Set the field's `retrievable` attribute to `false` so that it isn't returned as part of the search request.
 
-2. Also add `file_id` and `file_name` fields for the sake of this example.  
+1. Indexes require a document key. The "file_id" field satisfies that requirement. Indexes should also contain searchable content. The "file_name" and "file_description" fields represent that in this example.  
 
-    ```JSON
-    {
+   ```https
+   POST https://[search service].search.windows.net/indexes/securedfiles/docs/index?api-version=2020-06-30
+   {
         "name": "securedfiles",  
         "fields": [
-            {"name": "file_id", "type": "Edm.String", "key": true, "searchable": false, "sortable": false, "facetable": false},
-            {"name": "file_name", "type": "Edm.String"},
-            {"name": "group_ids", "type": "Collection(Edm.String)", "filterable": true, "retrievable": false}
+            {"name": "file_id", "type": "Edm.String", "key": true, "searchable": false },
+            {"name": "file_name", "type": "Edm.String", "searchable": true },
+            {"name": "file_description", "type": "Edm.String", "searchable": true },
+            {"name": "group_ids", "type": "Collection(Edm.String)", "filterable": true, "retrievable": false }
         ]
     }
-    ```
+   ```
 
-## Pushing data into your index using the REST API
+## Push data into your index using the REST API
   
-Issue an HTTP POST request to your index's URL endpoint. The body of the HTTP request is a JSON object containing the documents to be added:
+Issue an HTTP POST request to your index's URL endpoint. The body of the HTTP request is a JSON object containing the documents to be indexed:
 
 ```http
 POST https://[search service].search.windows.net/indexes/securedfiles/docs/index?api-version=2020-06-30  
-Content-Type: application/json
-api-key: [admin key]
 ```
 
 In the request body, specify the content of your documents:
@@ -73,18 +101,21 @@ In the request body, specify the content of your documents:
             "@search.action": "upload",
             "file_id": "1",
             "file_name": "secured_file_a",
+            "file_description": "File access is restricted to the Human Resources.",
             "group_ids": ["group_id1"]
         },
         {
             "@search.action": "upload",
             "file_id": "2",
             "file_name": "secured_file_b",
+            "file_description": "File access is restricted to Human Resources and Recruiting.",
             "group_ids": ["group_id1", "group_id2"]
         },
         {
             "@search.action": "upload",
             "file_id": "3",
             "file_name": "secured_file_c",
+            "file_description": "File access is restricted to Operations and Logistics.",
             "group_ids": ["group_id5", "group_id6"]
         }
     ]
@@ -105,15 +136,16 @@ If you need to update an existing document with the list of groups, you can use
 }
 ```
 
-For full details on adding or updating documents, you can read [Edit documents](/rest/api/searchservice/addupdate-or-delete-documents).
+For more information on uploading documents, see [Add, Update, or Delete Documents (REST)](/rest/api/searchservice/addupdate-or-delete-documents).
 
-## Apply the security filter
+## Apply the security filter in the query
 
 In order to trim documents based on `group_ids` access, you should issue a search query with a `group_ids/any(g:search.in(g, 'group_id1, group_id2,...'))` filter, where 'group_id1, group_id2,...' are the groups to which the search request issuer belongs.
 
 This filter matches all documents for which the `group_ids` field contains one of the given identifiers.
 For full details on searching documents using Azure Cognitive Search, you can read [Search Documents](/rest/api/searchservice/search-documents).
-Note that this sample shows how to search documents using a POST request.
+
+This sample shows how to set up query using a POST request.
 
 Issue the HTTP POST request:
 
@@ -154,7 +186,7 @@ You should get the documents back where `group_ids` contains either "group_id1"
 
 This article described a pattern for filtering results based on user identity and the `search.in()` function. You can use this function to pass in principal identifiers for the requesting user to match against principal identifiers associated with each target document. When a search request is handled, the `search.in` function filters out search results for which none of the user's principals have read access. The principal identifiers can represent things like security groups, roles, or even the user's own identity.
 
-For an alternative pattern based on Active Directory, or to revisit other security features, see the following links.
+For an alternative pattern based on Azure Active Directory, or to revisit other security features, see the following links.
 
 * [Security filters for trimming results using Active Directory identities](search-security-trimming-for-azure-search-with-aad.md)
 * [Security in Azure Cognitive Search](search-security-overview.md)
