Initial draft of changes to first security trimming article

HeidiSteen · HeidiSteen · commit b2e071d71285 · 2023-03-23T20:02:46.000-07:00
diff --git a/articles/search/search-security-trimming-for-azure-search.md b/articles/search/search-security-trimming-for-azure-search.md
@@ -8,60 +8,88 @@ author: HeidiSteen
 ms.author: heidist
 ms.service: cognitive-search
 ms.topic: conceptual
-ms.date: 01/30/2023
+ms.date: 03/24/2023
 ---
 
 # Security filters for trimming results in Azure Cognitive Search
 
-You can apply security filters to trim search results in Azure Cognitive Search based on user identity. This search experience generally requires comparing the identity of whoever requests the search against a field containing the principals who have permissions to the document. When a match is found, the user or principal (such as a group or role) has access to that document.
+Cognitive Search doesn't provide document-level permissions and can't vary search results based on user permissions. As a workaround, you can create a filter that trims search results based on a string consisting of user identity information.
 
-One way to achieve security filtering is through a complicated disjunction of equality expressions: for example, `Id eq 'id1' or Id eq 'id2'`, and so forth. This approach is error-prone, difficult to maintain, and in cases where the list contains hundreds or thousands of values, slows down query response time by many seconds. 
+This article describes a pattern for security filtering that includes following steps:
 
-A simpler and faster approach is through the `search.in` function. If you use `search.in(Id, 'id1, id2, ...')` instead of an equality expression, you can expect sub-second response times.
-
-This article shows you how to accomplish security filtering using the following steps:
 > [!div class="checklist"]
-> * Create a field that contains the principal identifiers 
-> * Push or update existing documents with the relevant principal identifiers
-> * Issue a search request with `search.in` `filter`
+> * Assemble source documents that contain the required content
+> * Create a field in your search index to contain the principal identifiers 
+> * Push the documents to the search index for indexing
+> * Query the index with `search.in` filter function
+
+## Choosing the security filter pattern
+
+Although Cognitive Search doesn't integrate with security subsystems at query time, many customers who have document-level security requirements have found that filters can meet their needs.
+
+In Cognitive Search, a security filter is a regular OData filter that includes or excludes a search result based on a matching value. The security principal is just a string. There's no authentication or authorization. The service uses the string as filter criteria to include or exclude a document from the search results.
 
->[!NOTE]
-> The process of retrieving the principal identifiers is not covered in this document. You should get it from your identity service provider.
+There are several ways to achieve security filtering. One way is through a complicated disjunction of equality expressions: for example, `Id eq 'id1' or Id eq 'id2'`, and so forth. This approach is error-prone, difficult to maintain, and in cases where the list contains hundreds or thousands of values, slows down query response time by many seconds. 
+
+A better solution is using the `search.in` function for security filters. This solution is described in this article. If you use `search.in(Id, 'id1, id2, ...')` instead of an equality expression, you can expect subsecond response times.
 
 ## Prerequisites
 
-This article assumes you have an [Azure subscription](https://azure.microsoft.com/pricing/free-trial/?WT.mc_id=A261C142F), an[Azure Cognitive Search service](search-create-service-portal.md), and an [index](search-what-is-an-index.md).  
+* You must have a [search index](search-what-is-an-index.md) that you can modify. 
+
+* You must also have source documents that include a field containing a group or user identity having access to the document. This information becomes the filter criteria against which documents are selected or rejected from the result set returned to the issuer. In the following JSON documents, the "security_id" fields contain an identity string that can be used in a security filter.
+
+    ```json
+    {  
+        "Employee-1": {  
+            "id": "000-0000-00-0-00000-1",
+            "name": "Sanchez",   
+            "salary": 75000,   
+            "married": true,
+            "security_id": "10011"
+        },
+        "Employee-2": {  
+            "id": "000-0000-00-0-00000-2",
+            "name": "Smith",   
+            "salary": 75000,   
+            "married": true,
+            "security_id": "20022"
+        } 
+    }  
+    ```
+
+   >[!NOTE]
+   > The process of retrieving the principal identifiers and injecting those strings into source documents that can be indexed by Cognitive Search isn't covered in this article. See the documentation of your identity service provider for help with obtaining identifiers.
 
 ## Create security field
 
-Your documents must include a field specifying which groups have access. This information becomes the filter criteria against which documents are selected or rejected from the result set returned to the issuer.
-Let's assume that we have an index of secured files, and each file is accessible by a different set of users.
+In the search index, within the field collection, you need one field that contains the group or user identity, similar to the fictitious "security_id" field in the previous example.
+
+1. Add a security field as a `Collection(Edm.String)`. Make sure it has a `filterable` attribute set to `true` so that search results are filtered based on the access the user has. For example, if you set the `group_ids` field to `["group_id1, group_id2"]` for the document with `file_name` "secured_file_b", only users that belong to group IDs "group_id1" or "group_id2" have read access to the file.
 
-1. Add field `group_ids` (you can choose any name here) as a `Collection(Edm.String)`. Make sure the field has a `filterable` attribute set to `true` so that search results are filtered based on the access the user has. For example, if you set the `group_ids` field to `["group_id1, group_id2"]` for the document with `file_name` "secured_file_b", only users that belong to group IDs "group_id1" or "group_id2" have read access to the file.
-   
-   Make sure the field's `retrievable` attribute is set to `false` so that it isn't returned as part of the search request.
+   Set the field's `retrievable` attribute to `false` so that it isn't returned as part of the search request.
 
-2. Also add `file_id` and `file_name` fields for the sake of this example.  
+1. Indexes require a document key. The "file_id" field satisfies that requirement. Indexes should also contain searchable content. The "file_name" and "file_description" fields represent that in this example.  
 
-    ```JSON
-    {
+   ```https
+   POST https://[search service].search.windows.net/indexes/securedfiles/docs/index?api-version=2020-06-30
+   {
         "name": "securedfiles",  
         "fields": [
-            {"name": "file_id", "type": "Edm.String", "key": true, "searchable": false, "sortable": false, "facetable": false},
-            {"name": "file_name", "type": "Edm.String"},
-            {"name": "group_ids", "type": "Collection(Edm.String)", "filterable": true, "retrievable": false}
+            {"name": "file_id", "type": "Edm.String", "key": true, "searchable": false },
+            {"name": "file_name", "type": "Edm.String", "searchable": true },
+            {"name": "file_description", "type": "Edm.String", "searchable": true },
+            {"name": "group_ids", "type": "Collection(Edm.String)", "filterable": true, "retrievable": false }
         ]
     }
-    ```
+   ```
 
-## Pushing data into your index using the REST API
+## Push data into your index using the REST API
   
-Issue an HTTP POST request to your index's URL endpoint. The body of the HTTP request is a JSON object containing the documents to be added:
+Issue an HTTP POST request to your index's URL endpoint. The body of the HTTP request is a JSON object containing the documents to be indexed:
 
 ```http
 POST https://[search service].search.windows.net/indexes/securedfiles/docs/index?api-version=2020-06-30  
-Content-Type: application/json
-api-key: [admin key]
 ```
 
 In the request body, specify the content of your documents:
@@ -73,18 +101,21 @@ In the request body, specify the content of your documents:
             "@search.action": "upload",
             "file_id": "1",
             "file_name": "secured_file_a",
+            "file_description": "File access is restricted to the Human Resources.",
             "group_ids": ["group_id1"]
         },
         {
             "@search.action": "upload",
             "file_id": "2",
             "file_name": "secured_file_b",
+            "file_description": "File access is restricted to Human Resources and Recruiting.",
             "group_ids": ["group_id1", "group_id2"]
         },
         {
             "@search.action": "upload",
             "file_id": "3",
             "file_name": "secured_file_c",
+            "file_description": "File access is restricted to Operations and Logistics.",
             "group_ids": ["group_id5", "group_id6"]
         }
     ]
@@ -105,15 +136,16 @@ If you need to update an existing document with the list of groups, you can use
 }
 ```
 
-For full details on adding or updating documents, you can read [Edit documents](/rest/api/searchservice/addupdate-or-delete-documents).
+For more information on uploading documents, see [Add, Update, or Delete Documents (REST)](/rest/api/searchservice/addupdate-or-delete-documents).
 
-## Apply the security filter
+## Apply the security filter in the query
 
 In order to trim documents based on `group_ids` access, you should issue a search query with a `group_ids/any(g:search.in(g, 'group_id1, group_id2,...'))` filter, where 'group_id1, group_id2,...' are the groups to which the search request issuer belongs.
 
 This filter matches all documents for which the `group_ids` field contains one of the given identifiers.
 For full details on searching documents using Azure Cognitive Search, you can read [Search Documents](/rest/api/searchservice/search-documents).
-Note that this sample shows how to search documents using a POST request.
+
+This sample shows how to set up query using a POST request.
 
 Issue the HTTP POST request:
 
@@ -154,7 +186,7 @@ You should get the documents back where `group_ids` contains either "group_id1"
 
 This article described a pattern for filtering results based on user identity and the `search.in()` function. You can use this function to pass in principal identifiers for the requesting user to match against principal identifiers associated with each target document. When a search request is handled, the `search.in` function filters out search results for which none of the user's principals have read access. The principal identifiers can represent things like security groups, roles, or even the user's own identity.
 
-For an alternative pattern based on Active Directory, or to revisit other security features, see the following links.
+For an alternative pattern based on Azure Active Directory, or to revisit other security features, see the following links.
 
 * [Security filters for trimming results using Active Directory identities](search-security-trimming-for-azure-search-with-aad.md)
 * [Security in Azure Cognitive Search](search-security-overview.md)
