Roles
As of version 1.9.0, Discovery Search supports role-based access control (RBAC). Roles allow administrators to increase their control over settings and access for each user by assigning specific roles in the system. These roles are based on each user’s active directory group.
This guide is to help get started with roles and to help explain any differences between previous versions of Discovery Search.
Create a Role
From the Admin Panel, click Roles
Click + Add role to create a new role
Enter a Name that is easy to distinguish and represents the role’s usage/settings (for example, Data Steward, Regular User, etc.)
Enter at least one valid Active Directory Group path for Group Name
Click + to add another Active Directory Group to this role
Click Add to create the role
Find the newly created role based on the Name entered in Step 3 and Select “Edit” to start configuring
Configure a Role
To configure a role, locate the role based on the Name provided at the time of creation and click Edit. The following options are configurable.
Role settings
Edit or update the display name for this role in Role name.
Active directory groups
Edit current Active Directory Groups or add Active Directory Groups to this role in Group name.
Data enrichment
Enable or disable access to data enrichment features.
For more information about data enrichment features, see Enrichment tags.
Role customization
Advanced Search Configuration
Create an Advanced Search form that allows users to perform searches against an index facet (for example, fileType). Configure supporting fields on this form to align with the type of index facet.
Click + Add form
Enter a value in Title for the name of the form that you want users to see when selecting an Advanced Search form
Fields
In the Fields section, select a value from Index field name
Select a value from the Type dropdown for how users will interact with the form
If Range is selected, check Show tick marks on or off then enter values for Min, Max, Step (increment), and Unit
If Autocomplete or Dropdown is selected, submit a list of values that should be returned dynamically in the form
Select Custom list
Enter text under VALUES
Click + to enter another value
Or select File
Paste the path of the file that contains a json-formatted list of values, for example
JSON[ "well", "recovery", "pipeline" ]
Enter a Display name value for what users will see as a representation for the selected Index field name (for example, display “Tags” for index field enrichmentTags)
Select a Size for the width of the field appearing on the form
Save or continue to Hidden Fields
Hidden Fields
Hidden fields are included in an advanced search but are not shown as options to users. For example, add a hidden field in order to pre-filter result sets on behalf of end users.
Filters configuration
Click + Add filter set
Source: Enables the filter for a specific content source only or allows for it to be set as a default that displays for all content sources
Index field name: The index item to be used (for example, creationTimeUtc or extension)
Type: Determines how a filter is used (i.e. date, dropdown, or text field)
Default to open: Sets filters as expanded by default
Language: Sets the language displayed in the filter
Title: Displays as the heading for the filter on the results page
Click + Add filter set to add another filter
Click Save when ready to save these settings to the role
Sources configuration
Click + Add source
Name: The name of the source for internal administration
Indicies: The name of the configured index generated from the Cognitive Toolkit
Language: The language the source title displays in
Title: The visible name of this source for users to see in their UI
Repeat the above steps for each index this role needs access to
Select “Save changes” to save these settings to the role
Source groups configuration
Ensure at least one source is configured for this role before proceeding
Click + Add Source
Select the Source you want to group from the dropdown
Click + to add this source to a group
Group Label: The parent group’s name that will be displayed to users with a drop-down to sub-sources
Select + to add another source to this group
Repeat until all sources for this group are added
Click Save changes when ready to save these settings to the role
Once all settings and configurations are complete, click Save to ensure all changes are updated
To confirm changes made to Source groups, launch Discovery Search and click on Source in the search bar.
What’s changed with the introduction of RBAC?
Default Role
The default role is where any migrated settings for Advanced search configuration, Filters configuration, Sources configuration, and Source groups configuration are now set up to ensure no settings are lost compared to the past system settings. The Default role serves as a role to which any user without a specific role will be defaulted to and can be used as a normal user to match functionality for users to a pre-roles state. It is recommended to configure specific roles and not assign end-users only to the default role.
Roles can be assigned to users
A user is assigned a role by administrators based on their current active directory groups and roles. When creating a new role the Group Name configuration value must align to a currently existing Active Directory group in the client’s system. When a user launches the system they will be assigned the role that most closely matches their current Active Directory group. If a user is part of multiple Active Directory groups/roles that are also aligned to more than one Discovery Search role, they can switch between all available roles from Preferences in their user menu.
Specific settings are now role-dependent
Advanced search configuration, Filters configuration, Sources configuration, and Source groups configuration no longer exist in the top-level admin panel. They now exist in Roles>Edit Role (per role). This means that each setting is now configured per role and each new role can have different configurations. As of Discovery Search version 1.10.0, the new Data enrichment feature is also configured per role.
Data enrichment access will technically allow users to interact with the index.
Recommendations and notes for RBAC
When to use new roles
Each new role should align to some difference in settings for any or all of: Advanced search configuration, Filters configuration, Sources configuration, or Source groups configuration.
Example use case
One set of users should have access to Index A only, but another set of users should have access to Index B only. Each set of users should have their own role where the source configuration aligns (Role A has Index A configured under sources, Role B has Index B configured under sources, etc.). Note that all users assigned a specific role must also be part of the Active Directory Group(s) aligned to that role in Discovery Search because users can only access and use roles that match their Active Directory Group.
Active Directory alignment
All users assigned a specific role in Discovery Search must also be part of the Active Directory Group(s) aligned to that role because users can only access and use roles that match their Active Directory Group.
Example
If I am part of the Human Resources Active Directory Group, I can only use and be assigned roles in Discovery Search that are configured to align with the Human Resources Active Directory Group. Administrators can align any Active Directory Group to match their needs.
Administrators
Administrators need early access to set up each role, source, and setting so the designation of administrative users has not changed. You must set ActiveDirectoryAdminGroup in web.config in the main directory where Discovery Search is installed to designate which users have administrative access.