Discovery Search supports role-based access control (RBAC). Roles allow administrators to increase their control over settings and access for each user by assigning specific roles in the system. These roles are based on each user’s active directory group.
Creating a Role
From the Admin Panel, click Roles
Click + Add role to create a new role
Enter a Name that is easy to distinguish and represents the role’s usage/settings (for example, “Data Steward” or “Regular User”)
Enter at least one valid Active Directory Group path for Group Name
Click + to add another Active Directory Group to this role
Click Add to create the role
Find the newly created role based on the Name entered in Step 3 and Select “Edit” to start configuring
Configuring a Role
To configure a role, locate the role based on the Name provided at the time of creation and click Edit. The following options are configurable.
Edit or update the display name for this role in Role name.
Active directory groups
Edit current Active Directory Groups or add Active Directory Groups to this role in Group name.
Enable or disable access to data enrichment features.
Enable automatic Microsoft login prompts within Search, to ensure results from a Microsoft online source (for example, SharePoint or Exchange) are not returned if the user is not logged in to their Microsoft account.
If this setting is enabled, users performing a search while they are logged out of their Microsoft Online account will see the Microsoft Online Login screen before the results are returned. After users log into their account the Search results are returned.
We recommend Administrators enable this feature for roles that have connections to Microsoft Online sources, such as SharePoint or Exchange.
If the setting is not enabled when Microsoft Online sources are connected, the system may not behave as expected. Results may be hidden from results until configured.
Customizing a Role
Configuring an Advanced Search Form
Create an Advanced Search form that allows users to perform searches against an index facet (for example, fileType). Configure supporting fields on this form to align with the type of index facet.
Click + Add form
Enter a value in Title for the name of the form that you want users to see when selecting an Advanced Search form
In the Fields section, select a value from Index field name
Select a value from the Type dropdown for how users will interact with the form
If Range is selected, check Show tick marks on or off then enter values for Min, Max, Step (increment), and Unit
If Autocomplete or Dropdown is selected, submit a list of values that should be returned dynamically in the form
Select Custom list
Enter text under VALUES
Click + to enter another value
Or select File
Paste the path of the file that contains a JSON-formatted list of values, for exampleJSON
[ "well", "recovery", "pipeline" ]
Enter a Display name value for what users will see as a representation for the selected Index field name (for example, display “Tags” for index field enrichmentTags)
Select a Size for the width of the field appearing on the form
Save or continue to Hidden Fields
Hidden fields are included in an advanced search but are not shown as options to users. For example, add a hidden field to pre-filter result sets on behalf of end users.
Click + Add filter set
Select the Source you want the filter set to be associated with
Select an Index field name that you want configure for the filter set (for example, extension)
Select the Type of filter that is most appropriate (for example, dropdown or text field)
Check whether or not the filter to be visible by default
Select the Language that the filter, visible to the user, is in
Enter a Title, the filter name that will be visible to users in the filter set
Click + Add filter to add another filter to the filter set
Click Save changes
Click + Add source
Enter a Name for the source
Enter the name of the index that was generated from Cognitive Toolkit in Indices
Select the Language that Title, visible in the search bar Sources dropdown, is in
Enter a Title, the name that will be visible to users in the search bar sources dropdown
Repeat these steps for each index this role needs access to
Click Save changes
Configuring Source groups
At least one source must be configured for this role before proceeding.
Click + Add Source
Select the Source you want to group from the dropdown
Click + to add this source to a group
Enter a Group Label, the name that will be visible to users in the search bar sources dropdown
Select + to add another source to this group
Repeat until all sources for this group are added
Click Save changes
Once all settings and configurations are complete, click Save to ensure all changes are updated
To confirm changes made to Source groups, launch Discovery Search and click on Source in the search bar.
What is RBAC?
The default role is where Advanced search configuration, Filters configuration, Sources configuration, and Source groups configuration are set up. The Default role serves as a role to which any user without a specific role will be defaulted to and can be used as a normal user to match functionality for users to a pre-roles state. It is recommended to configure specific roles and not assign end-users only to the default role.
Roles can be assigned to users
A user can be assigned a role by administrators based on their current active directory groups and roles. When creating a new role, the Group Name value must align to a currently existing Active Directory group in the client’s system. When a user launches the system they will be assigned the role that most closely matches their current Active Directory group. If a user is part of multiple Active Directory groups/roles that are also aligned to more than one Discovery Search role, they can switch between all available roles from Preferences in their user menu.
Specific settings are role-dependent
Advanced search configuration, Filters configuration, Sources configuration, and Source groups configuration are configured in Roles > Edit Role (per role). Each setting is configured per role and each new role can have different configurations.
As of Discovery Search version 1.10.0, the new Data enrichment feature is configured per role.
Data enrichment access will technically allow users to interact with the index.
Recommendations and notes for RBAC
When to use new roles
Each new role should align to some difference in settings for any or for all of Advanced search configuration, Filters configuration, Sources configuration, and Source groups configuration.
Example use case
One set of users should have access to Index A only, but another set of users should have access to Index B only. Each set of users should have their own role where the source configuration aligns (Role A has Index A configured under sources, Role B has Index B configured under sources, etc.). Note that all users assigned a specific role must also be part of the Active Directory Group(s) aligned to that role in Discovery Search because users can only access and use roles that match their Active Directory Group.
Active Directory alignment
All users assigned a specific role in Discovery Search must also be part of the Active Directory Group(s) aligned to that role because users can only access and use roles that match their Active Directory Group.
Example use case
If I am part of the Human Resources Active Directory Group, I can only use and be assigned roles in Discovery Search that are configured to align with the Human Resources Active Directory Group. Administrators can align any Active Directory Group to match their needs.
Administrators need early access to set up each role, source, and setting so the designation of administrative users has not changed. You must set the
ActiveDirectoryAdminGroup in web.config, accessible via the Internet Information Services (IIS) Manager, in the main directory where Discovery Search is installed to designate which users have administrative access.