Configuring Roles

Discovery Search supports role-based access control (RBAC). Roles allow administrators to increase their control over settings and access for each user by assigning specific roles in the system. These roles are based on each user’s active directory group.

Creating a Role

1. From the Admin Panel, click Roles

2. Click + Add role to create a new role

   1. Enter a Name that is easy to distinguish and represents the role’s usage/settings (for example, “Data Steward” or “Regular User”)

   2. Enter at least one valid Active Directory Group path for Group Name

   3. Click + to add another Active Directory Group to this role

   4. Click Add to create the role

3. Find the newly created role based on the Name entered in Step 3 and Select “Edit” to start configuring

Configuring a Role

To configure a role, locate the role based on the Name provided at the time of creation and click Edit. The following options are configurable.

Role settings

Edit or update the display name for this role in Role name.

Active directory groups

Edit current Active Directory Groups or add Active Directory Groups to this role in Group name.

Data enrichment

Enable or disable access to data enrichment features.

For more information about data enrichment features, see Configuring Enrichment tags.

Microsoft Online

Enable automatic Microsoft login prompts within Search, to ensure results from a Microsoft online source (for example, SharePoint or Exchange) are not returned if the user is not logged in to their Microsoft account.

If this setting is enabled, users performing a search while they are logged out of their Microsoft Online account will see the Microsoft Online Login screen before the results are returned. After users log into their account the Search results are returned.

We recommend Administrators enable this feature for roles that have connections to Microsoft Online sources, such as SharePoint or Exchange.

If the setting is not enabled when Microsoft Online sources are connected, the system may not behave as expected. Results may be hidden from results until configured.

Customizing a Role

Configuring an Advanced Search Form

Create an Advanced Search form that allows users to perform searches against an index facet (for example, fileType). Configure supporting fields on this form to align with the type of index facet.

1. Click + Add form

2. Enter a value in Title for the name of the form that you want users to see when selecting an Advanced Search form

Configuring Fields

1. In the Fields section, select a value from Index field name

2. Select a value from the Type dropdown for how users will interact with the form

   1. If Range is selected, check Show tick marks on or off then enter values for Min, Max, Step (increment), and Unit

   2. If Autocomplete or Dropdown is selected, submit a list of values that should be returned dynamically in the form

      1. Select Custom list

      2. Enter text under VALUES

      3. Click + to enter another value

      4. Or select File

      5. Paste the path of the file that contains a JSON-formatted list of values, for example

         JSON

         [
           "well",
           "recovery",
           "pipeline"
         ]

3. Enter a Display name value for what users will see as a representation for the selected Index field name (for example, display “Tags” for index field enrichmentTags)

4. Select a Size for the width of the field appearing on the form

5. Save or continue to Hidden Fields

Hidden Fields

Hidden fields are included in an advanced search but are not shown as options to users. For example, add a hidden field to pre-filter result sets on behalf of end users.

Configuring Filters

1. Click + Add filter set

2. Select the Source you want the filter set to be associated with

3. Select an Index field name that you want configure for the filter set (for example, extension)

4. Select the Type of filter that is most appropriate (for example, dropdown or text field)

5. Check whether or not the filter to be visible by default

6. Select the Language that the filter, visible to the user, is in

7. Enter a Title, the filter name that will be visible to users in the filter set

8. Click + Add filter to add another filter to the filter set

9. Click Save changes

Configuring Sources

1. Click + Add source

2. Enter a Name for the source

3. Enter the name of the index that was generated from Cognitive Toolkit in Indices

4. Select the Language that Title, visible in the search bar Sources dropdown, is in

5. Enter a Title, the name that will be visible to users in the search bar sources dropdown

6. Repeat these steps for each index this role needs access to

7. Click Save changes

Configuring Source groups

At least one source must be configured for this role before proceeding.

1. Click + Add Source

2. Select the Source you want to group from the dropdown

3. Click + to add this source to a group

4. Enter a Group Label, the name that will be visible to users in the search bar sources dropdown

5. Select + to add another source to this group

6. Repeat until all sources for this group are added

7. Click Save changes

8. Once all settings and configurations are complete, click Save to ensure all changes are updated

To confirm changes made to Source groups, launch Discovery Search and click on Source in the search bar.

What is RBAC?

Default Role

The default role is where Advanced search configuration, Filters configuration, Sources configuration, and Source groups configuration are set up. The Default role serves as a role to which any user without a specific role will be defaulted to and can be used as a normal user to match functionality for users to a pre-roles state. It is recommended to configure specific roles and not assign end-users only to the default role.

Roles can be assigned to users

A user can be assigned a role by administrators based on their current active directory groups and roles. When creating a new role, the Group Name value must align to a currently existing Active Directory group in the client’s system. When a user launches the system they will be assigned the role that most closely matches their current Active Directory group. If a user is part of multiple Active Directory groups/roles that are also aligned to more than one Discovery Search role, they can switch between all available roles from Preferences in their user menu.

Specific settings are role-dependent

Advanced search configuration, Filters configuration, Sources configuration, and Source groups configuration are configured in Roles > Edit Role (per role). Each setting is configured per role and each new role can have different configurations.

As of Discovery Search version 1.10.0, the new Data enrichment feature is configured per role.

Data enrichment access will technically allow users to interact with the index.

Recommendations and notes for RBAC

When to use new roles

Each new role should align to some difference in settings for any or for all of Advanced search configuration, Filters configuration, Sources configuration, and Source groups configuration.

Example use case

One set of users should have access to Index A only, but another set of users should have access to Index B only. Each set of users should have their own role where the source configuration aligns (Role A has Index A configured under sources, Role B has Index B configured under sources, etc.). Note that all users assigned a specific role must also be part of the Active Directory Group(s) aligned to that role in Discovery Search because users can only access and use roles that match their Active Directory Group.

Active Directory alignment

All users assigned a specific role in Discovery Search must also be part of the Active Directory Group(s) aligned to that role because users can only access and use roles that match their Active Directory Group.

Example use case

If I am part of the Human Resources Active Directory Group, I can only use and be assigned roles in Discovery Search that are configured to align with the Human Resources Active Directory Group. Administrators can align any Active Directory Group to match their needs.

Administrators

Administrators need early access to set up each role, source, and setting so the designation of administrative users has not changed. You must set the ActiveDirectoryAdminGroup in web.config, accessible via the Internet Information Services (IIS) Manager, in the main directory where Discovery Search is installed to designate which users have administrative access.