FAST Search Authorization (FSA) overview
Published: May 12, 2010
Most Microsoft FAST Search Server 2010 for SharePoint systems provide various content sources for searching. These include public documents and proprietary or classified items. FAST Search Server 2010 for SharePoint includes a security module named FAST Search Authorization (FSA), which contributes to creating a secure search system with item level security and security trimming. FSA limits the items that appear in a user's search results to those that the user is authorized to see.
Use and benefits of FSA
Item level security operates in two phases:
Phase 1, Indexing: Content repositories are traversed and indexes are created. Authorization information is added to each item’s authorization managed properties (the item’s ACL, or access control list), identifying users and groups that are granted or denied access to the item.
Phase 2, Searching: A user submits a query and the indexes find search results. In this phase, the query processing service rewrites the user’s query so that the user only sees items that he is authorized to see. This security trimming is performed with the help of a user search security filter, which is created by FSA based on the user’s specific content permissions. By checking item managed properties (item ACLs which define who has permissions to view each item) against that user’s search security filter, unsuitable search results are filtered or trimmed out.
FSA does not authenticate users. Authentication is performed by the SharePoint Server search front-end. See Plan authentication (SharePoint Server 2010).
To generate a user’s security filter, the FSA worker component uses the information that is contained in the user’s claim. Claims-based authentication is a set of operations that establishes trust relationships between claims providers and applications. When a claim arrives, the user has already been authenticated, and FSA makes an access control decision based on that claim, which is provided by the SharePoint front-end. See Configure claims authentication (SharePoint Server 2010) and Create a FAST Search Center site (FAST Search Server 2010 for SharePoint) for more information.
FSA has two components: the FSA manager service (one per FAST Search Server 2010 for SharePoint system) and the FSA worker (one on each server that processes queries).
The FSA manager service receives security changes from indexing connectors and pushes the updates to all the query processing nodes in the system. The FSA manager also keeps the security-related configuration of these nodes consistent by administering the FSA workers and synchronizing changes across the nodes.
The FSA worker is part of the Query and Result Service (query processing node). FSA workers generate user search security filters based on user credentials. To do this, the FSA worker obtains group membership information for users from the FSA user stores and uses principal aliasing to map users/groups from one store to another.
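The two phases and the filter generation described above can be modeled in a few lines. The following is an added conceptual example, not code from FAST Search Server or from Microsoft: the store names, principals, aliases and items are constructed sample data, and the rule that a deny entry overrides an allow entry is an assumption of this model.

```python
# Conceptual model of security trimming; not FSA's implementation.
# All principals, store names and items below are constructed sample data.

# User stores: principal -> groups it belongs to (direct membership).
USER_STORES = {
    "ad": {"ad:alice": {"ad:engineering"}, "ad:bob": {"ad:sales"},
           "ad:engineering": {"ad:staff"}, "ad:sales": {"ad:staff"}},
    "ldap": {"ldap:asmith": {"ldap:contractors"}},
}
# Principal aliasing: the same person known under another name in another store.
ALIASES = {"ad:alice": {"ldap:asmith"}}

# Phase 1 output: each indexed item carries allow and deny ACL properties.
INDEX = [
    {"id": "doc1", "text": "roadmap draft", "allow": {"ad:staff"}, "deny": set()},
    {"id": "doc2", "text": "roadmap budget", "allow": {"ad:staff"},
     "deny": {"ldap:contractors"}},
    {"id": "doc3", "text": "roadmap pricing", "allow": {"ad:sales"}, "deny": set()},
    {"id": "doc4", "text": "holiday schedule", "allow": {"ad:staff"}, "deny": set()},
]

def build_security_filter(user):
    """Expand an authenticated user into every principal that applies to them."""
    principals, pending = set(), [user]
    while pending:
        p = pending.pop()
        if p in principals:
            continue
        principals.add(p)
        pending.extend(ALIASES.get(p, ()))        # cross-store aliases
        for store in USER_STORES.values():
            pending.extend(store.get(p, ()))      # nested group membership
    return principals

def search(user, term):
    """Phase 2: apply the user's security filter together with the query."""
    principals = build_security_filter(user)
    return [item["id"] for item in INDEX
            if term in item["text"]
            and item["allow"] & principals        # some principal is granted
            and not item["deny"] & principals]    # assumption: deny overrides allow
```

In this model alice loses doc2 only because aliasing links her to a principal in the second store that is denied, which is why a filter built from a single store would over-grant.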
When you install FAST Search Server 2010 for SharePoint, the FSA manager and worker services are installed automatically as Windows Services on the administration server:
FAST Search for SharePoint Sam Admin
FAST Search for SharePoint Sam Worker
When you configure an additional query processing node, another FSA worker service is started on the new node.