To enable current credentials to be validated when a user searches documents that were crawled by a Windows file system crawler, you must configure domain account information on both the crawler server and the Microsoft Windows server.
When you configure a Windows file system crawler, you specify whether you want to crawl subdirectories on the local computer or subdirectories on a remote computer. If security is enabled for the collection, you can also specify options for controlling access to documents in the crawled subdirectories.
If you choose to enforce access controls by validating the user's current credentials when the user submits a query, you must ensure that domain accounts are correctly configured. Requirements for setting up domain accounts for files that were crawled on the local computer are different from requirements for files that were crawled on a remote Windows server.
Important: User credentials cannot be validated during query processing if both of the following conditions are true:
- The Windows server to be crawled is not a member of a domain.
- The directory to be crawled is a remote directory, such as \\servername\hostname.
Validation with local access control data
To validate current user credentials, the system uses both local user account information and domain account information (if the computer belongs to a Windows domain). To validate credentials during query processing, both user names must be listed in the security information for the documents to be searched.
For a local account, the user name is in the following format:
COMPUTER NAME\USERNAME
For a domain account, the user name is in the following format:
DOMAIN NAME\USERNAME
To log in, users specify only the user name, but the properly specified Windows user rights assignment uses the full name. For example, if the local account user name is abcuser, the full account name might be WINSERVER1\abcuser.
When users access an application and configure a profile for searching secure documents on a local system, they must specify the user name that they use to log in to Windows (for example, abcuser).
To enforce current credential validation on local computers, the user accounts that are used by the crawler server must have the following Windows user rights. To assign user rights, use the Windows Administrative Tools: .
- The user ID that the crawler server is running as must have the Act as part of the operating system right. This right is configured for the administrative user on the crawler server when Watson Explorer Content Analytics is installed.
- Users must have the Log on Locally user right.
Validation with remote domain access control data
For the Windows operating system, any directory that starts with \\servername is considered a remote directory. For example:
\\software\utilities\IBM
To access a remote directory, users specify their user names in the following format:
USERNAME@DOMAIN NAME
When users access an application and configure a profile that enables them to search secure documents on a remote system, they must specify the user name that they use to access the remote Windows system (for example, abcuser@win1.company.com).
To enforce current credential validation on remote computers, user accounts must have the following Windows user rights. To assign user rights, use the Windows Administrative Tools: .
- The crawler server and the Windows server to be searched must be members of the same domain.
- The user ID that the crawler server is running as must have the Act as part of the operating system right. This right is configured for the administrative user on the crawler server when Watson Explorer Content Analytics is installed.
- Users must have the Log on as a batch job user right.
Use the following guidelines for remote Windows file systems:
- When Watson Explorer Content Analytics crawls a Windows server as a remote file system, it collects the ACL from the configured domain, but it does not collect ACLs from local domains or multiple domains. Only domain groups and users are supported for secure search of remote folders. Local groups and users are not supported, regardless of whether the groups are user-defined or built in (such as Administrators, Users, Domain Users, Everyone, and Authenticated Users).
- If you use the Identity Management Component (IMC), specify user names without the domain (for example, username, not username@domain).
- If you create the user's security context XML string instead of using the provided IMC, add the domain groups that the user belongs to in the USC XML string. Users will then be able to search files on a remote Windows server.
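One way to check a remote folder's ACL against the first guideline above, so that entries secure search will not honor are found before users report missing results. This is an added example, not part of the product or its documentation; the icacls listing is constructed, and the domain name CORP, the server name FILESERVER1, and the function names are assumptions.

```python
import re

# Constructed sample of `icacls` output for a remote folder (not from a real host).
SAMPLE_PATH = r"\\fileserver1\reports"
SAMPLE_ICACLS = r"""
\\fileserver1\reports BUILTIN\Administrators:(OI)(CI)(F)
                      CORP\finance-readers:(OI)(CI)(RX)
                      CORP\Domain Users:(OI)(CI)(RX)
                      FILESERVER1\localaudit:(OI)(CI)(R)
                      PARTNER\jdoe:(RX)
                      NT AUTHORITY\Authenticated Users:(RX)
                      Everyone:(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# "<principal>:(flag)(flag)..." as printed by icacls for each ACE
ACE = re.compile(r"^(?P<who>.+?):(?:\([^)]*\))+$")

def classify(who, domain, server):
    """Return (supported, reason) for one ACE principal on a remote folder."""
    prefix, sep, name = who.rpartition("\\")
    if not sep or prefix.upper() in ("BUILTIN", "NT AUTHORITY"):
        return False, "built-in or well-known principal"
    if prefix.upper() == server.upper():
        return False, "local account or group on the file server"
    if prefix.upper() != domain.upper():
        return False, "not in the configured domain"
    if name.lower() == "domain users":
        return False, "named in the guideline as unsupported"
    return True, "user or group in the configured domain"

def audit_acl(icacls_text, path, domain, server):
    """Parse icacls output for `path` and classify every ACE principal."""
    findings = []
    for line in icacls_text.splitlines():
        line = line.strip()
        if line.startswith(path):          # first ACE shares a line with the path
            line = line[len(path):].strip()
        match = ACE.match(line)
        if match:                          # skips blanks and the summary line
            who = match.group("who")
            findings.append((who, *classify(who, domain, server)))
    return findings

if __name__ == "__main__":
    # CORP (NetBIOS domain) and FILESERVER1 (server name) are assumed values.
    for who, ok, reason in audit_acl(SAMPLE_ICACLS, SAMPLE_PATH, "CORP", "FILESERVER1"):
        print(f"{'OK  ' if ok else 'FLAG'} {who}: {reason}")
```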