Enforcement of document-level security for Windows file system documents

To enable current credentials to be validated when a user searches documents that were crawled by a Windows file system crawler, you must configure domain account information on both the crawler server and Microsoft Windows server.

When you configure a Windows file system crawler, you specify whether you want to crawl subdirectories on the local computer or subdirectories on a remote computer. If security is enabled for the collection, you can also specify options for controlling access to documents in the crawled subdirectories.

If you choose to enforce access controls by validating the user's current credentials when the user submits a query, you must ensure that domain accounts are correctly configured. Requirements for setting up domain accounts for files that were crawled on the local computer are different from requirements for files that were crawled on a remote Windows server.

Important: User credentials cannot be validated during query processing if both of the following conditions are true:

Validation with local access control data

To validate current user credentials, the system uses local user account information and, if the computer belongs to a Windows domain, domain account information as well. For credentials to be validated during query processing, the user name in each applicable form (local and domain) must appear in the security information that was collected for the documents to be searched.

For a local account, the user name is in the following format:
COMPUTER NAME\USERNAME
For a domain account, the user name is in the following format:
DOMAIN NAME\USERNAME

To log in, users type only the user name, but the Windows user rights assignment and the collected security information use the full account name. For example, if the local account user name is abcuser, the full account name might be WINSERVER1\abcuser.

When users access an application and configure a profile for searching secure documents on a local system, they must specify the user name that they use to log in to Windows (for example, abcuser).

To enforce current credential validation on local computers, the user accounts that are used by the crawler server must have the following Windows user rights. To assign user rights, use the Windows Administrative Tools: Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment.
  • The user ID that the crawler server is running as must have the Act as part of the operating system right. This right is configured for the administrative user on the crawler server when Watson Explorer Content Analytics is installed.
  • Users must have the Log on Locally user right.
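The following PowerShell script is an added example, not part of the original documentation or the product: it exports the local security policy with secedit, resolves the SIDs in the [Privilege Rights] section to COMPUTERNAME\user form, and reports whether the crawler account holds "Act as part of the operating system" (SeTcbPrivilege) and whether a search user holds "Log on locally" (SeInteractiveLogonRight). It also knows "Log on as a batch job" (SeBatchLogonRight), the right the remote case needs. The account names (crawleradmin, abcuser) are placeholders; run it in an elevated session on the crawler server.

```powershell
# Added example (not product code): audit the user rights assignments that
# current-credential validation on a local computer depends on.

# Display names used in the documentation mapped to secedit constant names.
$RightNames = @{
    'Act as part of the operating system' = 'SeTcbPrivilege'
    'Log on locally'                      = 'SeInteractiveLogonRight'
    'Log on as a batch job'               = 'SeBatchLogonRight'
}

function Get-UserRightsAssignment {
    # Export only the user-rights area of the local policy and parse it.
    $cfg = Join-Path $env:TEMP 'secpol.cfg'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $name  = $Matches[1]
            $value = $Matches[2]
            $rights[$name] = @($value -split ',' | ForEach-Object {
                $entry = $_.Trim()
                if ($entry.StartsWith('*')) {
                    # secedit writes principals as *S-1-5-...; translate the SID
                    # to the full account name (COMPUTERNAME\user or DOMAIN\user).
                    try {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                        $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $entry }   # unresolvable SID: keep the raw value
                } else { $entry }
            })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-AccountRight {
    param([string]$Account, [string]$Right, [hashtable]$Assignments)
    $holders = $Assignments[$RightNames[$Right]]
    return [bool]($holders -icontains $Account)
}

# Local accounts are expressed by Windows as COMPUTERNAME\USERNAME even though
# users type only "abcuser" at logon. Both names below are placeholders.
$crawlerAccount = "$env:COMPUTERNAME\crawleradmin"   # assumed account the crawler server runs as
$searchUser     = "$env:COMPUTERNAME\abcuser"        # user from the documentation's example

$assignments = Get-UserRightsAssignment
foreach ($check in @(
        @{ Account = $crawlerAccount; Right = 'Act as part of the operating system' },
        @{ Account = $searchUser;     Right = 'Log on locally' })) {
    $ok = Test-AccountRight -Account $check.Account -Right $check.Right -Assignments $assignments
    '{0,-40} {1,-36} {2}' -f $check.Account, $check.Right, $(if ($ok) { 'OK' } else { 'MISSING' })
}
```

The check compares full account names exactly, so a right that a user holds only through group membership (for example, "Log on locally" granted to the local Users group) shows up under the group name; compare the groups the account belongs to against the same list before concluding the right is missing. The Act as part of the operating system right should be held by as few principals as possible, so it is also worth reviewing every other name the script lists for SeTcbPrivilege.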

Validation with remote domain access control data

For the Windows operating system, any directory path that starts with \\servername (a UNC path) is considered a remote directory. For example:
\\software\utilities\IBM
To access a remote directory, users specify their user names in the following format:
USERNAME@DOMAIN NAME

When users access an application and configure a profile that enables them to search secure documents on a remote system, they must specify the user name that they use to access the remote Windows system (for example, abcuser@win1.company.com).

To enforce current credential validation on remote computers, user accounts must have the following Windows user rights. To assign user rights, use the Windows Administrative Tools: Administrative Tools > Domain Security Policy.
  • The crawler server and the Windows server to be searched must be members of the same domain.
  • The user ID that the crawler server is running as must have the Act as part of the operating system right. This right is configured for the administrative user on the crawler server when Watson Explorer Content Analytics is installed.
  • Users must have the Log on as a batch job user right.
Use the following guidelines for remote Windows file systems:
  • When Watson Explorer Content Analytics crawls a Windows server as a remote file system, it collects the ACL from the configured domain, but it does not collect ACLs from local domains or multiple domains. Only domain groups and users are supported for secure search of remote folders. Local groups and users are not supported, regardless of whether the groups are user-defined or built in (such as Administrators, Users, Domain Users, Everyone, and Authenticated Users).
  • If you use the Identity Management Component (IMC), specify user names without the domain (for example, username, not username@domain).
  • If you create the user's security context (USC) XML string yourself instead of using the provided IMC, add the domain groups that the user belongs to in the USC XML string. Users will then be able to search files on a remote Windows server.
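The following PowerShell script is an added example, not part of the original documentation or the product. It performs the pre-checks for the remote case described above: it confirms that the crawler server and the remote file server belong to the same domain, prints the USERNAME@DOMAIN NAME form the current user would enter in a search profile, and lists the ACEs on the remote folder that reference local or built-in principals, since those are the entries the crawler does not collect and therefore cannot enforce at query time. The server name (software) and path are taken from the example above; remote Get-CimInstance calls assume WinRM is reachable on the file server.

```powershell
# Added example (not product code): pre-check a remote Windows file system
# before enabling current-credential validation for its documents.

$fileServer = 'software'                      # remote server from the documentation's example
$sharePath  = "\\$fileServer\utilities\IBM"   # any path starting with \\ is remote

function Get-DomainInfo {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $ComputerName
    [pscustomobject]@{ Computer = $cs.Name; Domain = $cs.Domain; PartOfDomain = $cs.PartOfDomain }
}

function Test-SameDomain {
    # Both machines must be domain members of the same domain.
    param([string]$RemoteServer)
    $local  = Get-DomainInfo
    $remote = Get-DomainInfo -ComputerName $RemoteServer
    return [bool]($local.PartOfDomain -and $remote.PartOfDomain -and ($local.Domain -ieq $remote.Domain))
}

function Get-UnsupportedAces {
    # Return the ACEs on $Path whose principal is a local account of the remote
    # server or a built-in / well-known identity. Only domain users and groups
    # are collected for secure search, so these entries are not enforced.
    param([string]$Path, [string]$RemoteServer)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $id        = $ace.IdentityReference.Value
        $authority = ($id -split '\\')[0]
        $isLocal   = ($id -notmatch '\\') -or            # e.g. Everyone
                     ($authority -ieq $RemoteServer) -or  # local user/group on the file server
                     ($authority -ieq 'BUILTIN') -or      # Administrators, Users, ...
                     ($authority -ieq 'NT AUTHORITY')     # Authenticated Users, SYSTEM, ...
        if ($isLocal) {
            [pscustomobject]@{ Identity = $id; Rights = $ace.FileSystemRights; Type = $ace.AccessControlType }
        }
    }
}

if (-not (Test-SameDomain -RemoteServer $fileServer)) {
    Write-Warning "Crawler server and $fileServer are not members of the same domain; current-credential validation cannot work."
}

# Name the user enters in the search profile for a remote system (USERNAME@DOMAIN NAME).
"Search profile user name: $env:USERNAME@$((Get-DomainInfo).Domain)"

$unsupported = @(Get-UnsupportedAces -Path $sharePath -RemoteServer $fileServer)
if ($unsupported.Count -gt 0) {
    Write-Warning "ACEs on $sharePath that reference local or built-in principals (ignored during credential validation):"
    $unsupported | Format-Table -AutoSize
} else {
    "All ACEs on $sharePath reference domain principals."
}
```

An ACE that grants access only to a local group such as BUILTIN\Users on the file server is silently dropped from the collected security information, so a user who can open the file over SMB may still not see it in search results; replace such entries with the equivalent domain group before crawling.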