To enforce document-level security for remote Windows file systems, the Watson Explorer Content Analytics system supports access
control list (ACL) verification across trusted domains.
Configuring the crawler
To configure the Windows file system crawler to support trusted domains, you must specify options in a new configuration file. There is no support for configuring this capability in the administration console.
- To support document-level security across trusted Windows domains, edit the following file:
ES_NODE_ROOT/master_config/session_ID/winfscrawler_ext.xml
Tip: To determine the session ID for the Windows file system crawler that you want
to configure, you can monitor the crawler details in the administration
console or use the esadmin report collections command.
- Specify the Windows domain name and the NetBIOS name of the Active Directory. For example:
<ExtendedProperties>
  <SetAttribute XPath="/Crawler/DataSources/Server/Target"
      Name="Domain">ExampleCo.com
  </SetAttribute>
  <SetAttribute XPath="/Crawler/DataSources/Server/Target"
      Name="NetBIOSDomain">EXC1
  </SetAttribute>
</ExtendedProperties>
- Stop and restart the crawler for the changes to become effective.
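The following is an added example, not part of the product documentation: a Python check that can be run against the contents of winfscrawler_ext.xml before the crawler is restarted, to catch a malformed file or a missing Domain or NetBIOSDomain value. The function name check_ext_config, the sample strings, and the 15-character NetBIOS length check are assumptions of this example.

```python
import sys
import xml.etree.ElementTree as ET

TARGET_XPATH = "/Crawler/DataSources/Server/Target"
REQUIRED = ("Domain", "NetBIOSDomain")

# Constructed samples: GOOD sets both attributes; BROKEN drops the closing
# quote after NetBIOSDomain, which makes the file malformed.
GOOD = """<ExtendedProperties>
  <SetAttribute XPath="/Crawler/DataSources/Server/Target"
      Name="Domain">ExampleCo.com
  </SetAttribute>
  <SetAttribute XPath="/Crawler/DataSources/Server/Target"
      Name="NetBIOSDomain">EXC1
  </SetAttribute>
</ExtendedProperties>"""
BROKEN = GOOD.replace('Name="NetBIOSDomain">', 'Name="NetBIOSDomain>')


def check_ext_config(xml_text):
    """Return a list of problems found in winfscrawler_ext.xml content."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "ExtendedProperties":
        return [f"unexpected root element <{root.tag}>"]
    values = {}
    for el in root.iter("SetAttribute"):
        if el.get("XPath") == TARGET_XPATH:
            # This check ignores whitespace around the value
            values[el.get("Name")] = (el.text or "").strip()
    problems = [f"missing or empty {n}" for n in REQUIRED if not values.get(n)]
    netbios = values.get("NetBIOSDomain", "")
    if len(netbios) > 15:  # NetBIOS names are at most 15 characters
        problems.append(f"NetBIOSDomain {netbios!r} is longer than 15 characters")
    return problems


if __name__ == "__main__":
    # Usage: python check_ext.py path/to/winfscrawler_ext.xml
    with open(sys.argv[1], encoding="utf-8") as fh:
        found = check_ext_config(fh.read())
    print("\n".join(found) or "OK")
    sys.exit(1 if found else 0)
```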
Restrictions
- Documents cannot include ACLs from multiple Windows domains. Domain users and groups must belong to one Windows domain per collection.
- To support remote file system access verification, the Windows servers must run in the same Windows domain or in trusted Windows domains.
- The Windows file system crawler reads the NetBIOS name of the Active Directory associated with the Windows server to be crawled and uses the NetBIOS name to filter the file ACL. The Active Directory that the crawler server joins trusts the other Active Directory that defines user accounts and group accounts.
- The user account that you specify for the crawler to use to access a remote Windows server must belong to the Windows domain where you want to enforce and verify access control.
- The Windows operating system allows only one account to connect to network folders on one file server. Other accounts cannot connect to the same file server at the same time. Therefore, you cannot configure different accounts for different crawlers to crawl the same Windows server, even if the crawlers are in different collections.