Security settings for searches on repositories

You can use the IBM Content Navigator administration tool to modify the security of the users and groups who need to create and use searches and cross-repository searches on your repositories.

Overview of the security model for searches

The security of the Stored Search document class determines whether users can save or use searches on the repository. However, the security settings for a specific search determine the privileges that a user or group has on the search. The user who creates a search determines who has access to the search.

After the IBM Content Navigator search add-on is run on the repository, you can use the administration tool to specify the users and groups who can create and use searches.

Tip: It is recommended that you specify groups rather than users to simplify search security management.

In the IBM Content Navigator administration tool, if you create multiple repositories that point to the same object store, the security that you set for one of these repositories is used by all of the repositories that point to that object store.

Search roles

When you assign a user or group to a search role, the user or group is given the appropriate security settings on the Stored Search document class. The changes to the security are applied after you save your changes to the repository configuration in the IBM Content Navigator administration tool.

The IBM Content Navigator administration tool defines the following search roles:
Search administrator
Users who have Full Control permissions for the repository (object store). You cannot change the list of search administrators from the administration tool.

Search administrators can delete or modify any search. The user who creates a search does not need to share the search with search administrators.

Search creator
Users who can create a search on the repository. When you designate a user or group as a search creator, the user or group is given View all properties, Create Instance, and Read Permissions security on the Stored Search document class.
Search user
Users who can run searches but cannot save searches. When you designate a user or group as a search user, the user or group is given View all properties and Read Permissions security on the Saved Search document class.

If you want all of the users in your environment to be able to use searches, you can add the #REALM-USERS(ManagedDirectory) pseudo-account to the search user role.
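
The following Python check is an added example, not IBM code. It maps each grantee's rights on the Stored Search document class to the search creator or search user role described above, and flags grants made to individual users or that give every user the ability to save searches. The ACL layout, the `type` field and the sample grantees are constructed assumptions; only the permission names and the #REALM-USERS pseudo-account come from this page.

```python
# Permission names are the ones this page lists for each search role.
CREATOR = frozenset({"View all properties", "Create Instance", "Read Permissions"})
USER = frozenset({"View all properties", "Read Permissions"})
REALM_USERS = "#REALM-USERS"  # pseudo-account that covers all users


def search_role(rights):
    """Map a grantee's rights on the Stored Search class to a search role."""
    rights = frozenset(rights)
    if rights >= CREATOR:
        return "search creator"
    if rights >= USER:
        return "search user"
    return None  # the rights match neither role


def audit(acl):
    """Return (grantee, role, findings) for each ACL entry."""
    report = []
    for entry in acl:
        role = search_role(entry["rights"])
        findings = []
        if role is None:
            findings.append("rights match no search role")
        if entry["type"] == "user":
            findings.append("granted to a user, not a group")
        if entry["grantee"].startswith(REALM_USERS) and role == "search creator":
            findings.append("every user can save searches")
        report.append((entry["grantee"], role, findings))
    return report


# Constructed sample ACL; the dict layout is an assumption, not a FileNet export format.
SAMPLE_ACL = [
    {"grantee": "SearchAuthors", "type": "group",
     "rights": ["View all properties", "Create Instance", "Read Permissions"]},
    {"grantee": "#REALM-USERS(ManagedDirectory)", "type": "pseudo-account",
     "rights": ["View all properties", "Read Permissions"]},
    {"grantee": "jdoe", "type": "user",
     "rights": ["View all properties", "Create Instance"]},
]

if __name__ == "__main__":
    for grantee, role, findings in audit(SAMPLE_ACL):
        print(f"{grantee}: {role or 'no role'}; {', '.join(findings) or 'ok'}")
```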

By default, a search user can create searches and cross-repository searches but cannot save the searches. You can prevent users from creating searches by having them use a desktop for which the following options are selected:
  • Prevent users from creating searches
  • Prevent users from creating cross-repository searches