Configuring CAS Resource Access Control (CRAC)

You can define users and groups that can have access to a domain by using CRAC API Custom Resource (CR).

To configure CAS to restrict specific users to specific CAS domains, follow these steps:

  1. Open the IBM Fusion UI.
  2. Go to Content-aware Storage > Domains.
  3. Click the domain name that you want to open.
  4. Click Actions and select Share search access.

    The Share search access dialog opens.

  5. In the Username or Group field, add the username or group name to which you want to grant the domain access.
  6. From the Choose type dropdown, select the type as User or Group.
    Tip: To add all users or groups at the same time, click Add.
  7. Click Share.
    Note: When IDP CR is configured on your system, you can provide the external IDP token to the query search API for semantic search execution.

Granting global access to all authenticated users

To simplify access control, you can grant domain access to all authenticated users at once by using the cas-all-authenticated special group. This approach removes the need to add individual users or groups.
Important: The cas-all-authenticated group grants access to any user with a valid OpenShift® or identity provider (IDP) authentication token. Specific user and group assignments provide more granular security control and are recommended when restricted access is required.

Removing search access

You can remove users and groups that have access to specific domains.

To remove users or groups from specific CAS domains, follow these steps:

  1. Open the IBM Fusion UI.
  2. Go to Content-aware Storage > Domains.
  3. Click the domain name that you want to open.
  4. Click Actions and select Remove search access.

    The Remove search access dialog opens.

  5. Select the users or groups whose search access is to be removed.
  6. Click Remove.

    Removed users and groups lose authorization to access the query search API for the domain.