Secure search of Exchange Server content
If security is enabled for a collection, the Exchange Server crawler can obtain the access control lists (ACLs) of the items that it crawls and store that security data with the documents in the index. Applications can then enforce access controls by comparing a user's security tokens with the stored ACLs.
You can also configure the crawler to validate user credentials at query time. In this case, instead of comparing the user's credentials with the security data that is stored in the index (pre-filtering), the system compares the credentials with the current access control lists that are maintained by the original data source (post-filtering). Pre-filtering reflects the ACLs as they were at the last crawl; post-filtering reflects permission changes immediately, at the cost of contacting Exchange Server for the candidate results of each query.
The Exchange Server crawler supports Basic authentication, Digest authentication, and NT LAN Manager (NTLM) authentication through Internet Information Services (IIS) version 6.x and version 7.x.
Supported permissions
- MailboxPermission
- MailboxFolderPermission
- Delegation
Deny ACL
Outlook denies a user access to the items in a folder when both of the following conditions are true:
- The read access permission for Default, and for the groups that the user belongs to, is set to FullDetails.
- The read access permission for the user is explicitly set to None.
Watson Explorer Content Analytics cannot apply this deny during pre-filtering: the items match the user's indexed security data and are returned. To ensure that users see only the items that they can view through Outlook, configure post-filtering security options when you configure the crawler, so that the user's current access controls are validated against Exchange Server at query time.
This issue does not affect ACLs where the permission is granted through MailboxPermission.
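The following model, added here as an illustration and not code from Watson Explorer Content Analytics, shows why the pre-filtering and post-filtering modes described above diverge on a deny ACL. The index can store only the principals that are granted read access (Default, groups, users), so a query from a user whose own entry is None still matches on the Default or group token; post-filtering re-evaluates the live ACL and hides the item. The folder ACLs, item names, user names and the precedence rule (an explicit user entry overrides group and Default entries, as the deny conditions above imply) are constructed for the example.

```python
# Illustrative model of pre-filtering vs post-filtering for ACL-secured search
# results. Not product code: the ACLs, items and users are constructed samples.
from dataclasses import dataclass, field

FULL_DETAILS = "FullDetails"   # read access level that lets a user see items
NONE = "None"                  # read access level that hides items


@dataclass
class User:
    name: str
    groups: frozenset = frozenset()

    def tokens(self):
        # Security tokens a query carries: the user, the user's groups, and
        # "Default", which stands for every mailbox user.
        return {self.name, "Default"} | set(self.groups)


@dataclass
class Item:
    item_id: str
    folder_acl: dict                       # principal -> FULL_DETAILS or NONE
    indexed_tokens: set = field(default_factory=set)


def crawl(items):
    """Crawl time: copy each folder ACL into the index as a set of allow tokens.
    Only grants can be stored as tokens; a per-user None has no positive token,
    which is the root of the deny-ACL limitation."""
    for item in items:
        item.indexed_tokens = {
            p for p, level in item.folder_acl.items() if level == FULL_DETAILS
        }
    return items


def pre_filter(items, user):
    """Query time, pre-filtering: intersect the query tokens with the indexed
    tokens; Exchange Server is not contacted."""
    return [i.item_id for i in items if i.indexed_tokens & user.tokens()]


def effective_read_access(folder_acl, user):
    """Evaluate the live ACL: an explicit entry for the user overrides group and
    Default entries (assumed precedence, modelled on the deny conditions)."""
    if user.name in folder_acl:
        return folder_acl[user.name]
    if any(folder_acl.get(g) == FULL_DETAILS for g in user.groups):
        return FULL_DETAILS
    return folder_acl.get("Default", NONE)


def post_filter(items, user):
    """Query time, post-filtering: re-check every candidate against the current
    ACL held by the data source (folder_acl stands in for the live lookup)."""
    return [i.item_id for i in items
            if effective_read_access(i.folder_acl, user) == FULL_DETAILS]


def sample_items():
    # Constructed sample: a folder that grants everyone but explicitly denies
    # bob, a folder granted only to a group, and a folder private to alice.
    return crawl([
        Item("budget-2024", {"Default": FULL_DETAILS, "finance": FULL_DETAILS, "bob": NONE}),
        Item("team-notes", {"Default": NONE, "finance": FULL_DETAILS}),
        Item("alice-draft", {"Default": NONE, "alice": FULL_DETAILS}),
    ])


def compare(user):
    """Return what each filtering mode would show the user for the sample."""
    items = sample_items()
    return {"pre": pre_filter(items, user), "post": post_filter(items, user)}


if __name__ == "__main__":
    bob = User("bob", frozenset({"finance"}))
    carol = User("carol")
    print("bob  ", compare(bob))    # pre-filtering leaks budget-2024, post-filtering hides it
    print("carol", compare(carol))  # no explicit deny, so both modes agree
```

For bob the two modes disagree on budget-2024: his query carries the Default and finance tokens that were indexed from the grants, so pre-filtering returns the item, while post-filtering finds his explicit None entry and drops it. Carol, who has no explicit entry, gets the same result from both modes, which is why the page recommends post-filtering only for the deny case and notes that MailboxPermission ACLs are unaffected.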
Private items
Exchange Server users can flag an item as private to hide it from other users. A user who has access to another user's mailboxes or folders through MailboxPermission, or through Delegation with private access rights, can see private items in those mailboxes and folders through Outlook. A user who has only MailboxFolderPermission, or Delegation without private access rights, cannot see private items in another user's mailboxes and folders.
Watson Explorer Content Analytics can behave the same way as Outlook: users who have access to another user's mailboxes or folders through MailboxPermission, or through Delegation with private access rights, can search private items in those mailboxes and folders. However, when Delegation with private access rights is assigned to a group, the members of that group cannot search private items. The crawler must know a group's name to obtain the list of its members, and it cannot obtain the name of a group that has Delegation settings.
Through Exchange Web Services (EWS) on Exchange Server 2010, any user who has permission to read a folder's content can see its private items. When the Exchange Server crawler uses EWS for post-filtering, the result therefore differs from Outlook: private items are not hidden from users who lack private access rights. For secure search of private items, enable pre-filtering security options when you configure the crawler.
The following table summarizes, for each permission, whether a user who holds it can see private items in another user's mailbox or folder through Exchange Server (Outlook or EWS) and through Watson Explorer Content Analytics secure search (permission assigned to the user directly or to a group that the user belongs to).
Permission | Exchange Server: Outlook | Exchange Server: EWS | Secure search: permission assigned to a user | Secure search: permission assigned to a group
---|---|---|---|---
MailboxPermission | Yes | Yes | Yes | Yes
MailboxFolderPermission | No | Yes | No | No
Delegation with private access rights | Yes | Yes | Yes | No
Delegation without private access rights | No | Yes | No | No