Security on search
The search features in Genus Desktop are powerful and easy to use, and it is therefore important to consider the security settings for objects and user groups.
- Which users should be able to view the different data
- Which object should be searchable
- Which properties should be searchable
- Which objects should be searchable using advanced search
- Which related data sources should be available when searching for a certain object
Permissions on data
The Genus desktop client offers several ways to search and view data, and the permissions on data are therefore the most important aspect to consider when limiting access to data. Permissions can be set on both Object Classes and individual Properties.
Search on object class properties and named search fields
By enabling search on an object class and setting common search properties you can define what objects and properties should be available for standard searches. Searchable properties can also be defined through named search fields in table views.
Search views
Basic Views and Table Views that are enabled as Search View, are available for use with search in the search task pane.
Searching based on other data sources
Genus allows you to search for data in a data source based on search criteria on other data sources. It is important to be aware of some security limitations when enabling this type of search feature. When criteria are set in other data sources, permissions on the objects in the other data sources is NOT checked. This is due to performance issues.
For example:
An application model consists of Activity and Note. Activity is readable for everyone, but a note is personal and can only be viewed by the creator of the note. When searching for an activity by setting criteria on note, the user can indirectly check for content in the note without having read access to the note itself. Let us say the user is searching for activities, with a note containing the string "Secret", and the result is that an activity is found. The user is not able to read the actual note, but knows that one of the notes on the activity contains the search string. This is a very specific case, but should be taken into consideration if dealing with very sensitive data.
In this example, a solution may be to remove the ability to search for Activity based on criteria on Notes, and remove the permission Set Search Criteriafor Note. Instead the users that needs this functionality, can search directly for Notes, and then explore Activities from the search result.
Advanced search
The Set Search Criteria permission makes an object class available in Advanced Search. Note that, when this permission is set, all properties the user has access to in the object class, is searchable in advanced search. Search paths are used to make related object classes available in advanced search. This allows for finding objects given search criteria on related data sources.
Search folders
Search Folders are pre-defined searches, and these can have specific permissions to limit access to certain user groups. See Security Permissions for information on how to set permissions on Search Folders.
Search in history
Users with permissions can search their own history. The privilege Combine event history for all users can be granted to specific user groups to give access to searching for events logged by any user. Searching in history can be time consuming and incur performance penalties depending on the amount of logged data. This is especially true for searches across many users.