How to add user / group permission to search Workplace Search using Network data connector as data source

I can add a user to have access to Workplace Search and search documents from the index created by the Network Drive Connector.
Basically, I add the user's SID and email to the identity_mappings.csv file and run ees_network_drive permission-sync.
When I do the same with an AD group, members of the AD group cannot search.
Question: How can I give permission to an AD group so that members of the AD group can use Workplace Search?

Hey there. This "GitHub - elastic/enterprise-search-network-drive-connector: Official Enterprise Search | Workplace Search - Network Drives Connector" is a custom content source type: "Managing document access & permissions for content sources | Workplace Search documentation [8.7] | Elastic". So this is the relevant guide to help you with attaching this to the Workplace Search experience.

@Serena_Chou
I read all of the above.
My documents have user-level and AD group-level permissions.
When a user gets to Workplace Search, they can successfully search documents that have user-level permission.
So far so good.
But another user who is a member of the group cannot search the document.
Example:
- Document1
- Permissions: user1 and group1

In the above example, user1 and group1 have permission to Document1.
user2 is a member of group1.

If user1 searches for the document, he can get to the document.
But if user2 (who is a member of group1) searches for Document1, he cannot find Document1.
Basically, members of the groups cannot search documents, although their group has permission to the document.

@aldol have you added the user's group SIDs (mapped to their email addresses) in your identity_mappings.csv as well? Note from this document: GitHub - elastic/enterprise-search-network-drive-connector: Official Enterprise Search | Workplace Search - Network Drives Connector

Copy to your server a CSV file that provides the mapping of user identities. The file must follow this format:

  • First column: network drive user's/group's SID
  • Second column: Elastic username

@Sean_Story Yes, I did. I added the SID, which is clear, and next to it I added the Name coming from the PowerShell script below:
get-adgroup MY-GROUP | Select Name,SID,ObjectGUID | FL
So whatever comes out of Select Name above is added in the same format I used for individuals.

S-1-5-21-212344-4355-3455-81545,MY-GROUP

What would be the second column (Elastic username)?
The email of the group or the group name?

@aldol it sounds like you added extra columns, instead of extra rows. In your above example of user1 and user2 who are both in group1, your CSV should look like:

user1,elastic-user1
group1,elastic-user1
user2,elastic-user2
group1,elastic-user2

NOT

user1,group1,elastic-user1
user2,group1,elastic-user2

@Sean_Story
I have 2 users and 1 group as below:
USER | SID | Email
USER1 | SID1 | USER1@aaa.com
USER2 | SID2 | USER2@aaa.com
GROUP1| SID3 | GROUP1@aaa.com

On each row I have USER, SID and email.
USER2 is a member of GROUP1.

What would be my identity_mappings.csv?

I have below for user one and it is working:
SID1,USER1@aaa.com

For GROUP1 what should I add?
SID3,GROUP1
or
SID3,USER2@aaa.com
or
GROUP1@aaa.com,USER2@aaa.com
Or something else

Please write the identity_mapping for the above 3 rows so that USER2, which is a member of GROUP1, can see documents permitted for GROUP1.
Remember, GROUP1 is a Windows AD group and USER1, USER2 are Windows AD users.

As explained above, it would not be 3 rows, it would be 4. A single user will have multiple rows - one row for their user SID, and another row for each group they are a part of. For the example you've given in your latest message, your CSV should be:

SID1,USER1@aaa.com
SID3,USER1@aaa.com
SID2,USER2@aaa.com
SID3,USER2@aaa.com
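
The row-per-membership rule from the answer above, as an added example (not part of the thread or the connector's own code): a Python script that expands users and group memberships into identity_mappings.csv rows and checks an existing file for the mistakes seen in this thread. The `USERS`/`GROUPS` data, the function names, and the assumption that both users belong to GROUP1 (as in the CSV above) are constructed for illustration.

```python
import csv
import io

# Constructed sample data: placeholder SIDs from the thread, not real values.
USERS = {"SID1": "USER1@aaa.com", "SID2": "USER2@aaa.com"}  # user SID -> Elastic username
GROUPS = {"SID3": ["SID1", "SID2"]}  # group SID -> member user SIDs (assumed membership)


def build_rows(users, groups):
    """Return (sid, elastic_username) rows: one per user plus one per group membership."""
    rows = []
    for user_sid, username in users.items():
        rows.append((user_sid, username))
        for group_sid, members in groups.items():
            if user_sid in members:
                rows.append((group_sid, username))
    return rows


def to_csv(rows):
    """Serialize rows in the two-column format the connector documentation describes."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def check_mapping(text, users, groups):
    """Return a list of problems found in the text of an existing mapping file."""
    problems, seen = [], set()
    usernames = set(users.values())
    expected = set(build_rows(users, groups))
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if len(row) != 2:  # e.g. user SID, group SID and username on one row
            problems.append(f"line {n}: expected 2 columns, got {len(row)}")
            continue
        sid, username = (c.strip() for c in row)
        seen.add((sid, username))
        if username not in usernames:  # e.g. a group name in the second column
            problems.append(f"line {n}: {username!r} is not a known Elastic username")
        elif (sid, username) not in expected:  # would grant access the user lacks
            problems.append(f"line {n}: {username!r} does not own or belong to {sid!r}")
    for sid, username in sorted(expected - seen):
        problems.append(f"missing row: {sid},{username}")
    return problems


if __name__ == "__main__":
    print(to_csv(build_rows(USERS, GROUPS)), end="")
```

A row that pairs a group SID with a user who is not in that group would let that user find documents restricted to the group, which is why the check flags it.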

@Sean_Story
The issue is resolved by the above example.
The statement below on the site was not very clear:

*Copy to your server a CSV file that provides the mapping of user identities. The file must follow this format:*

  • *First column: network drive user's/group's SID*
  • *Second column: Elastic username*

Some samples next to the statement could help a lot 🙂
Thanks for your help 🙂
