Is it possible to apply document-level permissions to Google Drive synchronized documents?

Hello.
I'm using WorkplaceSearch of v.8.12.0 Elastic Cloud.
I have connected WorkplaceSearch and Google Drive with Google Drive connector.

Is there a way to give the WorkplaceSearch user the same permission as the Google Drive account?
Therefore the user can only search and get results of permitted documents in the Google Drive account.

Hi Mizuki Amano,

It should be possible, but you will need to do identity mapping on your side using this API.

It can be trivial if your login on Elasticsearch and email in Google Drive are the same - e.g. johndoe in Elasticsearch and johndoe@gmail.com in Google Drive, but even in this case you'll need to do it on your side via a script.

Hi.
I have already done the API but it looks did not work. :cry:
The user can still get non-permitted documents as a search result.

The return from the API looks like it has no error though.

{"content_source_id":"<content-source-id>","external_user_id":"<the email of Google Drive>","external_user_properties":[{"attribute_name":"_elasticsearch_username","attribute_value":"<the Elasticsearch username>"}],"permissions":[]}

As you said the email of the Elasticsearch user and the email in Google Drive are the same.

@Artem_Shelkovnikov
Hi.
I also wonder if there are other ways to apply document-level permission and get the search results by not creating new users one by one for Workplacesearch.
Because there are many users and the number of users will continue to increase.

It's good to use this page as a starting point of investigation.

  1. You will need to look at the documents that the user sees that they should not see. What is inside _allow_access_control and _deny_access_control fields for this documents? Is the user that you are using in these fields? Are these fields even present?
  2. How do you query the documents for the user? Do you use UI, do you use API for it?

There is no other way - identity mapping is not a trivial process and it's really easy to make a mistake there that will cause users see documents that they should not see, if done automatically.

This needs to happen on your side - either by having a file with your identity mapping that you store under version control - or by having a script that contains the logic to do the mapping and send API requests to Workplace Search.