WO2008086380A1 - Integrating enterprise search systems with custom access control application programming interfaces - Google Patents

Integrating enterprise search systems with custom access control application programming interfaces Download PDF

Info

Publication number
WO2008086380A1
WO2008086380A1 PCT/US2008/050552 US2008050552W WO2008086380A1 WO 2008086380 A1 WO2008086380 A1 WO 2008086380A1 US 2008050552 W US2008050552 W US 2008050552W WO 2008086380 A1 WO2008086380 A1 WO 2008086380A1
Authority
WO
WIPO (PCT)
Prior art keywords
api
call
document
access rights
exposed
Prior art date
Application number
PCT/US2008/050552
Other languages
French (fr)
Inventor
Arshish Cyrus Kapadia
Jonah Sarbin Burke
Original Assignee
Microsoft Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Microsoft Corporation filed Critical Microsoft Corporation
Priority to CN2008800019388A priority Critical patent/CN101583952B/en
Priority to KR1020097014290A priority patent/KR101458234B1/en
Priority to JP2009545650A priority patent/JP2010518467A/en
Priority to EP08705786.5A priority patent/EP2118786B1/en
Publication of WO2008086380A1 publication Critical patent/WO2008086380A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6236Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database between heterogeneous systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/448Execution paradigms, e.g. implementations of programming paradigms
    • G06F9/4482Procedural
    • G06F9/4484Executing subprograms
    • G06F9/4486Formation of subprogram jump address

Definitions

  • Enterprise search systems allow content stored within an organization to be indexed, searched, and displayed to authorized users within the organization.
  • enterprise search engines typically must index and query against structured and unstructured data and documents stored by multiple, independent, third- party enterprise software applications and systems.
  • an enterprise search system must index and query against data stored in intranets, document and content management systems, file servers, corporate desktops, business applications such as customer relationship management and business intelligence applications, and other types of content stores.
  • enterprise search systems In contrast to public search engines that search publicly available data and allow virtually any user to execute queries on the data, such as World Wide Web (“Web”) search engines, enterprise search systems generally index data for which access may be limited. For instance, a document indexed by an enterprise search system may have an associated access control list (“ACL") that includes one or more access control entries (“ACEs”) that identify the access rights a user has to the document.
  • ACL access control list
  • ACEs access control entries
  • an enterprise search system may retrieve and store the access rights for a document at the time the document is added to the search index. At query time, the enterprise search system can utilize the previously stored access rights to determine if the user executing the query has sufficient rights to view the search results. Alternatively, an enterprise search system may query the back-end system at which each document in a set of search results is stored for access rights to the document for the user at the time the query is performed. A combination of these methods may also be utilized to minimize drawbacks present in each method.
  • enterprise search systems must interface with the back-end computer systems at which the indexed documents are stored in order to retrieve the access rights.
  • security sub-systems of each third-party back-end computer system utilize application programming interfaces ("APIs") that are disparate, arcane, and proprietary.
  • APIs application programming interfaces
  • a declarative metadata model is utilized to create and store data defining a custom API exposed by a back-end content store for retrieving access rights for documents stored therein.
  • a normalized API for obtaining access rights for a document is also exposed.
  • the stored data is utilized to transform the call to the normalized API into a call to the custom API. In this manner, access may be had to access rights stored by a proprietary back-end computing system without writing any program code.
  • data is created and stored that defines a custom API exposed by a back-end computing system for obtaining access rights for a document.
  • the stored data may include information, for instance, identifying parameters of a method exposed by the custom API for obtaining access rights and data indicating whether each of the parameters is an input parameter or an output parameter.
  • One of the parameters may also be tagged to indicate that the parameter corresponds to an identifier for the document for which access rights are requested.
  • Another of the parameters may be tagged to indicate that it corresponds to a system-supplied value, such as the user identifier for the current user. Default values may also be specified and stored for each of the parameters.
  • a normalized API may be exposed to applications executing within an enterprise search system for obtaining access rights for a document.
  • the interface presented by the normalized API is a consistent interface that various applications executing within the enterprise search system may utilize to obtain access rights for a document, regardless of the back-end content store on which the document resides.
  • a search crawler program and a query processor program may both utilize a method exposed by the normalized API to obtain access rights for documents.
  • the method exposed by the normalized API receives a parameter identifying the document for which access rights are requested and may, optionally, receive a user identifier for authentication purposes.
  • the call to the normalized API is dynamically transformed into a call to the appropriate custom API using the stored data.
  • the stored data may be utilized to instantiate a call to a method exposed by the custom API using the default values for its parameters.
  • the parameter identifying the document for which access rights are requested that is received with the call to the normalized API is then substituted for the default value of the parameter tagged as corresponding to the document identifier in the custom API.
  • the user identifier for the current user may also be substituted for the default value of the parameter tagged as corresponding to a system- supplied value.
  • the call to the custom API is executed.
  • the custom API then returns the requested access rights in response to the call.
  • the access rights returned from the custom API are then returned in response to the original call to the normalized API.
  • FIGURE 1 is a network and software architecture diagram showing an illustrative operating environment for the processes and computer systems described herein, and several of the software components utilized by the computer systems described herein;
  • FIGURE 2 is a software architecture diagram showing aspects of an API transformer program provided in one embodiment described herein;
  • FIGURES 3 and 4 are flow diagrams illustrating processes provided herein according to embodiments for obtaining access rights for a document at the time the document is added to a search index and for obtaining access rights for a document at search time, respectively;
  • FIGURE 5 is a computer architecture diagram showing a computer architecture suitable for implementing the various computer systems described herein.
  • FIGURE 1 is a computer software architecture and network diagram illustrating one operating environment 100 for the subject matter described herein that includes a client computer 102, a network 122, and one or more Web server computers 104A-104B.
  • the client computer 102 and the Web server computers 104A-104B are communicatively coupled to one another through respective connections to the network 122.
  • the network 122 comprises the Internet.
  • the network 122 may comprise a LAN, WAN, or other type of network suitable for connecting the client computer 102 and the Web server computers 104A-104B.
  • the Web server computers 104A-104B are also coupled to a back-end system 112.
  • the back-end system 112 is a computing system capable of storing documents in a content store 114.
  • the term document means any indexable unit of data. Additional details regarding the operation of the back- end system 112 are provided below.
  • FIGURE 1 also illustrates a number of software components utilized by the client computer 102 and the Web server computers 104A-104B.
  • the Web server computers 104A-104B are operative to execute the search crawlers 106A-106B, respectively.
  • the search crawlers 106A-106B are application programs designed to gather documents from a variety of sources, such as documents stored in the content store 114 of the back-end system 112.
  • the back-end system 112 may comprise any type of computing system utilized to store content, such as an intranet server, a document or content management system, a file server, a corporate desktop, a business application such as a customer relationship management application or a business intelligence application, or another type of content store.
  • the search crawlers 106A-106B are seeded with information about content stores.
  • the search crawlers 106A-106B then retrieve documents from the content stores, index the documents, and store the indexed content and any associated metadata in a database called the search index 108.
  • the search crawlers 106A-106B may also identify links to other documents contained in each document and follow the links to obtain and index additional documents. This process is referred to as "crawling.”
  • the search crawlers 106A-106B may also obtain the access rights for each document that is indexed. For instance, the search crawlers 106A- 106B may obtain a list of authorized users for each document. According to one implementation, the access rights are obtained by utilizing the appropriate API transformer 11 OA-11OB to query the back-end system 112 for the list of authorized users. Additional details regarding the use and operation of the API transformers 11 OA- 11 OB are provided below.
  • the client computer 102 includes a Web browser program (referred to herein as a "browser") 116.
  • the browser 116 is operative to request, receive, and display information pages, such as Web pages, from the server computers 104A-104B.
  • the browser 116 is operative to establish a connection with one of the Web server applications 118A-118B executing on the server computes 104A-104B.
  • the browser 116 may request a Web page for executing a query of the search index 108.
  • Such a query request is processed by a query processor 120A- 120B executing on the Web server computer 104A-104B that fields the query request.
  • the query processors 120A- 120B respond to user queries by identifying the documents in the search index 108 that contain the keywords in the user query.
  • the query processors 120A- 120B also evaluate whether or not each document should be returned as a search result based upon whether the user performing the query has sufficient access rights to view each document.
  • each query processor 120A- 120B may dynamically query the back-end system 112 for access rights indicating whether the user executing the query has permissions to view each document in the search results. This query is invoked through the appropriate API transformer 11 OA-11OB.
  • the API transformers 11 OA- 11 OB expose a normalized API for obtaining the access rights for documents.
  • the API transformers 11 OA- 11 OB expose a method for use by the search crawlers 106A-106B for retrieving access rights for documents discovered during the crawl process.
  • the API transformers 11 OA- HOB translate the normalized call received from the search crawler to the specific custom access rights API exposed by the back-end system 112. The access rights returned from the back-end system are then returned to the calling search crawler.
  • the normalized API exposed by the API transformers 11 OA- 11 OB may also be utilized by the query processors 120A- 120B at query time to retrieve the access rights for documents identified in query search results.
  • the query processors 120A- 120B may call the normalized API exposed by the respective API transformer 11 OA- HOB.
  • the API transformers 11 OA-11OB translate the normalized call received from the search crawler into a call to the specific custom access rights API exposed by the back-end system 112.
  • the access rights returned from the back-end system 112 are then returned to the calling query processor. Additional details regarding the use and operation of the API transformers 11 OA-11OB are provided below. It should be appreciated that although only two Web server computers 104A-104B, one back-end system 112, and one client computer 102 have been illustrated in FIGURE 1, any number of these computing devices may be present.
  • FIGURE 2 a software architecture diagram showing aspects of an illustrative software architecture 200 for an enterprise search system that includes an API transformer 110 will be described.
  • the API transformer 110 exposes a normalized API for retrieving the access rights for a document.
  • the normalized interface presented by the normalized API is a consistent interface that various applications executing within the enterprise search system may utilize to obtain access rights for a document, regardless of the back-end content store on which the document resides.
  • a search crawler 106 and a query processor 120 may both utilize a method exposed by the normalized API to obtain access rights for documents.
  • the methods exposed by the normalized API receive a parameter identifying the document for which access rights are requested and may, optionally, receive a user identifier for authentication purposes.
  • the normalized API exposed by the API transformer 110 includes a CHECKACCESS method by which the access rights to a group of documents may be retrieved for a single user.
  • the CHECKACCSS method takes an array of document identifiers as a parameter and returns a long value that indicates whether the current user has access to each of the referenced documents.
  • the CHECKACCESS method is typically utilized by the query processor 120 to determine if the current user has access rights to view a collection of search results.
  • the normalized API exposed by the API transformer 110 may also include a PERMITTEDUSERS method by which the access rights for all users for a collection of documents may be retrieved. This method takes an array of document identifiers as input and returns a string indicting the access rights of all users to each document identified in the array.
  • the PERMITTEDUSERS method is typically utilized by the search crawler 106 to retrieve the access rights for all users to view documents retrieved during crawling.
  • the API transformer 110 is operative to dynamically transform calls to the normalized APIs into calls compatible with the custom APIs exposed by the back-end systems 112A-112B. [0032] As mentioned above, the back-end systems 112A-112B may expose custom
  • APIs for retrieving access rights data for documents stored in the content stores 114A- 114B may expose a GETDISPLAYABLECUSTOMERS method for retrieving the access rights for a user to one or more customers. This method takes as input an end user identity and a customer number, and returns a Boolean value indicating whether the end user has rights to view the customer.
  • a SAP system may also expose a
  • GETAUTHOPJZEDUSERSFORCUSTOMER method by which all of the access rights to a particular customer may be retrieved. This method takes as input a customer number and returns a list of strings indicating the access rights to the referenced customer.
  • the API transformer 110 dynamically transforms this call into a call in the form of GETAUTHORIZEDUSERSFORCUSTOMER(36) directed to the back-end system 112B.
  • the API transformer 110 utilizes metadata stored in the metadata store 202 to transform a call to the normalized API into a call to the custom API exposed by the back-end systems 112A-112B.
  • the metadata store 202 is utilized to store data that describes the actual APIs exposed by the back-end systems 112A-112B and the type of connections required to communicate with each of the back- end systems 112A-112B.
  • a user familiar with the back-end system 112A may create a description of the actual APIs exposed by the system and the connection information in an extensible markup language (“XML”) file.
  • the XML file is uploaded to the enterprise search system and stored in the metadata store 202.
  • the connection to the access rights APIs provided by the back-end system 112A are immediately available for use.
  • no coding is required to interface with a new type of back-end content storage system.
  • the data stored in the metadata store 202 for each back- end system 112 includes data identifying each of the parameters in the API exposed by the back-end system.
  • the parameters may be defined through the use of complex types that represent the parameters of a concrete API defined as aggregations of atomic types, such as strings or integers. Collections may be defined as groups of complex types.
  • the data stored in the metadata store 202 may also include data indicating whether each parameter is an input parameter or an output parameter and default values for some or all of the parameters.
  • the data stored in the metadata store 202 for each back-end system 112 may also include the definition of each data type provided by the back-end system 112 and which fields uniquely identify an instance of the data type. For instance, data may be stored indicating that the data type is a customer in a SIEBEL back-end system or an order in an SAP system. Linkages, called tags, may also be stored in the metadata store 202 for the primitive types of the custom API and the parameters in the API corresponding to an instance of the data type. For instance, a parameter that is utilized to uniquely identify a document in the API may be tagged as such.
  • the API transformer 110 can insert the document identifier in the appropriate location in the call to the API provided by the back-end system 112. Additional details regarding this process are provided below.
  • the parameters of the back-end API that correspond to system-supplied values may also be tagged as such in the metadata store 202.
  • the system- supplied value is a parameter identifying a current user.
  • the query processor 120 can provide the identity of the current user to the API transformer 110.
  • the API transformer 110 can then substitute the identity of the current user for the appropriate parameter in the call to the back-end system 112. Additional details regarding this process are provided below.
  • the data stored in the metadata store 202 for each back-end system 112 may also include connection information for a third-party data store system so that a connection may be made to the system for executing the access check.
  • the data may also include the type of protocol necessary to execute the back-end API. For instance, in implementations, a remote procedure call ("RPC") or a Web service may be utilized to execute the call to the back-end API.
  • RPC remote procedure call
  • Web service may be utilized to execute the call to the back-end API.
  • the data stored in the metadata store 202 is organized as a series of data tables. For instance, one table may be utilized to store data identifying the various back-end systems and another table may be utilized to store information identifying the data type stored in each content store. Another table may be utilized to store data identifying the security methods exposed by each content store by data type. For instance, access to sales orders in a back-end system may utilize a different API than for accessing customers. A table may also be utilized to store data identifying each of the parameters of the custom back-end API, and other tables may be utilized to store information defining the atomic data types utilized by each parameter. It should be appreciated that the metadata store 202 may be organized in a variety of other manners.
  • the API transformer 110 utilizes one or more shims 204A-204N to perform the protocol-specific calls to the custom APIs exposed by the back-end systems 112 A.
  • a Web service shim 204 A may be provided for making Web service calls
  • an RPC shim 204B may be provided for remote procedure calls
  • a database shim 204C may be provided for interfacing with a database.
  • Other shims 204N may also be utilized.
  • data defining the particular shim 204A-204N to use for each back-end system 112A or data type may be stored in the metadata store 202.
  • data may be stored indicating that the Web service shim 204 A should be utilized for certain types of documents stored in the content store 114A of the back-end system 112 A.
  • Data may also be stored in the metadata store 202 indicating that the database shim 204C should be utilized for retrieving access rights for documents stored in the content store 114B of the back-end system 112B.
  • FIGURE 3 is a flow diagram illustrating the operation of an enterprise search system including an API transformer 110 for obtaining access rights to a document at crawl time.
  • the logical operations described herein are implemented (1) as a sequence of computer implemented acts or program modules running on a computing system and/or (2) as interconnected machine logic circuits or circuit modules within the computing system. The implementation is a matter of choice dependent on the performance requirements of the computing system. Accordingly, the logical operations described herein are referred to variously as operations, structural devices, acts, or modules. These operations, structural devices, acts and modules may be implemented in software, in firmware, in special purpose digital logic, and any combination.
  • the routine 300 continues to operation 308.
  • the API transformer 110 instantiates a call to the appropriate back-end system method.
  • the call is instantiated using default values for each of the parameters stored in the metadata store 202.
  • the routine 300 then continues to operation 310, where the API transformer 110 substitutes the document identifier received with the call to the normalized API for the appropriate parameter of the instantiated call to the back-end system API.
  • the API transformer 110 utilizes data stored in the metadata store 202 to identify the correct location for the document identifier parameter.
  • a user identifier received with the call to the normalized API may also be inserted into the appropriate location in the call to the back-end system API.
  • routine 300 continues to operation 312, where the API transformer 110 executes the call against the appropriate back-end system 112.
  • the appropriate shim 204A-204N may be utilized to actually perform the remote method call.
  • the back-end system returns the requested access rights at operation 314.
  • the API transformer 110 then provides the returned access rights to the search crawler 106 in response to the original call to the normalized API exposed by the API transformer 110. This occurs at operation 316.
  • the search crawler 106 stores the returned access rights in the search index 108, or other appropriate data store.
  • the query processor 120 may utilize this information to trim search results at query time without requiring communication with the back-end system that provided the access rights. From operation 318, the routine 300 continues to operation 320, where it ends.
  • routine 400 for obtaining access rights to a document at search time in an enterprise search system that includes an API transformer 110.
  • the routine 400 begins at operation 402, where the client computer 102 executes a search query at the query processor 120.
  • the routine 400 continues from operation 402 to operation 404, where the query processor 120 retrieves the URLs of documents matching the specified search terms from the search index 108.
  • the query processor 120 then calls the normalized API exposed by the API transformer 110 with the identified URLs. This occurs at operation 406.
  • the routine 400 continues to operation 410.
  • the API transformer 110 instantiates a call to the appropriate back-end system method.
  • the call is instantiated using default values for each of the parameters stored in the metadata store 202.
  • the routine 400 then continues to operation 412, where the API transformer 110 inserts the document identifier and the user identifier received with the call to the normalized API into the appropriate location in the call to the back-end system API.
  • the routine 400 continues to operation 414, where the API transformer 110 executes the call against the appropriate back-end system 112. As described above, the appropriate shim 204A-204N may be utilized to perform the remote method call. In response to execution of the method, the back-end system returns the requested access rights at operation 416. The API transformer 110 then provides the returned access rights to the query processor 120 in response to the original call to the normalized API exposed by the API transformer 110. At operation 418, the query processor 120 trims the search results based on the returned access rights. For instance, results that the current user does not have permission to read will not be displayed while results that the current user does have permission to read will be displayed. From operation 418, the routine 400 continues to operation 420, where it ends.
  • FIGURE 5 an illustrative computer architecture for a computer 500 utilized in the various embodiments presented herein will be discussed.
  • the computer architecture shown in FIGURE 5 illustrates a conventional desktop, laptop computer, or server computer.
  • the computer architecture shown in FIGURE 5 includes a central processing unit 502 ("CPU"), a system memory 508, including a random access memory 514 (“RAM”) and a read-only memory (“ROM”) 516, and a system bus 504 that couples the memory to the CPU 502.
  • a basic input/output system containing the basic routines that help to transfer information between elements within the computer 500, such as during startup, is stored in the ROM 516.
  • the computer 500 further includes a mass storage device 510 for storing an operating system 518, application programs, and other program modules, which will be described in greater detail below.
  • the mass storage device 510 is connected to the CPU 502 through a mass storage controller (not shown) connected to the bus 504.
  • the mass storage device 510 and its associated computer-readable media provide non- volatile storage for the computer 500.
  • computer-readable media can be any available media that can be accessed by the computer 500.
  • computer-readable media may include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data.
  • computer-readable media includes, but is not limited to, RAM, ROM, EPROM, EEPROM, flash memory or other solid state memory technology, CD-ROM, digital versatile disks ("DVD”), HD-DVD, BLU-RAY, or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer 500.
  • the computer 500 may operate in a networked environment using logical connections to remote computers through a network 122, such as the Internet.
  • the computer 500 may connect to the network 122 through a network interface unit 506 connected to the bus 504. It should be appreciated that the network interface unit 506 may also be utilized to connect to other types of networks and remote computer systems.
  • the computer 500 may also include an input/output controller 512 for receiving and processing input from a number of other devices, including a keyboard, mouse, or electronic stylus (not shown in FIGURE 5). Similarly, an input/output controller may provide output to a display screen, a printer, or other type of output device (also not shown in FIGURE 5).
  • a number of program modules and data files may be stored in the mass storage device 510 and RAM 514 of the computer 500, including an operating system 518 suitable for controlling the operation of a networked desktop or server computer, such as the WINDOWS XP or WINDOWS VISTA operating systems from MICROSOFT CORPORATION of Redmond, Washington.
  • an operating system 518 suitable for controlling the operation of a networked desktop or server computer, such as the WINDOWS XP or WINDOWS VISTA operating systems from MICROSOFT CORPORATION of Redmond, Washington.
  • Other operating systems such as the LINUX operating system or the OSX operating system from APPLE COMPUTER, INC. may be utilized.
  • LINUX operating system or the OSX operating system from APPLE COMPUTER, INC.
  • the mass storage device 510 and RAM 514 may also store one or more program modules.
  • the mass storage device 510 and the RAM 514 may store a Web browser 116, a Web server application 118, and the other program modules described above with respect to FIGURES 1 and 2.
  • Other program modules may also be stored in the mass storage device 510 and utilized by the computer 500.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

Methods and computer-readable media are provided herein for integrating enterprise search systems with proprietary back-end content store access control APIs. A declarative metadata model is utilized to create and store data defining a custom API exposed by a back-end content store for retrieving access rights for documents stored therein. A normalized API for obtaining access rights for a document is also exposed. When a call is made to the normalized API, the stored data is utilized to transform the call to the normalized API into a call to the custom API.

Description

INTEGRATING ENTERPRISE SEARCH SYSTEMS WITH CUSTOM ACCESS
CONTROL APPLICATION PROGRAMMING INTERFACES
BACKGROUND
[0001] Enterprise search systems allow content stored within an organization to be indexed, searched, and displayed to authorized users within the organization. In order to provide this functionality, enterprise search engines typically must index and query against structured and unstructured data and documents stored by multiple, independent, third- party enterprise software applications and systems. For instance, in many cases an enterprise search system must index and query against data stored in intranets, document and content management systems, file servers, corporate desktops, business applications such as customer relationship management and business intelligence applications, and other types of content stores.
[0002] In contrast to public search engines that search publicly available data and allow virtually any user to execute queries on the data, such as World Wide Web ("Web") search engines, enterprise search systems generally index data for which access may be limited. For instance, a document indexed by an enterprise search system may have an associated access control list ("ACL") that includes one or more access control entries ("ACEs") that identify the access rights a user has to the document. As a result, when an enterprise search system executes a query, it must ensure that the user executing the query has sufficient access rights to view the search results returned in response to the query.
[0003] In order to determine whether a user has sufficient access rights to view search results, an enterprise search system may retrieve and store the access rights for a document at the time the document is added to the search index. At query time, the enterprise search system can utilize the previously stored access rights to determine if the user executing the query has sufficient rights to view the search results. Alternatively, an enterprise search system may query the back-end system at which each document in a set of search results is stored for access rights to the document for the user at the time the query is performed. A combination of these methods may also be utilized to minimize drawbacks present in each method. [0004] Regardless of whether the access rights are retrieved at the time a document is added to the search index or at query time, enterprise search systems must interface with the back-end computer systems at which the indexed documents are stored in order to retrieve the access rights. Often, however, the security sub-systems of each third-party back-end computer system utilize application programming interfaces ("APIs") that are disparate, arcane, and proprietary. As a result, it may be necessary to create custom program code to interface with each back-end security sub-system API each time a new type of back-end content store is added to an enterprise search system. This generally makes the integration between enterprise search systems and third-party data store systems difficult, expensive, and time consuming.
[0005] It is with respect to these considerations and others that the disclosure made herein is provided.
SUMMARY
[0006] Methods and computer-readable media are provided herein for integrating enterprise search systems with custom APIs exposed by back-end content stores for obtaining access rights data. According to aspects presented herein, a declarative metadata model is utilized to create and store data defining a custom API exposed by a back-end content store for retrieving access rights for documents stored therein. A normalized API for obtaining access rights for a document is also exposed. When a call is made to the normalized API, the stored data is utilized to transform the call to the normalized API into a call to the custom API. In this manner, access may be had to access rights stored by a proprietary back-end computing system without writing any program code.
[0007] According to one aspect presented herein, data is created and stored that defines a custom API exposed by a back-end computing system for obtaining access rights for a document. The stored data may include information, for instance, identifying parameters of a method exposed by the custom API for obtaining access rights and data indicating whether each of the parameters is an input parameter or an output parameter. One of the parameters may also be tagged to indicate that the parameter corresponds to an identifier for the document for which access rights are requested. Another of the parameters may be tagged to indicate that it corresponds to a system-supplied value, such as the user identifier for the current user. Default values may also be specified and stored for each of the parameters.
[0008] According to other aspects, a normalized API may be exposed to applications executing within an enterprise search system for obtaining access rights for a document. The interface presented by the normalized API is a consistent interface that various applications executing within the enterprise search system may utilize to obtain access rights for a document, regardless of the back-end content store on which the document resides. For instance, a search crawler program and a query processor program may both utilize a method exposed by the normalized API to obtain access rights for documents. The method exposed by the normalized API receives a parameter identifying the document for which access rights are requested and may, optionally, receive a user identifier for authentication purposes.
[0009] When a call is received to the method exposed by the normalized API for retrieving access rights for a specified document, the call to the normalized API is dynamically transformed into a call to the appropriate custom API using the stored data. For instance, the stored data may be utilized to instantiate a call to a method exposed by the custom API using the default values for its parameters. The parameter identifying the document for which access rights are requested that is received with the call to the normalized API is then substituted for the default value of the parameter tagged as corresponding to the document identifier in the custom API.
[0010] According to implementations, the user identifier for the current user may also be substituted for the default value of the parameter tagged as corresponding to a system- supplied value. Once the parameters have been specified, the call to the custom API is executed. The custom API then returns the requested access rights in response to the call. The access rights returned from the custom API are then returned in response to the original call to the normalized API.
[0011] The above-described subject matter may also be implemented as a computer- controlled apparatus, a computer process, a computing system, or as an article of manufacture such as a computer-readable medium. These and various other features will be apparent from a reading of the following Detailed Description and a review of the associated drawings. [0012] This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter. Furthermore, the claimed subject matter is not limited to implementations that solve any or all disadvantages noted in any part of this disclosure.
BRIEF DESCRIPTION OF THE DRAWINGS
[0013] FIGURE 1 is a network and software architecture diagram showing an illustrative operating environment for the processes and computer systems described herein, and several of the software components utilized by the computer systems described herein;
[0014] FIGURE 2 is a software architecture diagram showing aspects of an API transformer program provided in one embodiment described herein;
[0015] FIGURES 3 and 4 are flow diagrams illustrating processes provided herein according to embodiments for obtaining access rights for a document at the time the document is added to a search index and for obtaining access rights for a document at search time, respectively; and
[0016] FIGURE 5 is a computer architecture diagram showing a computer architecture suitable for implementing the various computer systems described herein.
DETAILED DESCRIPTION
[0017] The following detailed description is directed to systems, methods, and computer-readable media for integrating enterprise search systems with custom back-end content store access control APIs. While the subject matter described herein is presented in the general context of program modules that execute in conjunction with the execution of an operating system and application programs on a computer system, those skilled in the art will recognize that other implementations may be performed in combination with other types of program modules. [0018] Generally, program modules include routines, programs, components, data structures, and other types of structures that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the subject matter described herein may be practiced with other computer system configurations, including hand-held devices, multiprocessor systems, microprocessor- based or programmable consumer electronics, minicomputers, mainframe computers, and the like.
[0019] The subject matter described herein is also described as being practiced in a distributed computing environment where tasks are performed by remote processing devices that are linked through a communications network and wherein program modules may be located in both local and remote memory storage devices. It should be appreciated, however, that the implementations described herein may also be utilized in conjunction with stand-alone computer systems and other types of computing devices. It should also be appreciated that the embodiments presented herein may be utilized with any type of local area network ("LAN") or wide area network ("WAN").
[0020] In the following detailed description, references are made to the accompanying drawings that form a part hereof, and which are shown by way of illustration specific embodiments or examples. Referring now to the drawings, in which like numerals represent like elements through the several figures, aspects of a computing system and methodology for integrating enterprise search systems with custom back-end content store access control APIs will be described. In particular, FIGURE 1 is a computer software architecture and network diagram illustrating one operating environment 100 for the subject matter described herein that includes a client computer 102, a network 122, and one or more Web server computers 104A-104B.
[0021] As shown in FIGURE 1, the client computer 102 and the Web server computers 104A-104B are communicatively coupled to one another through respective connections to the network 122. According to one implementation, the network 122 comprises the Internet. However, it should be appreciated that the network 122 may comprise a LAN, WAN, or other type of network suitable for connecting the client computer 102 and the Web server computers 104A-104B. The Web server computers 104A-104B are also coupled to a back-end system 112. The back-end system 112 is a computing system capable of storing documents in a content store 114. As used herein, the term document means any indexable unit of data. Additional details regarding the operation of the back- end system 112 are provided below.
[0022] FIGURE 1 also illustrates a number of software components utilized by the client computer 102 and the Web server computers 104A-104B. In particular, the Web server computers 104A-104B are operative to execute the search crawlers 106A-106B, respectively. The search crawlers 106A-106B are application programs designed to gather documents from a variety of sources, such as documents stored in the content store 114 of the back-end system 112. The back-end system 112 may comprise any type of computing system utilized to store content, such as an intranet server, a document or content management system, a file server, a corporate desktop, a business application such as a customer relationship management application or a business intelligence application, or another type of content store.
[0023] In order to perform this document identification and indexing process, the search crawlers 106A-106B are seeded with information about content stores. The search crawlers 106A-106B then retrieve documents from the content stores, index the documents, and store the indexed content and any associated metadata in a database called the search index 108. The search crawlers 106A-106B may also identify links to other documents contained in each document and follow the links to obtain and index additional documents. This process is referred to as "crawling."
[0024] During the crawl process, the search crawlers 106A-106B may also obtain the access rights for each document that is indexed. For instance, the search crawlers 106A- 106B may obtain a list of authorized users for each document. According to one implementation, the access rights are obtained by utilizing the appropriate API transformer 11 OA-11OB to query the back-end system 112 for the list of authorized users. Additional details regarding the use and operation of the API transformers 11 OA- 11 OB are provided below.
[0025] According to one implementation, the client computer 102 includes a Web browser program (referred to herein as a "browser") 116. The browser 116 is operative to request, receive, and display information pages, such as Web pages, from the server computers 104A-104B. In particular, the browser 116 is operative to establish a connection with one of the Web server applications 118A-118B executing on the server computes 104A-104B. Through the connection, the browser 116 may request a Web page for executing a query of the search index 108. Such a query request is processed by a query processor 120A- 120B executing on the Web server computer 104A-104B that fields the query request.
[0026] The query processors 120A- 120B respond to user queries by identifying the documents in the search index 108 that contain the keywords in the user query. The query processors 120A- 120B also evaluate whether or not each document should be returned as a search result based upon whether the user performing the query has sufficient access rights to view each document. As will be described in greater detail below, each query processor 120A- 120B may dynamically query the back-end system 112 for access rights indicating whether the user executing the query has permissions to view each document in the search results. This query is invoked through the appropriate API transformer 11 OA-11OB.
[0027] As will be discussed in greater detail herein, the API transformers 11 OA- 11 OB expose a normalized API for obtaining the access rights for documents. For instance, in one implementation, the API transformers 11 OA- 11 OB expose a method for use by the search crawlers 106A-106B for retrieving access rights for documents discovered during the crawl process. In response to a call to such a method, the API transformers 11 OA- HOB translate the normalized call received from the search crawler to the specific custom access rights API exposed by the back-end system 112. The access rights returned from the back-end system are then returned to the calling search crawler.
[0028] According to other aspects, the normalized API exposed by the API transformers 11 OA- 11 OB may also be utilized by the query processors 120A- 120B at query time to retrieve the access rights for documents identified in query search results. In this case, the query processors 120A- 120B may call the normalized API exposed by the respective API transformer 11 OA- HOB. In response to such a call, the API transformers 11 OA-11OB translate the normalized call received from the search crawler into a call to the specific custom access rights API exposed by the back-end system 112. The access rights returned from the back-end system 112 are then returned to the calling query processor. Additional details regarding the use and operation of the API transformers 11 OA-11OB are provided below. It should be appreciated that although only two Web server computers 104A-104B, one back-end system 112, and one client computer 102 have been illustrated in FIGURE 1, any number of these computing devices may be present.
[0029] Turning now to FIGURE 2, a software architecture diagram showing aspects of an illustrative software architecture 200 for an enterprise search system that includes an API transformer 110 will be described. In particular, as shown in FIGURE 2, the API transformer 110 exposes a normalized API for retrieving the access rights for a document. The normalized interface presented by the normalized API is a consistent interface that various applications executing within the enterprise search system may utilize to obtain access rights for a document, regardless of the back-end content store on which the document resides. For instance, a search crawler 106 and a query processor 120 may both utilize a method exposed by the normalized API to obtain access rights for documents. As will be described in greater detail herein, the methods exposed by the normalized API receive a parameter identifying the document for which access rights are requested and may, optionally, receive a user identifier for authentication purposes.
[0030] In one implementation, the normalized API exposed by the API transformer 110 includes a CHECKACCESS method by which the access rights to a group of documents may be retrieved for a single user. In one implementation, the CHECKACCSS method takes an array of document identifiers as a parameter and returns a long value that indicates whether the current user has access to each of the referenced documents. The CHECKACCESS method is typically utilized by the query processor 120 to determine if the current user has access rights to view a collection of search results.
[0031] The normalized API exposed by the API transformer 110 may also include a PERMITTEDUSERS method by which the access rights for all users for a collection of documents may be retrieved. This method takes an array of document identifiers as input and returns a string indicting the access rights of all users to each document identified in the array. The PERMITTEDUSERS method is typically utilized by the search crawler 106 to retrieve the access rights for all users to view documents retrieved during crawling. As will be described in greater detail below, the API transformer 110 is operative to dynamically transform calls to the normalized APIs into calls compatible with the custom APIs exposed by the back-end systems 112A-112B. [0032] As mentioned above, the back-end systems 112A-112B may expose custom
APIs for retrieving access rights data for documents stored in the content stores 114A- 114B. For instance, in one implementation, a system that utilizes software from SAP AG may expose a GETDISPLAYABLECUSTOMERS method for retrieving the access rights for a user to one or more customers. This method takes as input an end user identity and a customer number, and returns a Boolean value indicating whether the end user has rights to view the customer. A SAP system may also expose a
GETAUTHOPJZEDUSERSFORCUSTOMER method by which all of the access rights to a particular customer may be retrieved. This method takes as input a customer number and returns a list of strings indicating the access rights to the referenced customer.
[0033] In one implementation, if the API transformer 110 receives a call to the CHECKACCESS method, it dynamically transforms the call into a call compatible with the GETDISPLAYABLECUSTOMERS method. For instance, if the received call is PERMITTEDUSERS(BDC ://HOST/123/456?ID=34) (where the back-end system 112A is identified by the number 123), the API transformer 110 dynamically transforms this call into GETDISPLAY ABLECUSTOMERS(34). The call is then executed at the back-end system 112A. The API transformer 110 will generate multiple calls to the GETDISPLAYABLECUSTOMERS method since this API gets results for a single customer document, whereas the CHECKACCESS method typically requests authorization check in batches. The API transformer 110 will also translate the implicit identity of the end user, contained in the operating system thread, to a string identity value that the back-end system utilizes.
[0034] If the API transformer 110 receives a call to the CHECKACCESS method such as CHECKACCESS(BDC://HOST/333/456?ID=36) (where the back-end system 112B is identified by the number 333), the API transformer 110 dynamically transforms this call into a call in the form of GETAUTHORIZEDUSERSFORCUSTOMER(36) directed to the back-end system 112B. It should be appreciated that these back-end APIs are merely illustrative and that the embodiments presented herein may be utilized with any custom API for retrieving access rights to a document.
[0035] In order to perform this processing, the API transformer 110 utilizes metadata stored in the metadata store 202 to transform a call to the normalized API into a call to the custom API exposed by the back-end systems 112A-112B. The metadata store 202 is utilized to store data that describes the actual APIs exposed by the back-end systems 112A-112B and the type of connections required to communicate with each of the back- end systems 112A-112B. For instance, in one implementation, a user familiar with the back-end system 112A may create a description of the actual APIs exposed by the system and the connection information in an extensible markup language ("XML") file. The XML file is uploaded to the enterprise search system and stored in the metadata store 202. Once the XML file has been uploaded, the connection to the access rights APIs provided by the back-end system 112A are immediately available for use. By allowing a user to declaratively define the interface to retrieve access rights from a back-end system, and processing the metadata in the manner described herein, no coding is required to interface with a new type of back-end content storage system.
[0036] In one implementation, the data stored in the metadata store 202 for each back- end system 112 includes data identifying each of the parameters in the API exposed by the back-end system. For instance, the parameters may be defined through the use of complex types that represent the parameters of a concrete API defined as aggregations of atomic types, such as strings or integers. Collections may be defined as groups of complex types. The data stored in the metadata store 202 may also include data indicating whether each parameter is an input parameter or an output parameter and default values for some or all of the parameters.
[0037] According to implementations, the data stored in the metadata store 202 for each back-end system 112 may also include the definition of each data type provided by the back-end system 112 and which fields uniquely identify an instance of the data type. For instance, data may be stored indicating that the data type is a customer in a SIEBEL back-end system or an order in an SAP system. Linkages, called tags, may also be stored in the metadata store 202 for the primitive types of the custom API and the parameters in the API corresponding to an instance of the data type. For instance, a parameter that is utilized to uniquely identify a document in the API may be tagged as such. When the search crawler 106 or the query processor 120 provides an identifier for the document for which access rights are requested, the API transformer 110 can insert the document identifier in the appropriate location in the call to the API provided by the back-end system 112. Additional details regarding this process are provided below. [0038] According to implementations, the parameters of the back-end API that correspond to system-supplied values may also be tagged as such in the metadata store 202. For instance, according to one implementation, the system- supplied value is a parameter identifying a current user. In this manner, the query processor 120 can provide the identity of the current user to the API transformer 110. The API transformer 110 can then substitute the identity of the current user for the appropriate parameter in the call to the back-end system 112. Additional details regarding this process are provided below.
[0039] According to other aspects, the data stored in the metadata store 202 for each back-end system 112 may also include connection information for a third-party data store system so that a connection may be made to the system for executing the access check. The data may also include the type of protocol necessary to execute the back-end API. For instance, in implementations, a remote procedure call ("RPC") or a Web service may be utilized to execute the call to the back-end API.
[0040] In one implementation, the data stored in the metadata store 202 is organized as a series of data tables. For instance, one table may be utilized to store data identifying the various back-end systems and another table may be utilized to store information identifying the data type stored in each content store. Another table may be utilized to store data identifying the security methods exposed by each content store by data type. For instance, access to sales orders in a back-end system may utilize a different API than for accessing customers. A table may also be utilized to store data identifying each of the parameters of the custom back-end API, and other tables may be utilized to store information defining the atomic data types utilized by each parameter. It should be appreciated that the metadata store 202 may be organized in a variety of other manners.
[0041] As also illustrated in FIGURE 2, the API transformer 110 utilizes one or more shims 204A-204N to perform the protocol-specific calls to the custom APIs exposed by the back-end systems 112 A. For instance, a Web service shim 204 A may be provided for making Web service calls, an RPC shim 204B may be provided for remote procedure calls, and a database shim 204C may be provided for interfacing with a database. Other shims 204N may also be utilized. As discussed briefly above, data defining the particular shim 204A-204N to use for each back-end system 112A or data type may be stored in the metadata store 202. For instance, data may be stored indicating that the Web service shim 204 A should be utilized for certain types of documents stored in the content store 114A of the back-end system 112 A. Data may also be stored in the metadata store 202 indicating that the database shim 204C should be utilized for retrieving access rights for documents stored in the content store 114B of the back-end system 112B.
[0042] Referring now to FIGURE 3, additional details will be provided regarding the embodiments presented herein for integrating enterprise search systems with custom back- end content store access control APIs. In particular, FIGURE 3 is a flow diagram illustrating the operation of an enterprise search system including an API transformer 110 for obtaining access rights to a document at crawl time. It should be appreciated that the logical operations described herein are implemented (1) as a sequence of computer implemented acts or program modules running on a computing system and/or (2) as interconnected machine logic circuits or circuit modules within the computing system. The implementation is a matter of choice dependent on the performance requirements of the computing system. Accordingly, the logical operations described herein are referred to variously as operations, structural devices, acts, or modules. These operations, structural devices, acts and modules may be implemented in software, in firmware, in special purpose digital logic, and any combination.
[0043] The routine 300 begins at operation 302, where the search crawler 106 requests a document from one of the back-end systems 112A-112B. The routine 300 then continues to operation 302, where the search crawler 106 calls the API transformer 110 with the uniform resource ("URL") of the retrieved document. The routine 300 then continues to operation 306, where the API transformer 110 extracts the back-end system reference, the data type of the document, and the document identifier for the document from the received URL. For instance, if the received URL is bdc://hostname/123/456?id=34, the back-end system reference is 123, the data type is 456, and the document identifier is 34. Data in the metadata store 202 may then be referenced to determine that the back-end system is an SAP system, the data type is a customer in SAP, and the document identifier refers to a customer with customer number 34.
[0044] Once the back-end system reference, data type, and document identifier have been extracted, the routine 300 continues to operation 308. At operation 308, the API transformer 110 instantiates a call to the appropriate back-end system method. In one implementation, the call is instantiated using default values for each of the parameters stored in the metadata store 202. The routine 300 then continues to operation 310, where the API transformer 110 substitutes the document identifier received with the call to the normalized API for the appropriate parameter of the instantiated call to the back-end system API. The API transformer 110 utilizes data stored in the metadata store 202 to identify the correct location for the document identifier parameter. In an embodiment, a user identifier received with the call to the normalized API may also be inserted into the appropriate location in the call to the back-end system API.
[0045] Once the call to the custom API provided by the back-end system has been instantiated and all of the parameters have been set, the routine 300 continues to operation 312, where the API transformer 110 executes the call against the appropriate back-end system 112. As described above, the appropriate shim 204A-204N may be utilized to actually perform the remote method call. In response to execution of the method, the back-end system returns the requested access rights at operation 314.
[0046] The API transformer 110 then provides the returned access rights to the search crawler 106 in response to the original call to the normalized API exposed by the API transformer 110. This occurs at operation 316. At operation 318, the search crawler 106 stores the returned access rights in the search index 108, or other appropriate data store. The query processor 120 may utilize this information to trim search results at query time without requiring communication with the back-end system that provided the access rights. From operation 318, the routine 300 continues to operation 320, where it ends.
[0047] Referring now to FIGURE 4, an illustrative routine 400 will be described for obtaining access rights to a document at search time in an enterprise search system that includes an API transformer 110. In particular, the routine 400 begins at operation 402, where the client computer 102 executes a search query at the query processor 120. In response to the execution of the search query, the routine 400 continues from operation 402 to operation 404, where the query processor 120 retrieves the URLs of documents matching the specified search terms from the search index 108. The query processor 120 then calls the normalized API exposed by the API transformer 110 with the identified URLs. This occurs at operation 406. [0048] From operation 406, the routine 400 continues to operation 408, where the API transformer 110 extracts the back-end system reference, the data type of the document, and the document identifier for the document from the received URLs. For instance, if the received URL is bdc://hostname/123/456?id=34, the back-end system reference is 123, the data type is 456, and the document identifier is 34. Data in the metadata store 202 may then be referenced to determine that the back-end system is an SAP system, the data type is a customer in SAP, and the document identifier refers to a customer with customer number 34.
[0049] Once the back-end system reference, data type, and document identifier have been extracted, the routine 400 continues to operation 410. At operation 410, the API transformer 110 instantiates a call to the appropriate back-end system method. In one implementation, the call is instantiated using default values for each of the parameters stored in the metadata store 202. The routine 400 then continues to operation 412, where the API transformer 110 inserts the document identifier and the user identifier received with the call to the normalized API into the appropriate location in the call to the back-end system API.
[0050] Once the call to the custom API provided by the back-end system has been instantiated and all of the parameters have been set, the routine 400 continues to operation 414, where the API transformer 110 executes the call against the appropriate back-end system 112. As described above, the appropriate shim 204A-204N may be utilized to perform the remote method call. In response to execution of the method, the back-end system returns the requested access rights at operation 416. The API transformer 110 then provides the returned access rights to the query processor 120 in response to the original call to the normalized API exposed by the API transformer 110. At operation 418, the query processor 120 trims the search results based on the returned access rights. For instance, results that the current user does not have permission to read will not be displayed while results that the current user does have permission to read will be displayed. From operation 418, the routine 400 continues to operation 420, where it ends.
[0051] Referring now to FIGURE 5, an illustrative computer architecture for a computer 500 utilized in the various embodiments presented herein will be discussed. The computer architecture shown in FIGURE 5 illustrates a conventional desktop, laptop computer, or server computer. The computer architecture shown in FIGURE 5 includes a central processing unit 502 ("CPU"), a system memory 508, including a random access memory 514 ("RAM") and a read-only memory ("ROM") 516, and a system bus 504 that couples the memory to the CPU 502. A basic input/output system containing the basic routines that help to transfer information between elements within the computer 500, such as during startup, is stored in the ROM 516. The computer 500 further includes a mass storage device 510 for storing an operating system 518, application programs, and other program modules, which will be described in greater detail below.
[0052] The mass storage device 510 is connected to the CPU 502 through a mass storage controller (not shown) connected to the bus 504. The mass storage device 510 and its associated computer-readable media provide non- volatile storage for the computer 500. Although the description of computer-readable media contained herein refers to a mass storage device, such as a hard disk or CD-ROM drive, it should be appreciated by those skilled in the art that computer-readable media can be any available media that can be accessed by the computer 500.
[0053] By way of example, and not limitation, computer-readable media may include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. For example, computer-readable media includes, but is not limited to, RAM, ROM, EPROM, EEPROM, flash memory or other solid state memory technology, CD-ROM, digital versatile disks ("DVD"), HD-DVD, BLU-RAY, or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer 500.
[0054] According to various embodiments, the computer 500 may operate in a networked environment using logical connections to remote computers through a network 122, such as the Internet. The computer 500 may connect to the network 122 through a network interface unit 506 connected to the bus 504. It should be appreciated that the network interface unit 506 may also be utilized to connect to other types of networks and remote computer systems. The computer 500 may also include an input/output controller 512 for receiving and processing input from a number of other devices, including a keyboard, mouse, or electronic stylus (not shown in FIGURE 5). Similarly, an input/output controller may provide output to a display screen, a printer, or other type of output device (also not shown in FIGURE 5).
[0055] As mentioned briefly above, a number of program modules and data files may be stored in the mass storage device 510 and RAM 514 of the computer 500, including an operating system 518 suitable for controlling the operation of a networked desktop or server computer, such as the WINDOWS XP or WINDOWS VISTA operating systems from MICROSOFT CORPORATION of Redmond, Washington. Other operating systems, such as the LINUX operating system or the OSX operating system from APPLE COMPUTER, INC. may be utilized. It should be appreciated that although the embodiments presented herein are described in the context of a desktop or laptop client computer 102 and a remote server computer 104, many other types of computing devices and systems may be utilized to embody the various aspects presented herein.
[0056] The mass storage device 510 and RAM 514 may also store one or more program modules. In particular, the mass storage device 510 and the RAM 514 may store a Web browser 116, a Web server application 118, and the other program modules described above with respect to FIGURES 1 and 2. Other program modules may also be stored in the mass storage device 510 and utilized by the computer 500.
[0057] Based on the foregoing, it should be appreciated that systems, methods, and computer-readable media for integrating enterprise search systems with custom back-end content store access control APIs are provided herein. Although the subject matter presented herein has been described in language specific to computer structural features, methodological acts, and computer readable media, it is to be understood that the invention defined in the appended claims is not necessarily limited to the specific features, acts, or media described herein. Rather, the specific features, acts and mediums are disclosed as example forms of implementing the claims.
[0058] The subject matter described above is provided by way of illustration only and should not be construed as limiting. Various modifications and changes may be made to the subject matter described herein without following the example embodiments and applications illustrated and described, and without departing from the true spirit and scope of the present invention, which is set forth in the following claims.

Claims

What is claimed is:
1. A method for integrating enterprise search with a custom document access control application programming interface (API), the method comprising: storing data (202) defining a custom API for obtaining one or more access rights for a document; exposing a normalized API for obtaining access rights for a document; receiving (304) a call to a method exposed by the normalized API requesting access rights for a specified document; in response to receiving the call to the method exposed by the normalized API, transforming (310) the call to the method exposed by the normalized API into a call to a method exposed by the custom API for obtaining the access rights for the specified document; receiving (314) the access rights in response to the call to the method exposed by the custom API; and returning (316) the requested access rights in response to the call to the method exposed by the normalized API.
2. The method of claim 1, wherein the data defining the custom API comprises data identifying one or more parameters of the method exposed by the custom API and data indicating whether each of the parameters is an input parameter or an output parameter.
3. The method of claim 2, wherein the data defining the custom API further comprises default values for the parameters.
4. The method of claim 3, wherein the data defining the custom API further comprises data identifying one of the parameters as corresponding to an identifier for a document for which access rights are requested, and wherein the method exposed by the normalized API receives a parameter identifying the document for which access rights are requested.
5. The method of claim 4, wherein transforming the call to the method exposed by the normalized API into a call to the method exposed by the custom API for the requested access rights for the specified document comprises: instantiating the call to the method exposed by the custom API using the default values for the parameters; substituting the parameter identifying the document for which access rights are requested received with the call to the normalized API for the default value of the parameter corresponding to an identifier for a document for which access rights are requested; and executing the call to the method exposed by the custom API.
6. The method of claim 5, wherein the data defining the custom API further comprises data identifying one of the parameters as corresponding to a system supplied value, and wherein the method exposed by the normalized API receives a parameter identifying a current user.
7. The method of claim 6, wherein transforming the call to the method exposed by the normalized API into a call to the method exposed by the custom API for the access rights for the specified document further comprises: substituting the parameter identifying a current user for the default value of the parameter corresponding to a system supplied value.
8. The method of claim 3, wherein the call to the method exposed by the normalized API is generated by a search crawler program.
9. The method of claim 3, wherein the call to the method exposed by the normalized API is generated by a search query processor.
10. A computer-readable medium having computer-executable instructions stored thereon which, when executed by a computer, cause the computer to: expose a normalized application programming interface (API) for obtaining one or more access rights for a document; receive (302) a call to a method exposed by the normalized API for retrieving access rights for a document, the call including a document identifier for a document and a user identifier; construct (310) a call to a method exposed by a custom API for obtaining access rights for a document in response to the call to the method exposed by the normalized API, the call constructed using stored data defining one or more parameters of the method exposed by the custom API, the document identifier, and the user identifier; execute (312) the call to the method exposed by the custom API; receive (316) the access rights for the document in response to the call to the method exposed by the custom API; and to return (318) the access rights for the document in response to the call to the method exposed by the normalized API.
11. The computer-readable medium of claim 10, wherein the data defining the one or more parameters of the method exposed by the custom API further comprises default values for the one or more parameters.
12. The computer-readable medium of claim 11, wherein the data defining the one or more parameters of the method exposed by the custom API further comprises data identifying one of the parameters as corresponding to the document identifier and one of the parameters as corresponding to the user identifier.
13. The computer-readable medium of claim 12, wherein the method exposed by the normalized API comprises a method for retrieving access rights for a plurality of documents, wherein the method exposed by the custom API comprises a method for retrieving access rights for a single document, and wherein the computer-readable medium has further computer-executable instructions stored thereon for constructing a separate call to the method exposed by the custom API for each of the plurality of documents identified in a call to the method exposed by the normalized API.
14. The computer-readable medium of claim 12, wherein the call to the method exposed by the normalized API is received from a search crawler program.
15. The computer-readable medium of claim 12, wherein the call to the method exposed by the normalized API is received from a search query processor.
16. A method for integrating enterprise search with a custom document access control application programming interface (API), the method comprising: storing data (202) that defines one or more methods exposed by a custom document access control API, the data comprising default values for one or more parameters used by the methods, data identifying the parameters that correspond to a document identifier, and data identifying the parameters that correspond to a user identifier; exposing a normalized API for obtaining one or more access rights for a document, the access rights being stored in a back-end computing system (112) and accessed using one of the methods exposed by the custom document access control API; receiving (302) a call to a method exposed by the normalized API, the call including a document identifier corresponding to a document for which access rights should be obtained and a user identifier for a current user; in response to the call to the method exposed by the normalized API, translating (310) the call to the method exposed by the normalized API into a call to a method exposed by the custom document access control API using the default values, the document identifier, and the user identifier; in response to the call to the method exposed by the custom document access control API, receiving (316) one or more access rights for the document; and returning (318) the access rights for the document in response to the call to the method exposed by the normalized API.
17. The method of claim 16, wherein the call to the method exposed by the normalized API is generated by a search crawler program.
18. The method of claim 17, wherein the method exposed by the normalized API is operative to retrieve the access rights for one or more users to a single document.
19. The method of claim 16, wherein the call to the method exposed by the normalized API is generated by a search query processor.
20. The method of claim 18, wherein the method exposed by the normalized API is operative to retrieve the access rights to one or more documents for a current user of the search query processor.
PCT/US2008/050552 2007-01-10 2008-01-09 Integrating enterprise search systems with custom access control application programming interfaces WO2008086380A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
CN2008800019388A CN101583952B (en) 2007-01-10 2008-01-09 Integrating enterprise search systems with custom access control application programming interfaces
KR1020097014290A KR101458234B1 (en) 2007-01-10 2008-01-09 Integrating enterprise search systems with custom access control application programming interfaces
JP2009545650A JP2010518467A (en) 2007-01-10 2008-01-09 How to integrate an enterprise search system with a custom access control application programming interface
EP08705786.5A EP2118786B1 (en) 2007-01-10 2008-01-09 Integrating enterprise search systems with custom access control application programming interfaces

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/651,657 US8341651B2 (en) 2007-01-10 2007-01-10 Integrating enterprise search systems with custom access control application programming interfaces
US11/651,657 2007-01-10

Publications (1)

Publication Number Publication Date
WO2008086380A1 true WO2008086380A1 (en) 2008-07-17

Family

ID=39595143

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2008/050552 WO2008086380A1 (en) 2007-01-10 2008-01-09 Integrating enterprise search systems with custom access control application programming interfaces

Country Status (7)

Country Link
US (1) US8341651B2 (en)
EP (1) EP2118786B1 (en)
JP (1) JP2010518467A (en)
KR (1) KR101458234B1 (en)
CN (1) CN101583952B (en)
RU (1) RU2446456C2 (en)
WO (1) WO2008086380A1 (en)

Families Citing this family (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9177124B2 (en) * 2006-03-01 2015-11-03 Oracle International Corporation Flexible authentication framework
US8433712B2 (en) * 2006-03-01 2013-04-30 Oracle International Corporation Link analysis for enterprise environment
US8027982B2 (en) * 2006-03-01 2011-09-27 Oracle International Corporation Self-service sources for secure search
US8005816B2 (en) * 2006-03-01 2011-08-23 Oracle International Corporation Auto generation of suggested links in a search system
US8868540B2 (en) 2006-03-01 2014-10-21 Oracle International Corporation Method for suggesting web links and alternate terms for matching search queries
US8214394B2 (en) 2006-03-01 2012-07-03 Oracle International Corporation Propagating user identities in a secure federated search system
US8875249B2 (en) 2006-03-01 2014-10-28 Oracle International Corporation Minimum lifespan credentials for crawling data repositories
US8332430B2 (en) 2006-03-01 2012-12-11 Oracle International Corporation Secure search performance improvement
US7941419B2 (en) 2006-03-01 2011-05-10 Oracle International Corporation Suggested content with attribute parameterization
US8707451B2 (en) 2006-03-01 2014-04-22 Oracle International Corporation Search hit URL modification for secure application integration
US7996392B2 (en) * 2007-06-27 2011-08-09 Oracle International Corporation Changing ranking algorithms based on customer settings
US8316007B2 (en) * 2007-06-28 2012-11-20 Oracle International Corporation Automatically finding acronyms and synonyms in a corpus
US9489177B2 (en) * 2008-02-25 2016-11-08 Adventive, Inc. Methods for integrating and managing one or more features in an application and systems thereof
US20100005085A1 (en) * 2008-07-03 2010-01-07 Oracle International Corporation Creating relationship maps from enterprise application system data
US9639609B2 (en) 2009-02-24 2017-05-02 Microsoft Technology Licensing, Llc Enterprise search method and system
US20110106853A1 (en) * 2009-10-30 2011-05-05 Microsoft Corporation Declarative model security pattern
US20110137884A1 (en) * 2009-12-09 2011-06-09 Anantharajan Sathyakhala Techniques for automatically integrating search features within an application
US8527556B2 (en) * 2010-09-27 2013-09-03 Business Objects Software Limited Systems and methods to update a content store associated with a search index
CN102075560A (en) * 2010-11-19 2011-05-25 福建富士通信息软件有限公司 Fukutomi enterprise search engine technology based on system coupling
US9043358B2 (en) 2011-03-09 2015-05-26 Microsoft Technology Licensing, Llc Enterprise search over private and public data
US9244984B2 (en) 2011-03-31 2016-01-26 Microsoft Technology Licensing, Llc Location based conversational understanding
US10642934B2 (en) * 2011-03-31 2020-05-05 Microsoft Technology Licensing, Llc Augmented conversational understanding architecture
US9760566B2 (en) 2011-03-31 2017-09-12 Microsoft Technology Licensing, Llc Augmented conversational understanding agent to identify conversation context between two humans and taking an agent action thereof
US9842168B2 (en) 2011-03-31 2017-12-12 Microsoft Technology Licensing, Llc Task driven user intents
US9298287B2 (en) 2011-03-31 2016-03-29 Microsoft Technology Licensing, Llc Combined activation for natural user interface systems
US9858343B2 (en) 2011-03-31 2018-01-02 Microsoft Technology Licensing Llc Personalization of queries, conversations, and searches
US11841912B2 (en) 2011-05-01 2023-12-12 Twittle Search Limited Liability Company System for applying natural language processing and inputs of a group of users to infer commonly desired search results
US8326862B2 (en) 2011-05-01 2012-12-04 Alan Mark Reznik Systems and methods for facilitating enhancements to search engine results
US9064006B2 (en) 2012-08-23 2015-06-23 Microsoft Technology Licensing, Llc Translating natural language utterances to keyword search queries
US9454962B2 (en) 2011-05-12 2016-09-27 Microsoft Technology Licensing, Llc Sentence simplification for spoken language understanding
EP2831766B1 (en) * 2012-03-27 2019-01-23 Varonis Systems, Ltd. A method and apparatus for enterprise-level filtered search
US9542473B2 (en) * 2013-04-30 2017-01-10 Microsoft Technology Licensing, Llc Tagged search result maintainance
RU2602972C2 (en) * 2015-03-12 2016-11-20 Публичное акционерное общество "Татнефть" им. В.Д. Шашина(ПАО "Татнефть" им. В.Д. Шашина) System for managing enterprise intellectual resources
CN106611118B (en) * 2015-10-27 2020-05-12 北京国双科技有限公司 Method and device for applying login credentials
CN105653363B (en) * 2015-12-28 2018-10-26 北京致远互联软件股份有限公司 A kind of interface function implementation method and device
US10176232B2 (en) 2016-03-01 2019-01-08 Microsoft Technology Licensing, Llc Blending enterprise content and web results
US10397189B1 (en) * 2016-09-27 2019-08-27 Amazon Technologies, Inc. Peered virtual private network endpoint nodes
EP3388954A1 (en) * 2017-04-12 2018-10-17 Siemens Aktiengesellschaft Method of operating a data storage system, computer program for implementing the method and data storage system operating according to the method
KR102258241B1 (en) * 2019-11-18 2021-06-01 주식회사 오픈드래프트 Server side data component for support of development and management and method for perform the data component
KR102549006B1 (en) * 2020-12-11 2023-06-27 주식회사 포인트테크놀러지스 System for company search using automatic correction of query vectors based on user behavior and method of the same
US11790104B2 (en) 2021-02-18 2023-10-17 Glean Technologies, Inc. Permissions-aware search with document verification
US11995135B2 (en) 2021-02-18 2024-05-28 Glean Technologies, Inc. Permissions-aware search with user suggested results
US11593409B2 (en) 2021-02-19 2023-02-28 Glean Technologies, Inc. Permissions-aware search with intelligent activity tracking and scoring across group hierarchies
CA3223309A1 (en) * 2021-06-18 2022-12-22 James Douglas Beecham Security driver external functions
US11797612B2 (en) 2021-09-29 2023-10-24 Glean Technologies, Inc. Identification of permissions-aware enterprise-specific term substitutions
US12050712B2 (en) 2021-09-30 2024-07-30 Glean Technologies, Inc. Enterprise knowledge assistant with permissions-aware automated responses

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6182142B1 (en) * 1998-07-10 2001-01-30 Encommerce, Inc. Distributed access management of information resources
US20030014656A1 (en) 2001-06-29 2003-01-16 International Business Machines Corporation User registry adapter framework
US20050262190A1 (en) * 2003-08-27 2005-11-24 Ascential Software Corporation Client side interface for real time data integration jobs
US20050262189A1 (en) * 2003-08-27 2005-11-24 Ascential Software Corporation Server-side application programming interface for a real time data integration service

Family Cites Families (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5761669A (en) 1995-06-06 1998-06-02 Microsoft Corporation Controlling access to objects on multiple operating systems
US5675782A (en) * 1995-06-06 1997-10-07 Microsoft Corporation Controlling access to objects on multiple operating systems
US5903720A (en) 1996-12-13 1999-05-11 Novell, Inc. Object system capable of using different object authorization systems
US7031954B1 (en) 1997-09-10 2006-04-18 Google, Inc. Document retrieval system with access control
EP0944257A1 (en) 1998-03-06 1999-09-22 CANAL+ Société Anonyme Multimedia terminal adapted for multiple users
EP0989743A1 (en) 1998-09-25 2000-03-29 CANAL+ Société Anonyme Application data table for a multiservice digital transmission system
US6928469B1 (en) 1998-12-29 2005-08-09 Citrix Systems, Inc. Apparatus and method for determining a program neighborhood for a client node in a client-server network using markup language techniques
US6643690B2 (en) 1998-12-29 2003-11-04 Citrix Systems, Inc. Apparatus and method for determining a program neighborhood for a client node in a client-server network
US6381602B1 (en) 1999-01-26 2002-04-30 Microsoft Corporation Enforcing access control on resources at a location other than the source location
RU2237275C2 (en) 1999-02-18 2004-09-27 Ситрикс Системз, Инк. Server and method (variants) for determining software surroundings of client node in a network having client/server architecture
US6934859B2 (en) 2000-06-09 2005-08-23 Northrop Grumman Corporation Authenticated search engines
US7426730B2 (en) * 2001-04-19 2008-09-16 Wre-Hol Llc Method and system for generalized and adaptive transaction processing between uniform information services and applications
EP1399846B1 (en) 2001-06-26 2013-02-13 Sealedmedia Limited Search engine and digital rights management
US20030135582A1 (en) 2001-12-21 2003-07-17 Docomo Communications Laboratories Usa, Inc. Context aware search service
US6944613B2 (en) 2002-12-13 2005-09-13 Sciquest, Inc. Method and system for creating a database and searching the database for allowing multiple customized views
US20050060286A1 (en) 2003-09-15 2005-03-17 Microsoft Corporation Free text search within a relational database
US7716324B2 (en) * 2004-05-12 2010-05-11 Baytsp.Com, Inc. Identification and tracking of digital content distributors on wide area networks
US20060036748A1 (en) 2004-07-28 2006-02-16 Nusbaum Edward S Apparatus and method for computerized information management
US20060080316A1 (en) 2004-10-08 2006-04-13 Meridio Ltd Multiple indexing of an electronic document to selectively permit access to the content and metadata thereof
US20060155581A1 (en) 2005-01-10 2006-07-13 George Eisenberger Systems with user selectable data attributes for automated electronic search, identification and publication of relevant data from electronic data records at multiple data sources
US7549144B2 (en) * 2005-02-22 2009-06-16 Microsoft Corporation Custom API modeling for source code static analysis simulator
CN100336339C (en) * 2005-09-02 2007-09-05 清华大学 Method for model postil and operation transmission in universal type synergic communion system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6182142B1 (en) * 1998-07-10 2001-01-30 Encommerce, Inc. Distributed access management of information resources
US20030014656A1 (en) 2001-06-29 2003-01-16 International Business Machines Corporation User registry adapter framework
US20050262190A1 (en) * 2003-08-27 2005-11-24 Ascential Software Corporation Client side interface for real time data integration jobs
US20050262189A1 (en) * 2003-08-27 2005-11-24 Ascential Software Corporation Server-side application programming interface for a real time data integration service

Also Published As

Publication number Publication date
RU2446456C2 (en) 2012-03-27
JP2010518467A (en) 2010-05-27
US8341651B2 (en) 2012-12-25
EP2118786A1 (en) 2009-11-18
CN101583952A (en) 2009-11-18
RU2009126367A (en) 2011-01-20
KR20100014305A (en) 2010-02-10
KR101458234B1 (en) 2014-11-04
EP2118786B1 (en) 2017-12-27
EP2118786A4 (en) 2011-06-22
US20080168037A1 (en) 2008-07-10
CN101583952B (en) 2011-10-05

Similar Documents

Publication Publication Date Title
EP2118786B1 (en) Integrating enterprise search systems with custom access control application programming interfaces
JP4726545B2 (en) Method, system and apparatus for discovering and connecting data sources
US8903853B2 (en) Federated search
US8429740B2 (en) Search result presentation
US9098558B2 (en) Enhanced flexibility for users to transform XML data to a desired format
US7979458B2 (en) Associating security trimmers with documents in an enterprise search system
US20140337287A1 (en) Virtual repository management
US7831552B2 (en) System and method for querying file system content
US20060004759A1 (en) System and method for file system content processing
US20080201330A1 (en) Software repositories
EP2041672A1 (en) Methods and apparatus for reusing data access and presentation elements
US7792857B1 (en) Migration of content when accessed using federated search
US7562286B2 (en) Apparatus, system, method and computer program product for document management
US6735598B1 (en) Method and apparatus for integrating data from external sources into a database system
US8903846B2 (en) Method and apparatus for integrating data from external sources into a database system
Chiu et al. Enabling ad hoc queries over low-level scientific data sets
CN113806366B (en) Atlas-based method for realizing multidimensional metadata joint query
Tao An XML deployment and search framework

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200880001938.8

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08705786

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 3693/CHENP/2009

Country of ref document: IN

WWE Wipo information: entry into national phase

Ref document number: 1020097014290

Country of ref document: KR

ENP Entry into the national phase

Ref document number: 2009126367

Country of ref document: RU

Kind code of ref document: A

ENP Entry into the national phase

Ref document number: 2009545650

Country of ref document: JP

Kind code of ref document: A

WWE Wipo information: entry into national phase

Ref document number: 2008705786

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: DE