Document Level Security and Indexing
The document level security (document permissions with read capability) interacts with the element level security and affects
The indexing of protected elements and whether index keys are combined with query rolesets.
Whether protected embedded triples are indexed.
During indexing, the element level security of every node in the document is compared to the document’s protection. For a given node in the document, the permissions on every matching protected path are compared to the document’s permissions. When all matching protected paths are determined to be weaker than the document’s protection, the element’s protection is considered to be weaker. In this case, the query rolesets for the matching protected paths are not used when indexing the current node. An embedded triple with weaker protection on all of its nodes (subject, predicate and object), is extracted.
How is the element level protection determined to be weaker? In the absence of compartment security, a higher number of roles implies weaker permission because it means more accessibility. More roles in this case doesn’t mean the total number of roles. It means that one set of roles is a superset of the other. The smaller set (the subset) is considered stronger because it is more restrictive. Roles are ORed by default. If the document is permitted to be accessed by more roles than the element (the element is more restrictive because there are more limitations on access), then the element security is considered to be stronger than the document security. In such a case, the element security is given higher precedence, and the element is protected (that is, the element is more restrictive). The fewer the number of contained or embedded roles, the more restrictive the permissions.
In situations where neither is stronger or it is unclear whether the document security or element security is stronger, the element level is always considered stronger. Only “Read” capability is checked when comparing the document’s permissions to the element’s permissions.
Note that there is no “flattening” of roles (inheritance of permissions) with element level security. Using the helper functions described in APIs for Element Level Security can facilitate both discovering existing query rolesets and applying them as part of ingestion.