Enterprise search access permission management – Quis custodiet ipsos custodes?

In any organisation there are multiple invisible silos. These silos are based on access permissions, and they are invisible because the user has no means of knowing that they are not seeing the entire enterprise-wide corpus of information. Enterprise search applications need to ensure that these access permissions can be managed. There are three approaches to achieving this. In early (static) binding a user is only able to search the index for content they have permission to see. This is also referred to as index-time binding. The alternative is to enable the user to search through all content and then match the results against the user’s permissions before they are displayed, which is also known as late, dynamic or query-side binding. The third approach is a hybrid of these two models. There are strengths and weaknesses to all three models but that can wait for another blog post. However, it is worth highlighting that the latency that comes with late binding can both be frustrating and indicate to the user that they are subject to access permissions!
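The three binding models described above, sketched as an added Python example (not code from the original post or from any search product). The corpus, group names and ACL values are constructed, and the hybrid shown, an indexed-ACL pre-filter followed by a live re-check, is one assumed reading of the hybrid model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Doc:
    doc_id: str
    text: str
    indexed_acl: frozenset  # groups copied into the index at crawl time

# Constructed sample index; ACLs are as they were at the last crawl.
INDEX = [
    Doc("d1", "quarterly sales forecast", frozenset({"sales", "finance"})),
    Doc("d2", "merger forecast confidential", frozenset({"board"})),
    Doc("d3", "sales onboarding guide", frozenset({"all-staff"})),
    Doc("d4", "sales forecast export controlled", frozenset({"sales"})),
]

# Constructed live ACLs in the source system: d4 was restricted after the crawl.
LIVE_ACL = {
    "d1": {"sales", "finance"},
    "d2": {"board"},
    "d3": {"all-staff"},
    "d4": {"export-cleared"},
}

def matches(query, doc):
    return all(term in doc.text.split() for term in query.split())

def early_binding(query, groups):
    """Index-time binding: trim on ACLs stored in the index, no live lookup."""
    return [d.doc_id for d in INDEX if matches(query, d) and d.indexed_acl & groups]

def late_binding(query, groups):
    """Query-side binding: match the whole index, then check every hit live."""
    hits = [d.doc_id for d in INDEX if matches(query, d)]
    visible = [i for i in hits if LIVE_ACL[i] & groups]
    return visible, len(hits)  # second value: live permission checks made

def hybrid(query, groups):
    """Assumed hybrid: indexed-ACL pre-filter, live re-check of the survivors."""
    candidates = early_binding(query, groups)
    visible = [i for i in candidates if LIVE_ACL[i] & groups]
    return visible, len(candidates)

if __name__ == "__main__":
    user = {"sales", "all-staff"}
    print("early :", early_binding("forecast", user))  # stale ACL still shows d4
    print("late  :", late_binding("forecast", user))
    print("hybrid:", hybrid("forecast", user))
```

Late binding makes one live permission check per matching document, which is where the latency mentioned above comes from. Early binding makes none, but it keeps returning d4 on the strength of a stale indexed ACL until the next crawl.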

A recent post on TechRadar.com quoted Microsoft:

“With information barriers in Microsoft 365, organizations can restrict communication and collaboration among specific groups of users for both business and security purposes. Microsoft Teams, SharePoint Online and OneDrive for Business all support information barriers and if your subscription includes them, a compliance administrator can define policies that allow or prevent communications between groups of users.”

It is one thing to define access policies and quite another to implement them in a way that is constructive (maintaining security), transparent (who makes the decision on who can see what) and fair (avoiding any potential discrimination based on a poor personal relationship or any number of other factors). Security has to address important compliance requirements, including export control on information (Imperial College London as an example) and the transmission of personal information under GDPR to countries without equivalent legislation. Often these compliance requirements are managed within a Protective Marking scheme, for example the scheme set out by the UK Government.

The Big Question can be summed up in Latin as ‘Quis custodiet ipsos custodes?’ Who will guard the guards themselves? In the majority of my enterprise search projects I have found that no-one is certain about who makes the decisions about access permission and on what basis. The danger is that an access restriction has been put in place that is inappropriate and the user then makes a business-critical decision without vital information and puts the business (and potentially their career) at risk. It can be quite entertaining to ask a client to run a query for [Confidential] and see what content is presented.

An important decision in managing access permissions is the extent to which the search team is able to track queries against content that has access restrictions. Almost certainly this information will be of significant business value (or there would be no point in restricting access!), and ensuring that it is readily accessible to queries that might require it ought to be a priority requirement for the search team. The protocol they need to adopt when an employee complains about poor search quality, and the root cause is that the employee does not have the applicable access permission, has to be drafted and applied with considerable care.

The issues raised in this post are just a sample of the access management issues that search teams, compliance managers, risk managers and the corporate legal team need to consider in considerable detail and ensure that the procedures are documented and communicated appropriately. It is a topic that is covered in my one-day on-site enterprise search management training course.

Martin White