[Sigia-l] Designing a site with restricted content

Christine Connors Christine_Connors at raytheon.com
Thu Apr 7 12:50:44 EDT 2005


[Re-posted because of formatting problems.  Dick Hill]

Andy et al - 

We use Verity for our intranet search and have implemented a security model
like that you have alluded to. It has worked very well for us. We have done
extensive usability testing and independently came to the determination that
the DOD model detailed by Denise is what works best for our users. In the
defense/military realm an object's metadata (abstract, citation) can be
unclassified while the full object is classified. It gets very complicated,
so we authenticate at the object level, using the capabilities of our
various content and document management systems. 

If searching from our classic intranet, the user is prompted to authenticate
after submitting the query, but before being given the results list. All
documents the user is not cleared for are removed. Yes, this does increase
the time to results, but it's still a sub-second response. To mitigate this,
users are encouraged to move to our new portal-based environment (change
management is a separate topic!). As they have to authenticate to log on to
portal, and then remain authenticated, the credentials are passed
automatically between submitting the query and receiving the results. We
also use several different collections (indexes). This allows us to have the
default search only return unclassified information and authentication is
never an issue. Users are only asked to authenticate if they select "All"
collections or a collection with secured content. 

It's not rocket science (trust me, I work with those guys!) but it is very
detailed work that relies heavily on the object owners and our Security
organizations. 

Christine 


> Another part of restricting the content to consider is search. You want to
> be sure you've configured your search engine (assuming Intranet or corporate
> search) to only display results that the user has the correct security
> access. Some search engines are good at this and some aren't. If I remember
> correctly Verity was developed for use by the CIA (correct me if I'm wrong
> here) and includes the ability to screen out results by access level.
> 
> Andy 

-AND- 

> [...] They are able to display metadata to let people within the department
> know what exists, but to hold the content secure. The intent is that if you
> have a need to see content, you can request access. However, if you don't have
> any idea what exists, you can never make a request. And, therefore you may
> miss content you need. Role based login is implemented at the content object
> level rather than the website level. [...]
> 
> Denise

Christine JM Connors 
Metadata Architect 
Raytheon Company 
Enterprise IT 
Christine_Connors at raytheon.com 
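
An added illustration of the result trimming described in this message, combining the default unclassified collection, the authentication prompt for secured collections, and object-level checks on metadata versus full content. It is not part of the original post and is not Raytheon's or Verity's code; the level names, collection names, sample documents, the `search` function and the `can_open` flag are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):              # assumed ordering, for illustration
    UNCLASSIFIED = 0
    SECRET = 1

@dataclass(frozen=True)
class Doc:
    doc_id: str
    collection: str
    metadata_level: Level          # abstract / citation
    content_level: Level           # the full object
    abstract: str

# Constructed sample index; collection names are hypothetical.
INDEX = [
    Doc("d1", "general", Level.UNCLASSIFIED, Level.UNCLASSIFIED, "Radar lab visitor guide"),
    Doc("d2", "programs", Level.UNCLASSIFIED, Level.SECRET, "Radar test report, citation only"),
    Doc("d3", "programs", Level.SECRET, Level.SECRET, "Radar waveform parameters"),
]
DEFAULT_COLLECTIONS = frozenset({"general"})    # unclassified only
SECURED_COLLECTIONS = frozenset({"programs"})

def search(term, collections=DEFAULT_COLLECTIONS, clearance=None):
    """Return trimmed hits; clearance=None means the user has not authenticated."""
    collections = frozenset(collections)
    if collections & SECURED_COLLECTIONS and clearance is None:
        # Prompt after the query is submitted, before any result is listed.
        raise PermissionError("authentication required for secured collections")
    level = Level.UNCLASSIFIED if clearance is None else clearance
    hits = []
    for doc in INDEX:
        if doc.collection not in collections:
            continue
        if term.lower() not in doc.abstract.lower():
            continue
        if doc.metadata_level > level:
            continue               # not cleared for the metadata: removed entirely
        hits.append({
            "id": doc.doc_id,
            "abstract": doc.abstract,
            # Assumption: visible metadata with locked content stays listed
            # so the user can request access to the object.
            "can_open": doc.content_level <= level,
        })
    return hits
```

The check runs per object even inside the default collection, so a misfiled document is still trimmed for an unauthenticated user.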



