
Enterprise Search Permission Management

v20260423
glean-enterprise-rbac
This skill sets up role-based access control (RBAC) for Glean enterprise search. It establishes a security framework by mapping permissions from the source systems (such as AD/Okta) onto the unified search index. It covers role management, API-driven document access checks, and complete audit logging, so that the deployment meets compliance requirements such as GDPR and SOC 2.
437 downloads

Glean Enterprise RBAC

Overview

Glean's enterprise search aggregates content from dozens of connectors (Google Drive, Confluence, Slack, Salesforce). RBAC ensures users only see documents they are already authorized to access in the source system. Permissions flow from source systems through connector-level ACLs into Glean's unified index, so the index is only as correct as the ACL mapping each connector performs. Misconfigured permissions mean search results (titles and snippets included) leak sensitive data across teams; a document whose ACL the connector failed to map must be treated as unreadable, never as public. SOC 2 and GDPR compliance require document-level access control and full audit trails of who searched for and viewed what.

Role Hierarchy

| Role            | Permissions                                                   | Scope                   |
|-----------------|---------------------------------------------------------------|-------------------------|
| Super Admin     | Create API tokens, manage all connectors, configure SSO       | Organization-wide       |
| Admin           | Add/edit datasources, manage user groups, view analytics      | Assigned datasources    |
| Content Manager | Set document permissions, manage allowedGroups per datasource | Own datasources         |
| User            | Search and view permitted documents                           | Documents matching ACLs |
| Viewer          | Search only, no document previews or snippets                 | Restricted document set |

Permission Check

// Assumed to be loaded from the environment: the Glean API base URL and a
// datasource-scoped token (never an organization-wide one, see the checklist below).
const GLEAN_API = process.env.GLEAN_API ?? '';
const GLEAN_API_TOKEN = process.env.GLEAN_API_TOKEN ?? '';

async function checkDocumentAccess(userId: string, documentId: string): Promise<boolean> {
  const response = await fetch(`${GLEAN_API}/permissions/check`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${GLEAN_API_TOKEN}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ userId, documentId }),
  });
  // Fail closed: a non-2xx response (expired token, wrong scope, outage) denies access
  // rather than letting a parse error or an unexpected payload grant it.
  if (!response.ok) return false;
  const result = (await response.json()) as { hasAccess?: boolean };
  return result.hasAccess === true;
}
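The remote check above answers one question per document, but the decision it encodes is a local one: does the caller's IdP group membership intersect the document's connector-emitted ACL? The following block is an added example, not Glean's code or the page's own, that shows that evaluation over a constructed result set, including the two points the overview insists on: a document without an ACL is unreadable (fail closed), and the Viewer role gets titles without snippets. The `IndexedDocument` and `SearchPrincipal` shapes, group names and sample documents are assumptions for illustration.

```typescript
// Added example (not Glean's code). Local visibility decision from IdP groups
// and connector-level ACLs; all shapes and names below are assumptions.

type Role = 'super_admin' | 'admin' | 'content_manager' | 'user' | 'viewer';

interface IndexedDocument {
  id: string;
  datasource: string;
  title: string;
  snippet: string;
  // ACL as emitted by the connector. A document with no ACL at all is
  // treated as unreadable (fail closed), never as public.
  acl?: { allowedGroups: string[]; allowedUsers?: string[] };
}

interface SearchPrincipal {
  email: string;
  role: Role;
  // Groups synced from the IdP (AD/Okta); compared case-insensitively below.
  groups: string[];
}

interface VisibleResult { id: string; datasource: string; title: string; snippet: string | null }

// May this principal read this document? Admin roles manage connectors but
// are not exempt from document ACLs in this model.
function canRead(p: SearchPrincipal, doc: IndexedDocument): boolean {
  if (!doc.acl) return false;                         // missing ACL: fail closed
  const { allowedGroups, allowedUsers = [] } = doc.acl;
  const email = p.email.toLowerCase();
  if (allowedUsers.some(u => u.toLowerCase() === email)) return true;
  const mine = new Set(p.groups.map(g => g.toLowerCase()));
  return allowedGroups.some(g => mine.has(g.toLowerCase()));
}

// Filter a candidate result set down to what this principal may see.
// Viewers get titles only (no snippets), matching the role table above.
function filterResults(p: SearchPrincipal, docs: IndexedDocument[]): VisibleResult[] {
  return docs.filter(d => canRead(p, d)).map(d => ({
    id: d.id,
    datasource: d.datasource,
    title: d.title,
    snippet: p.role === 'viewer' ? null : d.snippet,
  }));
}

// Constructed sample index (not real data).
const sampleDocs: IndexedDocument[] = [
  { id: 'doc-1', datasource: 'confluence', title: 'Eng runbook', snippet: 'restart the worker',
    acl: { allowedGroups: ['eng-all'] } },
  { id: 'doc-2', datasource: 'gdrive', title: 'Comp bands', snippet: 'L5 band is',
    acl: { allowedGroups: ['hr-comp'], allowedUsers: ['cfo@example.com'] } },
  // Connector emitted no ACL for this record: nobody may read it until it does.
  { id: 'doc-3', datasource: 'salesforce', title: 'Q3 pipeline', snippet: 'ACME renewal' },
];

// Constructed principals (not real users).
const engineer: SearchPrincipal = { email: 'dev@example.com', role: 'user', groups: ['eng-all', 'eng-platform'] };
const contractor: SearchPrincipal = { email: 'temp@example.com', role: 'viewer', groups: ['ENG-ALL'] };
const cfo: SearchPrincipal = { email: 'cfo@example.com', role: 'user', groups: ['exec'] };

console.log(JSON.stringify(filterResults(engineer, sampleDocs)));
console.log(JSON.stringify(filterResults(contractor, sampleDocs)));
console.log(JSON.stringify(filterResults(cfo, sampleDocs)));
```

The engineer sees doc-1 with its snippet, the contractor (Viewer) sees doc-1 with the snippet stripped, and the CFO sees doc-2 through the explicit user grant only. doc-3 is invisible to everyone because the connector never emitted an ACL for it; that is the behaviour the "user sees documents from wrong team" row in Error Handling is meant to prevent.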

Role Assignment

async function assignDatasourceRole(email: string, datasource: string, role: 'admin' | 'viewer'): Promise<void> {
  // The role maps onto a per-datasource group (e.g. "confluence-viewers"), so access
  // stays scoped to that datasource rather than the whole organization.
  const response = await fetch(`${GLEAN_API}/datasources/${encodeURIComponent(datasource)}/permissions`, {
    method: 'PUT',
    headers: { Authorization: `Bearer ${GLEAN_API_TOKEN}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ user: email, role, allowedGroups: [`${datasource}-${role}s`] }),
  });
  if (!response.ok) throw new Error(`assign ${role} on ${datasource} for ${email} failed: HTTP ${response.status}`);
}

async function revokeDatasourceAccess(email: string, datasource: string): Promise<void> {
  const response = await fetch(
    `${GLEAN_API}/datasources/${encodeURIComponent(datasource)}/permissions/${encodeURIComponent(email)}`,
    { method: 'DELETE', headers: { Authorization: `Bearer ${GLEAN_API_TOKEN}` } },
  );
  // A failed revoke must never be silent: the user keeps access until it succeeds.
  if (!response.ok) throw new Error(`revoke ${email} on ${datasource} failed: HTTP ${response.status}`);
}

Audit Logging

// One record per search, view, index run or permission change. `result` records the
// access decision, so denied attempts are logged alongside successful ones.
interface GleanAuditEntry {
  timestamp: string; userId: string; action: 'search' | 'view' | 'index' | 'permission_change';
  datasource: string; query?: string; documentId?: string; result: 'allowed' | 'denied';
}

// Emit one JSON object per line to stdout for the log shipper; the org id is appended
// so entries from several tenants can be told apart downstream.
function logSearchAccess(entry: GleanAuditEntry): void {
  console.log(JSON.stringify({ ...entry, org: process.env.GLEAN_ORG_ID }));
}
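Writing the entries is half of the audit story; the checklist below also asks for search analytics to be reviewed for unauthorized access patterns. The following block is an added example, not Glean's code or the page's own, that runs three such checks over a constructed log of the shape defined above: a burst of denials by one user, denials spread across several datasources (probing), and a permission change followed by a view in the same datasource by the same user. The `AuditEntry` name mirrors `GleanAuditEntry`, and the thresholds and sample entries are assumptions.

```typescript
// Added example (not Glean's code). Review of audit entries for patterns worth
// investigating; thresholds, finding kinds and sample entries are assumptions.

type AuditAction = 'search' | 'view' | 'index' | 'permission_change';

interface AuditEntry {
  timestamp: string; userId: string; action: AuditAction;
  datasource: string; query?: string; documentId?: string; result: 'allowed' | 'denied';
}

type FindingKind = 'denied_burst' | 'cross_datasource_probe' | 'self_grant_then_view';
interface Finding { userId: string; kind: FindingKind; detail: string }

const DENIED_BURST_THRESHOLD = 5;               // this many denials ...
const DENIED_BURST_WINDOW_MS = 10 * 60 * 1000;  // ... inside this window
const PROBE_DATASOURCE_THRESHOLD = 3;           // denials in at least this many datasources

function reviewAuditLog(entries: AuditEntry[]): Finding[] {
  const findings: Finding[] = [];
  const byUser = new Map<string, AuditEntry[]>();
  for (const e of entries) {
    const list = byUser.get(e.userId) ?? [];
    list.push(e);
    byUser.set(e.userId, list);
  }
  byUser.forEach((list, userId) => {
    list.sort((a, b) => Date.parse(a.timestamp) - Date.parse(b.timestamp));
    const denied = list.filter(e => e.result === 'denied');

    // Sliding window over the user's denials: THRESHOLD of them within WINDOW is a burst.
    for (let i = 0; i + DENIED_BURST_THRESHOLD <= denied.length; i++) {
      const first = Date.parse(denied[i].timestamp);
      const last = Date.parse(denied[i + DENIED_BURST_THRESHOLD - 1].timestamp);
      if (last - first <= DENIED_BURST_WINDOW_MS) {
        findings.push({ userId, kind: 'denied_burst', detail: `${DENIED_BURST_THRESHOLD} denials within ${(last - first) / 60000} min` });
        break;
      }
    }

    // Denials spread over many datasources look like enumeration, not a single mistake.
    const probed = new Set(denied.map(e => e.datasource));
    if (probed.size >= PROBE_DATASOURCE_THRESHOLD) {
      findings.push({ userId, kind: 'cross_datasource_probe', detail: Array.from(probed).sort().join(',') });
    }

    // A successful permission_change followed by a view in the same datasource by the
    // same user is the self-grant pattern a Content Manager or Admin could abuse.
    const granted = new Set<string>();
    for (const e of list) {
      if (e.action === 'permission_change' && e.result === 'allowed') {
        granted.add(e.datasource);
      } else if (e.action === 'view' && e.result === 'allowed' && granted.has(e.datasource)) {
        findings.push({ userId, kind: 'self_grant_then_view', detail: `${e.datasource}:${e.documentId ?? '?'}` });
        granted.delete(e.datasource);  // report once per grant
      }
    }
  });
  return findings;
}

// Constructed sample log (not real data); timestamps are ISO-8601 UTC.
const sampleAudit: AuditEntry[] = [
  { timestamp: '2026-04-20T09:00:00Z', userId: 'u-alice',   action: 'search', datasource: 'confluence', query: 'runbook',    result: 'allowed' },
  { timestamp: '2026-04-20T09:01:00Z', userId: 'u-mallory', action: 'view',   datasource: 'gdrive',     documentId: 'd1',    result: 'denied'  },
  { timestamp: '2026-04-20T09:02:00Z', userId: 'u-mallory', action: 'view',   datasource: 'salesforce', documentId: 'd2',    result: 'denied'  },
  { timestamp: '2026-04-20T09:03:00Z', userId: 'u-mallory', action: 'view',   datasource: 'confluence', documentId: 'd3',    result: 'denied'  },
  { timestamp: '2026-04-20T09:04:00Z', userId: 'u-mallory', action: 'search', datasource: 'gdrive',     query: 'salary',     result: 'denied'  },
  { timestamp: '2026-04-20T09:05:00Z', userId: 'u-mallory', action: 'search', datasource: 'gdrive',     query: 'comp bands', result: 'denied'  },
  { timestamp: '2026-04-20T10:00:00Z', userId: 'u-bob',     action: 'permission_change', datasource: 'gdrive',            result: 'allowed' },
  { timestamp: '2026-04-20T10:05:00Z', userId: 'u-bob',     action: 'view',   datasource: 'gdrive',     documentId: 'd9',    result: 'allowed' },
  { timestamp: '2026-04-21T11:00:00Z', userId: 'u-alice',   action: 'view',   datasource: 'gdrive',     documentId: 'd4',    result: 'denied'  },
];

console.log(JSON.stringify(reviewAuditLog(sampleAudit), null, 2));
```

On the sample log this reports a denial burst and a cross-datasource probe for u-mallory and a self-grant-then-view for u-bob; u-alice's single denial is noise and is not reported. Denied entries only exist to be found this way, which is why the audit interface records `result` rather than logging successes alone.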

RBAC Checklist

  • Each connector maps source-system ACLs to Glean allowedGroups
  • API tokens scoped per datasource, not organization-wide
  • SAML/SSO groups synced with Glean user groups daily
  • Document-level permissions verified after each connector sync
  • Search analytics reviewed monthly for unauthorized access patterns
  • Token rotation policy enforced quarterly
  • Sensitive datasources restricted to named allowedGroups only

Error Handling

| Issue                               | Cause                                                                         | Fix                                                                                                            |
|-------------------------------------|-------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|
| User sees documents from wrong team | Connector ACL mapping missing or wrong, so allowedGroups do not reflect source permissions | Reconfigure the connector ACL mapping in the admin console, then re-verify document-level permissions |
| 403 Forbidden on search API         | Expired or wrong-scope API token                                               | Regenerate the token with the correct datasource scope                                                         |
| Stale permissions after IdP change  | Connector sync lag                                                            | Trigger a manual resync from the Glean admin console; until it completes, a revoked user may still have access |
| Missing search results              | Overly restrictive allowedGroups                                               | Audit group membership against the source-system ACLs                                                          |
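The first and last rows of this table are the two directions of the same drift: the ACL the connector wrote into the index no longer matches the ACL in the source system. The checklist item "document-level permissions verified after each connector sync" is the control for both. The following block is an added example, not Glean's code or the page's own, of that post-sync reconciliation: it maps source-system group identifiers to Glean allowedGroups through a mapping table, compares expected and indexed ACLs per document, and classifies each mismatch as over-exposure (a leak), under-exposure (missing results), a missing ACL, or a source group with no mapping. The `SourceAcl` and `IndexedAcl` shapes, the AD-style group names and the mapping table are assumptions.

```typescript
// Added example (not Glean's code). Reconcile source-system ACLs against the ACLs
// carried in the search index after a connector sync; shapes and names are assumptions.

interface SourceAcl { documentId: string; datasource: string; groups: string[] }   // groups as named in the source system
interface IndexedAcl { documentId: string; datasource: string; allowedGroups?: string[] }

type DriftKind = 'over_exposed' | 'under_exposed' | 'missing_in_index' | 'missing_acl' | 'unmapped_group';
interface Drift { documentId: string; datasource: string; kind: DriftKind; groups: string[] }

// Source-system group identifier -> Glean allowedGroups name.
type GroupMap = Record<string, string>;

function reconcileAcls(source: SourceAcl[], index: IndexedAcl[], map: GroupMap): Drift[] {
  const drifts: Drift[] = [];
  const indexed = new Map<string, IndexedAcl>();
  for (const i of index) indexed.set(`${i.datasource}/${i.documentId}`, i);

  for (const s of source) {
    const base = { documentId: s.documentId, datasource: s.datasource };

    // Translate source groups; anything without a mapping cannot be verified and is reported.
    const expected = new Set<string>();
    const unmapped: string[] = [];
    for (const g of s.groups) {
      const mapped = map[g];
      if (mapped) expected.add(mapped); else unmapped.push(g);
    }
    if (unmapped.length > 0) drifts.push({ ...base, kind: 'unmapped_group', groups: unmapped });

    const idx = indexed.get(`${s.datasource}/${s.documentId}`);
    if (!idx) { drifts.push({ ...base, kind: 'missing_in_index', groups: [] }); continue; }
    // No ACL at all is distinct from an empty one: the former is a connector defect.
    if (idx.allowedGroups === undefined) { drifts.push({ ...base, kind: 'missing_acl', groups: [] }); continue; }

    const actual = new Set(idx.allowedGroups);
    const over = idx.allowedGroups.filter(g => !expected.has(g));     // index grants what source does not
    const under = Array.from(expected).filter(g => !actual.has(g));   // source grants what index lacks
    if (over.length > 0) drifts.push({ ...base, kind: 'over_exposed', groups: over });
    if (under.length > 0) drifts.push({ ...base, kind: 'under_exposed', groups: under });
  }
  return drifts;
}

// Gate for a post-sync check: over-exposure and missing ACLs leak data and must block;
// under-exposure and unmapped groups only hide results and can be fixed afterwards.
function syncIsSafe(drifts: Drift[]): boolean {
  return !drifts.some(d => d.kind === 'over_exposed' || d.kind === 'missing_acl');
}

// Constructed mapping and ACLs (not real data).
const groupMap: GroupMap = {
  'CN=Engineering,OU=Groups,DC=corp': 'eng-all',
  'CN=HR-Comp,OU=Groups,DC=corp': 'hr-comp',
  'CN=Finance,OU=Groups,DC=corp': 'finance',
};
const sourceAcls: SourceAcl[] = [
  { documentId: 'page-1', datasource: 'confluence', groups: ['CN=Engineering,OU=Groups,DC=corp'] },
  { documentId: 'file-7', datasource: 'gdrive',     groups: ['CN=HR-Comp,OU=Groups,DC=corp'] },
  { documentId: 'file-8', datasource: 'gdrive',     groups: ['CN=Finance,OU=Groups,DC=corp', 'CN=Legal,OU=Groups,DC=corp'] },
  { documentId: 'opp-3',  datasource: 'salesforce', groups: ['CN=Finance,OU=Groups,DC=corp'] },
];
const indexedAcls: IndexedAcl[] = [
  { documentId: 'page-1', datasource: 'confluence', allowedGroups: ['eng-all'] },            // in sync
  { documentId: 'file-7', datasource: 'gdrive',     allowedGroups: ['hr-comp', 'eng-all'] }, // leaked to eng-all
  { documentId: 'file-8', datasource: 'gdrive',     allowedGroups: [] },                     // finance lost its access
  { documentId: 'opp-3',  datasource: 'salesforce' },                                         // connector emitted no ACL
];

console.log(JSON.stringify(reconcileAcls(sourceAcls, indexedAcls, groupMap), null, 2));
```

On the sample data file-7 is over-exposed to eng-all (the "wrong team" row), file-8 is under-exposed to finance (the "missing results" row) and also carries an unmapped Legal group, and opp-3 has no ACL at all, so `syncIsSafe` returns false and the sync should not be promoted until the over-exposure and the missing ACL are fixed.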

Next Steps

See glean-security-basics.

Info
Category: Programming / Development
Name: glean-enterprise-rbac
Version: v20260423
Size: 4.15KB
Updated: 2026-04-28
Language: