Azure AI Search ACL Example

This repository shows how to implement secure Azure AI Search patterns using document-level Access Control Lists (ACLs) in Azure Blob Storage to ensure users only retrieve documents they have permissions to access.

Overview

This project demonstrates best practices for implementing security-trimmed search results in Azure AI Search. By leveraging Azure Blob Storage metadata ACLs and Azure AI Search security filters, you can ensure that search results respect user permissions at the document level.

Key Features

• Document-level Security: Implement fine-grained access control at the individual document level
• Azure Blob Storage ACLs: Utilize blob metadata to store access control information
• Security Filtering: Apply security filters in Azure AI Search queries to trim results based on user permissions
• Scalable Pattern: Architecture designed to scale with enterprise security requirements

Architecture

The solution implements a security-trimmed search pattern using:

1. Azure Blob Storage: Stores documents with ACL metadata indicating which users/groups have access
2. Azure AI Search: Indexes documents along with their ACL information
3. Security Filters: Applied at query time to ensure users only see authorized documents

How It Works

1. Documents are uploaded to Azure Blob Storage with metadata containing ACL information (user IDs, group IDs, or security identifiers)
2. Azure AI Search indexer extracts both document content and ACL metadata
3. When users perform searches, security filters are applied based on their identity/group membership
4. Only documents the user has permissions to access are returned in search results

Prerequisites

• Azure subscription
• Azure Blob Storage account
• Azure AI Search service
• Appropriate permissions to create and configure Azure resources

Getting Started

1. Clone this repository
2. Configure your Azure resources (Blob Storage and AI Search)
3. Upload sample documents with ACL metadata
4. Configure the search indexer to include ACL fields
5. Implement security filters in your search queries

Security Considerations

• Always validate user identity before constructing security filters
• Use security groups to simplify ACL management at scale
• Regularly audit ACL assignments and search patterns
• Consider using Azure AD integration for identity management

Use Cases

• Enterprise document search with role-based access
• Multi-tenant applications requiring data isolation
• Compliance scenarios requiring strict access controls
• Knowledge management systems with sensitive content

Contributing

Contributions are welcome! Please feel free to submit issues or pull requests.

License

This project is licensed under the Apache License 2.0 - see the LICENSE file for details.

Additional Resources

• Azure AI Search Documentation
• Azure Blob Storage Security
• Security Filters in Azure AI Search

Workflow Diagram

Setup Process

graph TB
    A[Upload Documents to<br/>Azure Blob Storage] --> B[Add ACL Metadata<br/>user_ids, group_ids, rbac_scope]
    B --> C[Create AI Search Index<br/>with permissionFilter fields]
    C --> D[Configure Data Source<br/>with indexerPermissionOptions]
    D --> E[Create & Run Indexer<br/>with field mappings]
    E --> F[Index Documents<br/>with ACL Information]
    
    style A fill:#0078d4,color:#fff
    style B fill:#0078d4,color:#fff
    style C fill:#50e6ff,color:#000
    style D fill:#50e6ff,color:#000
    style E fill:#50e6ff,color:#000
    style F fill:#00b294,color:#fff

Loading