Install > Install and configure the Solr Search Engine > Enforcing Mandanten Security in Knowledge Management

Enforcing Mandanten Security in Knowledge Management

User role: System Administrator

Service Manager offers a security feature called Mandanten for any searches performed within Service Manager. Because the Knowledge Management module uses a third-party search engine (the Solr search engine), it does not apply the settings for Mandanten protection that may have been defined for Service Manager searches against these tables by the customer. You can utilize Mandanten protection for searches executed by the Knowledge Management module to ensure that all searches against these tables comply with the security requirements defined by Mandanten.

Introduction to Mandanten Security

Typically, Mandanten is set up based on the company of the user who is accessing the system, though it can be set up based on any value in any table that needs to be protected. Mandanten protection is set up on a per-table basis. The operator can be a member of one, many, or no security groups. The security groups (scsecuritygroups table) set values that define which records the user is allowed to see based on the content of the mandant field; the mandant field is set up for each table in the scmandant record. More flexible queries for each table and security group can be added to the scaccess table. However, when a user enters a search anywhere within Service Manager, the Mandanten restrictions are appended to that query upon execution, and restricted records will not be part of the returned record set.

Queries executed outside of Service Manager, such as with the Solr search engine, are not Mandanten protected. Information shown in the Knowledge Management hit list is not yet retrieved from the Service Manager internal files. When you select a record from the hit list for viewing, it will then access the Service Manager internal file (such as probsummary) that is under Mandanten protection. Access to the record will then be denied based on the Mandanten restrictions, even if the record was displayed in the hit list. To prevent this from happening, update the KM search security scripts to read Mandanten settings and apply these settings to the hitlist as well. For details, see Update a KM Search Security Script for Mandanten Security.

How to Enable Mandanten Security in Knowledge Management

To enable Mandanten security in Knowledge Management, you need to:

  1. Set up Mandanten protection according to the online help documentation:
    • The operator needs to belong to one or many security groups.
    • Security groups must have one or many “include” and/or “exclude” values.
    • The scmandant file must have a record for the table to protect and define a field in that table as the mandant field.
  2. Ensure that all fields used in the scmandant and scaccess files are defined in the Knowledgebase record’s Field Definitions tab. See Add an sclib Knowledgebase.
  3. Modify the search security script for the library that uses Mandanten protection, as described in Update a KM Search Security Script for Mandanten Security.

Note Make sure to run the full re-index as an operator without Mandanten limitations, since the Mandanten query that enforces security on the originating table will limit the records read during the re-index operation.