Security trimming in search web service

Question

I have a web application which consumes the SharePoint 2007 search web service (http://localhost/_vti_bin/search.asmx). My scope contains several content sources, all of them contain business data (content is crawled via SQL queries on external databases). I need one of these content sources to provide me security trimmed results. To put it simple, I have two tables:

• Table A with contents: NodeId, Title, Content
• Table B with permissions: NodeId, Username

Now, the crawler indexes table A with no problems. My problem is though, that when doing a search with the query web service, I cannot find a solution to do a security trimming of the results. The web service is consumed with a service account, no impersonation of logged in user. Is there a possibility to pass somehow the username to the querypacket object, or any other way that would check the Table B, whether the username has access to the NodeId?

Since I'm planning to migrate onto SP2013, maybe some of you also know a solution for this Sharepoint version, if there is no way in MOSS2007?

Answer 1

There are a few 3 main options for doing security trimming of SharePoint search results. They include:

1. ISecurityTrimmerPre - New in SharePoint 2013. Allows adding additional claims for the user before a search query is executed
2. ISecurityTrimmerPost - Also known as ISecurityTrimmer2 in earlier versions of SharePoint. Allows trimming search results on a 1 by 1 basis after a search query is executed
3. Business Connectivity Services Indexing Connectors - Allows you to supply ACLs to the search indexer when it is crawling the content source

There is a great set of blog articles that show how to implement each option.

Also, here's a great video of a SharePoint Conference 2012 session on custom security trimming.

HTH

-Eugene