Search Facet and Total Counts Accuracy and Dynamic Permission Inheritance

Overview

Each search response includes the total result count and facet bucket counts (in case of faceted searches, like the Search Bar searches or Headless Search API calls with Facet Configurations). These counts are not guaranteed to be accurate because the indexed view permissions are approximations in the case of assets that support dynamic permissions.

 

Count approximations are a common, acceptable trade-off to the performance cost of persisting and re-indexing an asset every time any user's permissions are changed (e.g., if a folder's permissions are changed, all its assets must be updated to maintain accuracy). 

Because of these approximations, users may experience the following behaviors:

  • facet bucket counts and total result counts are different from the actual number of assets a user can access,
  • facet bucket counts and total result counts may change from page to page,
  • facets that show count values may return no results when selected.


Image: Facet Bucket Counts, Result Totals, and pagination are based on Dynamic View Permission approximations.

Dynamic Permission Inheritance

It is possible to control an asset's view permissions by setting the permission of its parent asset or containing folder. Parent level permissions are available for Documents and Media (Folders and Files), Web Content (Folders and Articles), Message Boards (Categories and Threads), Bookmarks (Folders and Entries), Wiki (Nodes and Pages), and Categorization (Vocabularies and Categories).

Among other things, the View Permission Dynamic Inheritance framework calculates an asset's permissions during runtime to determine if a user can view the asset. This runtime calculation relieves the performance cost of re-indexing every asset affected by changing a folder's permission.

A side effect of the Dynamic Permissions Inheritance framework approach is that the permissions stored in the database and the search engine are approximations. Because these stored permissions are used when displaying facet bucket counts and total result counts, they may reflect more assets than what the user has permission to view. These counts may also change as the user navigates through pages. Regardless of these miscounts, users can never view assets they do not have permission to view.

Note: Directly assigning the permissions of assets will avoid the Dynamic Permission Inheritance framework and remove count approximations.

Accuracy versus Performance

When searching, Liferay receives documents from the search engine. It post-filters the documents in the Liferay application layer, removing any the user does not have permission to view. It repeats the process until enough documents have been returned to fill up the current search page. 

We recommend this default behavior as it ensures a speedier search experience, but there is a way to improve the accuracy of facet and total result counts at the cost of performance. 

Under System Settings > Search, you can configure the Default Search Result Permission Filter Accurate Count Threshold to make the portal filter at least that many results. 

For example if set to 1000, 1000 documents will be returned from the search engine and will be filtered down to the number the user can view. Facet bucket counts and total result counts for all the returned documents would be accurate but those numbers will be added to the approximate values for documents beyond 1000 not returned by the search engine.

If using Permission Filtered Search Result Accurate Count Threshold, we recommend changing the Search Query Result Window Limit to the same value to reduce the number of searches performed.

Consideration for the Custom Facet Widget 

Dynamic Permissions Inheritance can impact the behavior of the Custom Facet. This facet utilizes aggregation fields directly from the search response without any additional display context layer “post-filtering”, bypassing portal permission checks. This allows the Custom Facet to be configured to aggregate using any applicable field from the index.

Consequently, facet buckets might reference entities such as an asset's folder or category that the user lacks permission to view. (This behavior is often referred to as the “ghost facet” problem.)

Image A: 165100 is a reference to a folder the searching user does not have permission to view.

Image B: After facet bucket 165100 was clicked, no results are returned because the user does not have permission to view the folder or its contents.

To address this, create a custom widget Display Template for the Custom Facet. Within the template code, you can make service or REST calls to retrieve the underlying entries. Entries that cannot be fetched due to missing VIEW permissions can be simply excluded from the display while iterating over the collected buckets.

この記事は役に立ちましたか?
0人中0人がこの記事が役に立ったと言っています