Guides / Security / API keys

User-Restricted Access to Data

On this page

Sometimes, you don’t want your users to search your entire index, but only a subset that concerns them.

Content might be restricted to a specific user as private data, a set of users, a group, or even everybody. Handling access within an index allows to have a fine-grained control over who can search and view what content.

This doesn’t mean you need one index per user. By generating a Secured API key for the current user, you can restrict the records they can retrieve.

Adding an attribute for filtering in your dataset#

Algolia is schemaless and doesn’t have any concept of relationships between objects, so you need to put all the relevant information in each record.

Take a dataset for corporate documents as an example. The index contains the entire list of documents for the company, but has dedicated access control to restrict who can view content.

Consider different users in this company: Angela, Mike, and Ruth. Angela is an executive, Mike the accountant, and Ruth is an engineer.

Copy 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

[
  {
    "title": "Financial record Q3 and pipeline forecast",
    "visible_by": ["Angela", "group/Finance", "group/Shareholders"],
    "objectID": "myID1",
    "content": "..."
  },
  {
    "title": "Compliance audit check-list",
    "visible_by": ["group/Finance"],
    "objectID": "myID2",
    "content": "..."
  },
  {
    "title": "Strategic partnership with BigCompany",
    "visible_by": ["Angela"],
    "objectID": "myID3",
    "content": "..."
  },
  {
    "title": "New company-wide healthcare coverage benefits",
    "visible_by": ["group/Everybody"],
    "objectID": "myID4",
    "content": "..."
  },
  {
    "title": "Ruth's personal TODO list",
    "visible_by": ["Ruth"],
    "objectID": "myID5",
    "content": "..."
  }
]

Each record has a visible_by attribute, which has a list of users, or groups. Only listed users and groups can see the specific record, with the group Everybody visible by anyone. When searching through it, only allowed people should be able to find those records.

Making the attribute filterable#

To make your visible_by attribute filterable, you should add it in attributesForFaceting.

Copy 
1
2
3
4
5

$index->setSettings([
  'attributesForFaceting' => [
    'filterOnly(visible_by)'
  ]
]);

In this case, you only want to filter on this attribute, and not use it for facet counts. That means you should add the filterOnly modifier. This improves performance because the engine doesn’t have to compute the count for each value.

If you need faceting on this attribute, you can remove the filterOnly modifier.

Adding and removing users#

Whenever someone needs to change the access rights of a record, you need to update the visible_by attribute.

Copy 
1
2
3
4
5
6

$index->partialUpdateObject(
    [
        'visible_by' => ['Angela', 'group/Finance', 'group/Shareholders'],
        'objectID' => 'myID1'
    ]
);

The partialUpdateObjects allows you to partially update an attribute instead of replacing the entire record, or even the entire index.

Generating a Secured API key#

With front-end search, malicious users can tweak the request to impersonate another user and see content they shouldn’t have access to.

To prevent this, you can generate a Secured API key, a special key that you can generate on the fly, and within which you can embed a set of filters. End users can’t alter those filters.

Copy 
1
2
3
4
5
6
7
8
9

$currentUserID = 'Angela';
$currentGroupId = 'Board';

$securedApiKey = \Algolia\AlgoliaSearch\SearchClient::generateSecuredApiKey(
  'YourSearchOnlyAPIKey', // A search key that you keep private
  [
    'filters' => 'visible_by:'.$currentUserID.' OR visible_by:group/'.$currentGroupId.' OR visible_by:group/Everybody'
  ]
);

Note that this needs to happen on the back end. For example, when a user logs in to your application, you could generate the key from your back end and return it for the current session.

To invalidate Secured API keys, you need to invalidate the search API key you used to generate it.

Making sensitive attributes unretrievable#

When using a Secured API key with an embedded filter, users can only retrieve content they’re allowed to access to. Since the API returns the visible_by attribute for each record, they can find out what other users have the same access for this record if they inspect the response.

To mitigate this privacy concern, you can leverage the unretrievableAttributes parameter. It allows you to ensure that the visible_by parameter is never part of the Algolia response, even though you use it for filtering on the engine side.

Copy 
1
2
3
4
5

$index->setSettings([
  'unretrievableAttributes' => [
    'visible_by'
  ]
]);

Searching in the subset#

You can now search on the front end using the API key generated from your back end. This API key has an embedded filter on the visible_by attribute, so you have a guarantee that the current user only sees results that they’re allowed to access.

Did you find this page helpful?