Hi Sharnel,

At the time the Documentum connector was created there was no such thing as a "deny" acl. I can supply a fix but I will need to know how to list "deny" acls for documentum documents, so if you could rewrite the above DQL query to return that list I can take it from there.

Karl

On Wed, Apr 5, 2017 at 1:40 PM, Sharnel Merdeck Pereira <[email protected]> wrote:

> Hi,
>
> We are having issues with authorization when there are negative acls.
>
> I have included an example below :
>
> · Indexing done using manifoldcf v 2.5, solr v 5.5.2
> · Indexed document with r_object_id 091e86d986f6a044
> · document has acl idocs_inst_540278_O_acl
> · acl idocs_inst_540278_O_acl has negative group added to it (r_accessor_name: emucw ; r_accessor_permit :1)
> · on indexing we see document has acl idocs_inst_540278_O_acl on allowed_token
> · user 000470248 has been added to group emucw
> · On querytime we get user having acl idocs_inst_540278_O_acl and user is able to see the document, *ideally there should not be access as negative group should take priority and should not be available in user acl*.
>
> I have attached screenshots and query logs:
>
> · User acls at query time
>
> · Query to fetch user acls in code :
>
>   SELECT DISTINCT A.owner_name, A.object_name FROM dm_acl A WHERE
>   A.object_name NOT LIKE 'dm_%' AND (
>   (any (A.r_accessor_name IN ('" + strAccessToken + "', 'dm_world') AND r_accessor_permit>2)
>   OR (any (A.r_accessor_name='dm_owner' AND A.r_accessor_permit>2) AND A.owner_name=" + quoteDQLString(strAccessToken) + ")
>   OR (ANY (A.r_accessor_name in (SELECT G.group_name FROM dm_group G WHERE ANY G.i_all_users_names = " + quoteDQLString(strAccessToken) + ")
>   AND r_accessor_permit>2)) )
>
> · Document values
>
> Kindly let me know if more details are required. How do I resolve above issue
>
> Thanks
> Sharnel
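The behaviour reported in this thread, as an added example that is not ManifoldCF or Documentum code: an allow-only match like the quoted query beside a deny-first check. The `dm_world` entry is constructed, the `dm_owner` clause is left out, and treating an `r_accessor_permit` of 1 as a deny is the reporter's reading, taken here as an assumption.

```python
# Constructed model of the report in this thread; not connector code.
from dataclasses import dataclass

THRESHOLD = 2  # the quoted query requires r_accessor_permit > 2


@dataclass(frozen=True)
class AclEntry:
    accessor: str  # r_accessor_name
    permit: int    # r_accessor_permit


# ACL name and the emucw entry come from the report; the dm_world entry is
# constructed so that the ACL matches the user at all.
ACLS = {
    "idocs_inst_540278_O_acl": [
        AclEntry("dm_world", 3),  # constructed
        AclEntry("emucw", 1),     # from the report: the "negative group"
    ],
}
GROUPS = {"emucw": {"000470248"}}  # membership from the report


def accessors_for(user):
    """Names an ACL entry can use to refer to this user."""
    groups = {g for g, members in GROUPS.items() if user in members}
    return {user, "dm_world"} | groups


def allow_only_tokens(user):
    """Mirrors the quoted query: any matching entry with permit > 2."""
    names = accessors_for(user)
    return {acl for acl, entries in ACLS.items()
            if any(e.accessor in names and e.permit > THRESHOLD for e in entries)}


def deny_tokens(user, deny_at_or_below=1):
    """Assumption: a user- or group-specific entry at permit <= 1 is a deny."""
    names = accessors_for(user) - {"dm_world"}
    return {acl for acl, entries in ACLS.items()
            if any(e.accessor in names and e.permit <= deny_at_or_below
                   for e in entries)}


def can_see(user, doc_acl):
    """Deny-first check: a deny token overrides any allow token."""
    return doc_acl in allow_only_tokens(user) - deny_tokens(user)
```

The allow-only function returns the ACL for user 000470248 even though the group entry restricts them, which is the symptom described; the deny-first check removes it.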
