Hi Sharnel, I've done some further research.
(1) There is currently only one access token ever stored with a Documentum
document -- it's the name of the ACL associated with that document.
(2) The Documentum connector does not fire off any of its own DQL at this
time for finding the document's ACL. This is how it currently does it,
using DFC methods all the way:
>>>>>>
    strarrACL[0] = docbaseName + ":" + object.getACLDomain() + "." + object.getACLName();
<<<<<<
... where:
>>>>>>
    /** Get the ACL domain */
    public String getACLDomain()
        throws DocumentumException, RemoteException
    {
        try
        {
            return ((IDfSysObject)object).getACLDomain();
        }
        catch (DfException e)
        {
            throw new DocumentumException("Documentum exception: " + e.getMessage());
        }
    }

    /** Get the ACL name */
    public String getACLName()
        throws DocumentumException, RemoteException
    {
        try
        {
            return ((IDfSysObject)object).getACLName();
        }
        catch (DfException e)
        {
            throw new DocumentumException("Documentum exception: " + e.getMessage());
        }
    }
<<<<<<
(3) Your statement:
'acl idocs_inst_540278_O_acl has negative group added to it
(r_accessor_name: emucw ; r_accessor_permit :1)'
...implies that the way 'negative groups' have been added to Documentum is
by somehow designating groups as 'negative'. Is this correct? Or are
groups designated negative only within the context of individual ACLs?
If groups themselves are negative, how do you know whether a group is
negative? Is there a way to do this in DQL? And, can negative groups
contain other groups? Can groups in general contain other groups?
I was not the original author of the Documentum connector and authority,
and I do not have access to Documentum development materials at this time.
It seems to me that the choice of access token for this connector was not
well thought out, because instead of indexing the users and groups as is
done for all other connectors, we need to resolve document visibility in
the Documentum Authority. But I can't reasonably change this now. What I
would like to try first is rewriting the Authority DQL based on what you
can tell me about negative groups.
Thanks,
Karl
On Wed, Apr 5, 2017 at 2:02 PM, Karl Wright <[email protected]> wrote:
> Hi Sharnel,
>
> At the time the Documentum connector was created there was no such thing
> as a "deny" acl.
>
> I can supply a fix but I will need to know how to list "deny" acls for
> documentum documents, so if you could rewrite the above DQL query to return
> that list I can take it from there.
>
> Karl
>
>
> On Wed, Apr 5, 2017 at 1:40 PM, Sharnel Merdeck Pereira <
> [email protected]> wrote:
>
>> Hi,
>>
>> We are having issues with authorization when there are negative acls.
>>
>> I have included an example below:
>>
>> · Indexing done using manifoldcf v 2.5, solr v 5.5.2
>> · Indexed document with r_object_id 091e86d986f6a044
>> · document has acl idocs_inst_540278_O_acl
>> · acl idocs_inst_540278_O_acl has negative group added to it
>>   (r_accessor_name: emucw ; r_accessor_permit :1)
>> · on indexing we see document has acl idocs_inst_540278_O_acl on
>>   allowed_token
>> · user 000470248 has been added to group emucw
>> · At query time we get user having acl idocs_inst_540278_O_acl and
>>   user is able to see the document, *ideally there should not be access as
>>   negative group should take priority and should not be available in user acl*.
>>
>> I have attached screenshots and query logs:
>>
>> · User acls at query time
>>
>> · Query to fetch user acls in code:
>>
>>     SELECT DISTINCT A.owner_name, A.object_name FROM dm_acl A WHERE
>>       A.object_name NOT LIKE 'dm_%' AND (
>>         (any (A.r_accessor_name IN ('" + strAccessToken + "', 'dm_world')
>>           AND r_accessor_permit>2)
>>         OR (any (A.r_accessor_name='dm_owner' AND A.r_accessor_permit>2)
>>           AND A.owner_name=" + quoteDQLString(strAccessToken) + ")
>>         OR (ANY (A.r_accessor_name in (SELECT G.group_name FROM dm_group G
>>           WHERE ANY G.i_all_users_names = " + quoteDQLString(strAccessToken) + ")
>>           AND r_accessor_permit>2)) )
>>
>> · Document values
>>
>> Kindly let me know if more details are required. How do I resolve the above
>> issue?
>>
>> Thanks
>>
>> Sharnel
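Added example, not code from the thread, ManifoldCF or Documentum: a small Python model of the two halves of the authorization described above, the connector's single docbase:aclDomain.aclName token per document, the three OR branches of the authority's DQL, and Solr's allowed_token match, run on data constructed from Sharnel's example. Assumed for illustration (none of it is on the page): the docbase name idocs, the ACL owner name idocs_owner, a dm_world Read entry (permit 3) on the ACL so that the existing query's first branch grants it, a constructed dm_ system ACL, a flattened i_all_users_names for group emucw, that acl_domain equals the ACL's owner_name, and that the honor_negative flag implements the priority Sharnel expects (an entry with r_accessor_permit 1 for the user or one of the user's groups removes the ACL from the user's list). That flag models the requested behaviour, not Documentum's own permission semantics.

```python
# Added example (not ManifoldCF or Documentum code): a model of the
# authorization split discussed in the thread. The connector stores ONE
# token per document, docbase:aclDomain.aclName; the authority returns the
# user's list of ACL tokens from dm_acl; Solr matches allowed_token against
# that list. All data below is constructed from the page's example.

DOCBASE = "idocs"  # assumption: the docbase name is not given on the page

# dm_acl rows: owner_name, object_name and (r_accessor_name, r_accessor_permit)
# entries. Assumptions: the ACL owner name, and a 'dm_world' Read entry
# (permit 3) that makes the existing query's first branch grant the ACL.
# The 'emucw' entry with permit 1 is the "negative group" entry from the thread.
ACLS = [
    {"owner_name": "idocs_owner",
     "object_name": "idocs_inst_540278_O_acl",
     "entries": [("dm_world", 3), ("emucw", 1)]},
    {"owner_name": "dm_dbo",  # constructed system ACL, excluded by NOT LIKE 'dm_%'
     "object_name": "dm_example_acl",
     "entries": [("dm_world", 3)]},
]

# dm_group rows, group_name -> flattened i_all_users_names (constructed)
GROUPS = {"emucw": {"000470248"}}

# indexed document: r_object_id -> (acl_domain, acl_name), from the thread
DOCS = {"091e86d986f6a044": ("idocs_owner", "idocs_inst_540278_O_acl")}


def token(acl_domain, acl_name, docbase=DOCBASE):
    # Same shape the connector builds with getACLDomain()/getACLName().
    # Assumption: acl_domain is the ACL's owner_name, which is why the
    # authority query selects A.owner_name, A.object_name.
    return f"{docbase}:{acl_domain}.{acl_name}"


def groups_of(user, groups=GROUPS):
    return {g for g, members in groups.items() if user in members}


def grants(acl, user, user_groups):
    """The three OR branches of the existing authority query: any entry with
    r_accessor_permit > 2 for the user or dm_world, for dm_owner when the user
    owns the ACL, or for a group whose i_all_users_names contains the user."""
    for name, permit in acl["entries"]:
        if permit <= 2:
            continue
        if name in (user, "dm_world"):
            return True
        if name == "dm_owner" and acl["owner_name"] == user:
            return True
        if name in user_groups:
            return True
    return False


def negative_entry(acl, user, user_groups):
    """An entry like the thread's (r_accessor_name: emucw, r_accessor_permit: 1)
    that names the user directly or a group the user belongs to."""
    return any(permit == 1 and (name == user or name in user_groups)
               for name, permit in acl["entries"])


def user_tokens(user, honor_negative=False, acls=ACLS, groups=GROUPS):
    """Tokens the authority would hand Solr for this user. With honor_negative
    the ACL is dropped when a permit-1 entry matches (the priority Sharnel
    expects); the existing query (honor_negative=False) never looks at it."""
    user_groups = groups_of(user, groups)
    result = set()
    for acl in acls:
        if acl["object_name"].startswith("dm_"):  # A.object_name NOT LIKE 'dm_%'
            continue
        if not grants(acl, user, user_groups):
            continue
        if honor_negative and negative_entry(acl, user, user_groups):
            continue
        result.add(token(acl["owner_name"], acl["object_name"]))
    return result


def document_token(object_id, docs=DOCS):
    domain, name = docs[object_id]
    return token(domain, name)


def can_see(user, object_id, honor_negative=False):
    # Solr side: the document's single allowed_token must be in the user's list.
    return document_token(object_id) in user_tokens(user, honor_negative)


if __name__ == "__main__":
    for honor in (False, True):
        print(f"honor_negative={honor}: user 000470248 sees 091e86d986f6a044 ->",
              can_see("000470248", "091e86d986f6a044", honor))
```

With the existing branches alone, user 000470248 receives the ACL token because some other entry in the same ACL grants more than Browse, so the permit-1 entry for emucw is never consulted; the model makes that failure visible before any DQL is rewritten. Two things the model does not settle are exactly Karl's open questions: whether a permit-1 entry is how Documentum expresses a "deny", and whether group membership has to be resolved through nested groups (here i_all_users_names is assumed already flattened). Separately, note that the first branch of the query as posted splices strAccessToken into the DQL string inside quotes (`'" + strAccessToken + "'`) while the other two branches go through quoteDQLString; a user name containing a quote would break or alter that query, so all three branches should use quoteDQLString.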