manifoldcf-user mailing list archives

From Karl Wright <daddy...@gmail.com>
Subject Re: ManifoldCf Documentum Negative ACL
Date Wed, 05 Apr 2017 18:02:13 GMT
Hi Sharnel,

At the time the Documentum connector was created there was no such thing as
a "deny" acl.

I can supply a fix but I will need to know how to list "deny" acls for
documentum documents, so if you could rewrite the above DQL query to return
that list I can take it from there.

Karl


On Wed, Apr 5, 2017 at 1:40 PM, Sharnel Merdeck Pereira <
spereire@worldbankgroup.org> wrote:

> Hi,
>
> We are having issues with authorization when there are negative acls.
>
> I have included an example below:
>
> ·  Indexing done using manifoldcf v 2.5, solr v 5.5.2
> ·  Indexed document with r_object_id 091e86d986f6a044
> ·  document has acl idocs_inst_540278_O_acl
> ·  acl idocs_inst_540278_O_acl has negative group added to it (r_accessor_name: emucw ; r_accessor_permit :1)
> ·  on indexing we see document has acl idocs_inst_540278_O_acl on allowed_token
> ·  user 000470248 has been added to group emucw
> ·  At query time we get user having acl idocs_inst_540278_O_acl and user is able to see the document, *ideally there should not be access as negative group should take priority and should not be available in user acl*.
>
> I have attached screenshots and query logs:
>
> ·  User acls at query time
>
> ·  Query to fetch user acls in code:
>
>     SELECT DISTINCT A.owner_name, A.object_name FROM dm_acl A WHERE
>     A.object_name NOT LIKE 'dm_%' AND (
>     (any (A.r_accessor_name IN ('" + strAccessToken + "', 'dm_world') AND r_accessor_permit>2)
>     OR (any (A.r_accessor_name='dm_owner' AND A.r_accessor_permit>2) AND A.owner_name=" + quoteDQLString(strAccessToken) + ")
>     OR (ANY (A.r_accessor_name in (SELECT G.group_name FROM dm_group G WHERE ANY G.i_all_users_names = " + quoteDQLString(strAccessToken) + ")
>     AND r_accessor_permit>2)) )
>
> ·  Document values
>
> Kindly let me know if more details are required. How do I resolve the above issue?
>
> Thanks
>
> Sharnel
>
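
The behaviour reported in this thread, as an added example that is not code from the thread or from ManifoldCF: a small Python model of the quoted user-ACL lookup (grant on `r_accessor_permit > 2`) beside a deny-aware variant in which a matching restricting entry removes the ACL from the user's tokens. The `restrict` flag, the `dm_world` read grant, the second ACL and the group table are assumptions made for illustration, and the `dm_owner` clause of the query is left out.

```python
from dataclasses import dataclass

READ_THRESHOLD = 2  # the quoted query grants on r_accessor_permit > 2


@dataclass(frozen=True)
class Entry:
    accessor: str           # user, group, or 'dm_world'
    permit: int             # r_accessor_permit value
    restrict: bool = False  # hypothetical marker for a "deny" entry


# Constructed sample mirroring the report: the ACL lets dm_world read (assumed)
# and carries a restricting entry for group emucw.
ACLS = {
    "idocs_inst_540278_O_acl": [
        Entry("dm_world", 3),
        Entry("emucw", 1, restrict=True),
    ],
    "other_acl": [Entry("staff", 3)],  # constructed second ACL
}
GROUPS = {"emucw": {"000470248"}, "staff": {"000470248", "000111111"}}


def principals(user):
    """The user, dm_world, and every group that lists the user."""
    return {user, "dm_world"} | {g for g, m in GROUPS.items() if user in m}


def tokens_allow_only(user):
    """Mirrors the quoted query: any matching accessor with permit > 2."""
    who = principals(user)
    return {name for name, entries in ACLS.items()
            if any(e.accessor in who and e.permit > READ_THRESHOLD
                   for e in entries)}


def tokens_deny_aware(user):
    """Same grant rule, but a matching restricting entry wins over any grant."""
    who = principals(user)
    denied = {name for name, entries in ACLS.items()
              if any(e.restrict and e.accessor in who for e in entries)}
    return tokens_allow_only(user) - denied


def can_see(doc_acl, user_tokens):
    """Query-time check: the document's ACL must be among the user's tokens."""
    return doc_acl in user_tokens
```

With the allow-only lookup the emucw member still receives `idocs_inst_540278_O_acl` through the `dm_world` grant, which is the symptom described above; the deny-aware lookup drops it for that user only.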
