IC4NOTICE: developerWorks Community will be offline May 29-30, 2015 while we upgrade to the latest version of IBM Connections. For more information, read our upgrade FAQ.
2 replies Latest Post - ‏2013-04-18T09:38:31Z by vzlomanov
2 Posts

Pinned topic ICA 3.0 provide document access-level with Rest API and access control list

‏2013-04-03T10:37:21Z |

We are trying to migrate from Omnifind 8.4 to ICA 3.0.
For Omnifind we have custom crawlers, which uses SIAPI to add files to Omnifind.
For document access level we use ACL as following:

Custom crawler code-snippet:

// contains user groups separeted by comma, e.g. 
// group1,group2,group3 String acl = getDocumentAcl(); indexFactory = getIndexFactory(); document = indexFactory.createDocument(...); ... document.setACL(

new String[] 
{ acl 
// store document in Omnifind this.indexRef.addOrReplaceDocument(document, fieldMapping);


For custom search application we use ESSearchServer ofsearch web-service (<OF_host>/ESSearchServer/services/ofsearchBinding/wsdl/ofsearch.wsdl):

Here is code-snippet: searchRequest = 

new SearchRequest(); searchRequest.setQueryText(finalSearchString); ... 
// contains user groups separeted by |, e.g. 
// group1 | group2 String acl = getUserAcl(); searchRequest.setAclConstraints(acl); searchResponse =;

Now we are trying to migrate to REST API provided by ICA.
For adding document we are using document API and add method (/document?method=add) and for getting search results - search API (/search)
This document/add has acl parameter with the String[] value.
And search API has no acl parameter, but securityConstraint.

For document/add we provide the next value to acl:



// array of groups, e.g. 
// {"group1", "group2", "group3"} String[] groups = getGroups();

For getting search results:



securityConstraint = 
"group1 | group2";

also tried



"@SecurityConstraint::'(group1 | group2)'"




"@SecurityConstraint::'" + context.serialize(

true) + 

where context is (according to documentation):



SecurityContext context = 

new SecurityContext(); context.setUserID(
"user_name"); Identity[] identities = 

new Identity[1]; identities[0] = 

new Identity(); identities[0].setDomain(
// don't know how exactly use it identities[0].setType(
// don't know how exactly use it identities[0].setUsername(
"cn=user_name,ou=default organization"); String[] groups = 

new String[5]; groups[0] = 
"uid=wpsadmin,o=default organization"; groups[1] = 
"all authenticated portal users"; groups[2] = 
"wpsadmins"; groups[3] = 
"group1"; groups[4] = 
"group2"; identities[0].setGroups(groups); identities[0].setProperties(

new Properties()); context.setIdentities(identities);

So we have no results with these ACLs.

Document level security settings for collection is next:



  • Pre-filtering enabled
  • Post-filtering disabled

So the question
How can we implement document access level with REST API?
All we need is provide list of groups which have access to document at crawling time and get results according user groups.


Updated on 2013-04-18T09:42:03Z at 2013-04-18T09:42:03Z by vzlomanov
  • SystemAdmin
    197 Posts

    Re: ICA 3.0 provide document access-level with Rest API and access control list

    ‏2013-04-03T11:22:59Z  in response to vzlomanov
    Your third approach using the SecurityContext object should return you the corrent constraint, but you have to use


    to set your custom ACL groups. AFAIK the context must contain at least one dummy identity, so just keep the one you already have created.
    • vzlomanov
      2 Posts

      Re: ICA 3.0 provide document access-level with Rest API and access control list

      ‏2013-04-18T09:38:31Z  in response to SystemAdmin

      Thanks! That's exactly what I need.

      I set securityConstraint parameter in the next way:

      @SecurityContext::'<security_xml>'where <security_xml> is:
      <!-- Base64-encoded userName -->
      <identities id="dXNlcl9uYW1l">
              <!-- Base64-encoded user's groups -->

      It's all working now.

      Updated on 2013-04-18T09:40:28Z at 2013-04-18T09:40:28Z by vzlomanov