The SSA Proxy is a Windows Service that will intercept the search queries sent by the Query Model API and redirect them to the QRServer after attaching security information to the original query.
The SSA Proxy will obtain the username from the qtf_securityfql:uid field passed as part of the original query. With the username, it will invoke the Aspire Http Group Expansion service that will provide the list of users encoded in Base32. Documents have to be previously indexed with ACLs information encoded as well in Base32 format. The managed property that contains the ACLs is configured on the SSA Proxy to construct the security query against this property.