This feature has been deprecated. As of Aspire 2.1, Documentum Group Expansion is part of the Documentum Scanner component.
Group expansion for our connector
Unlike the other connectors, the Documentum connector uses ACL IDs as group names for group expansion. It does so because Documentum ACLs carry security features that cannot be expressed as a plain list of users and groups, such as the following:
- dm_owner: Permits that apply to the file owner.
- dm_world: Permits that apply to all users other than the owner.
- Required Groups: Accessor must be a member of specified groups to access an object, for example: Only people with “Top Secret” clearance AND “US Citizens” can access documents marked as “Top Secret”.
- Required Group Sets: Accessor must be a member of at least one of the listed groups to access an item, for example: Only people “in US” OR “in Japan” can access documents marked as “US-Japan Confidential”.
- Access Restrictions: Accessor is explicitly denied access despite being a member of a group that has been given access, for example: A person can only have “Read” access for a given document even if he belongs to a group that is granted higher access to the same document.
These permissions cannot be validated during the crawl without doing group expansion, which is why each file's ACL ID is indexed as a group name. During group expansion, all ACLs are downloaded and all groups to which the user belongs are fetched. Each ACL is then checked to determine whether the user has permission to see files that carry it.
The component performs group expansion in the following way:
BROWSE is the minimum permission the user must possess to have access to a file.
This component is based on the Simple Group Expansion.
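The per-ACL check described above, sketched as an added example (not Aspire's own code): a simplified model in which the highest matching permit is capped by any matching access restriction, and an ACL ID is returned as a group name only when the result is at least BROWSE. The dictionary layout, the ACL IDs, the user and the group names are constructed for illustration; the prefix uses the host and docbase from the sample configuration on this page with the default port.

```python
# Added example: simplified model of the per-ACL check; all ACL data below is constructed.
LEVELS = {"NONE": 1, "BROWSE": 2, "READ": 3, "RELATE": 4, "VERSION": 5, "WRITE": 6, "DELETE": 7}

def effective_level(acl, user, groups, is_owner=False):
    """Numeric permit level the user ends up with under one ACL."""
    # Required Groups: membership in ALL listed groups is mandatory.
    if not set(acl.get("required_groups", ())) <= groups:
        return LEVELS["NONE"]
    # Required Group Set: membership in AT LEAST ONE listed group is mandatory.
    group_set = set(acl.get("required_group_set", ()))
    if group_set and not (group_set & groups):
        return LEVELS["NONE"]
    # dm_owner applies to the owner, dm_world to everyone else (as described above).
    accessors = {user, "dm_owner" if is_owner else "dm_world"} | groups
    level = max((LEVELS[p] for a, p in acl.get("permits", {}).items() if a in accessors),
                default=LEVELS["NONE"])
    # Access Restrictions cap the level even when a group grants more.
    for accessor, cap in acl.get("restrictions", {}).items():
        if accessor in accessors:
            level = min(level, LEVELS[cap])
    return level

def expand(user, groups, acls, prefix=""):
    """ACL IDs (returned as group names) under which the user has at least BROWSE."""
    return [prefix + acl["id"] for acl in acls
            if effective_level(acl, user, groups) >= LEVELS["BROWSE"]]

# Constructed sample ACLs and user; IDs and group names are hypothetical.
ACLS = [
    {"id": "acl_top_secret", "permits": {"analysts": "READ"},
     "required_groups": ["top_secret", "us_citizens"]},
    {"id": "acl_us_japan", "permits": {"dm_world": "READ"},
     "required_group_set": ["in_us", "in_japan"]},
    {"id": "acl_denied", "permits": {"editors": "WRITE"}, "restrictions": {"jdoe": "NONE"}},
    {"id": "acl_capped", "permits": {"editors": "WRITE"}, "restrictions": {"jdoe": "READ"}},
]
JDOE_GROUPS = {"analysts", "top_secret", "in_japan", "editors"}
PREFIX = "dctm://10.10.40.64:1489/documentum@"  # usePrefix=true form; values from the sample config

if __name__ == "__main__":
    for name in expand("jdoe", JDOE_GROUPS, ACLS, PREFIX):
        print(name)
```

Ownership is a property of each document rather than of the ACL, so `expand` evaluates the user as a non-owner; that choice is an assumption of this sketch.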
Configuration
Element | Type | Default | Description |
---|---|---|---|
host | string | | The Documentum server docbroker name to connect to. |
port | int | 1489 | The Documentum server's docbroker port. |
docBase | string | | The Documentum docbase to connect to. |
dfcPropsFilePath | string | | The path to the Documentum dfc.properties file. |
username | string | | Username used to authenticate against Documentum. |
password | string | | Password of the user used to authenticate against Documentum. |
cacheTimeout | long | 0 (=never expires) | The cache timeout in ms. |
refreshTimeout | long | 3600000 (=1 hr) | The period in ms between ACL refreshes. |
usePrefix | boolean | true | If true, each ACL returned by the group expansion component is prefixed with dctm://server:port/docbase@. If false, no prefix is used and the ACL is returned as extracted. |
Example Configurations
```xml
<component name="DCTMGroupExpansion" subType="groupExpansion" factoryName="aspire-documentum-connector">
  <docBase>documentum</docBase>
  <username>Administrator</username>
  <host>10.10.40.64</host>
  <dfcPropsFilePath>config/dfc.properties</dfcPropsFilePath>
  <debug>true</debug>
  <password>pass1234</password>
</component>
```