How does Group Expansion Work?

  1. Download all ACLs
  2. Fetch $groups the $user is member of.
  3. For each ACL
    1. Check if $user is the file owner and dm_owner has at least BROWSE permit.

      If so, return with user has read access.

    2. Check if $user belongs in all groups specified in "required groups".

      If not, return with user has no read access.

    3. Check if at least one group from $groups is on "required groups set":

      If not, return with user has no read access.

    4. For each deny:

      If one deny entry matches $user or one group in $groups, return with user has no read access.

    5. For each allow:

      If at least one entry matches $user or one group in $groups, return with user has read access.

    6. If up until now the user has read access, and dm_world has at least BROWSE permit, return user has read access.


Specific Documentum document level security examples can be found here

General This section is the Connector FAQ & Troubleshooting page, if you want to add something here you must add it there 


The connector fails with a webtop docbroker error

Example exception is: [DFC_DOCBROKER_REQUEST_FAILED] Request to Docbroker "DocumentumServer:docBrokerPort" failed; ERRORCODE: ff; NEXT: null

This error occurs because Aspire could not connect to the Documentum repository. This occurs because one or more of the necessary services aren't running. To fix this, make sure the following 4 services are running on the server that hosts Documentum:

If not, manually restart them by clicking on each in the Services panel (in Windows, click on Control Panel and do a search for "Services", then click on View local services). Highlight each service and then click Start the Service. Then try starting the connector again.

ERROR com.documentum.fc.common.impl.preferences.PreferencesManager - [DFC_PREFERENCE_LOAD_FAILED] Failed to load persistent preferences from dfc.properties java.io.FileNotFoundException: dfc.properties (The system cannot find the path specified)

This error occurs when the dfc.properties file is not in the path specified on the DFC Properties File field.

ERROR com.documentum.fc.common.DfPreferences - [DFC_PREFERENCE_BAD_VALUE] Bad value for preference "dfc.security.keystore.file", value="dfc.keystore" DfAttributeValueException:: MSG: [DFC_OBJECT_BADATTRVALUE] Directory doesn't exist; ERRORCODE: ff; NEXT: null

This error occurs when the dfc.keystore file is not in the path specified in the dfc.properties file. To specify paths in the dfc.properties on a Windows system use this format: C\:/folder/folder/dfc.keystore.

ERROR com.documentum.fc.client.security.impl.IdentityManager - [DFC_SECURITY_IDENTITY_INIT] no identity initialization or incomplete identity initialization java.lang.SecurityException: Crypto-J is disabled, a FIPS 140 required self-integrity check failed.

This error is related to the dfc.keystore.

This error occurs because Aspire could not locate the dfc.properties file. Please make sure:

[DM_SESSION_E_CLIENT_AUTHENTICATION_FAILURE]error: "Could notauthenticate the client installation for reason: Client hostnamein authentication string doesn't match value in registry"

This error occurs when the dfc.keystore is not matching with the user being used to authenticate against the Documentum Server. Follow the usageInstructions.txt in File:Bug147071 pre60SP1 engr fix.zip to recreate the dfc.keystore.

"Unable to fetch object from Documentum repository followed" by "java.lang.NullPointerException: docbaseSpecString"

This means the Documentum URL you typed contains errors. Be sure it has the correct format (dctm://server:port/docbase/cabinet/folder).

The crawl fails with the "Stream handler unavailable due to: null" error

The following exception is thrown in the Aspire Console but not in the UI:

2016-10-19T21:36:48Z ERROR [/Documentum/ScanPipelineManager/Scan]: Error scanning java.lang.IllegalStateException: Stream handler unavailable due to: null
at org.apache.felix.framework.URLHandlersStreamHandlerProxy.openConnection(URLHandlersStreamHandlerProxy.java:311)
at java.net.URL.openConnection(Unknown Source)

If this happens upgrade the felix.jar to the new version in case this issue comes up. Click here to download the latest version.