Introduction
The mapped security architecture includes the following components:
Items in Documentum have an Access Control List (ACL) that lists the users and groups who are permitted, and are not permitted, to view the item.
The Documentum Connector retrieves items from Documentum and sends documents for indexing. The connector extracts the ACL for each item, and writes it to a document field. Each time the connector synchronizes with the repository, it extracts updated ACLs.
The Content component needs the ACL to determine whether a user can view a document that is returned as a result to a query. However, the Content component must also consider the groups that the user belongs to. A user might not be permitted to view a document, but they could be a member of a group that has permission. This means that the Content component requires group information from Documentum.
Group information is retrieved from Documentum by OmniGroupServer (the connector does not retrieve group information). OmniGroupServer then stores the group information so that it is available when needed.
When a user logs on to a front-end application, the application requests the user’s security information and group memberships from the Community component. Community returns a token containing the information. The front-end application includes this token in all queries the user sends to the Content component.
After a user submits a query, the Content component sends the result documents and the user’s security token to the Mapped Security plug-in. The Mapped Security plug-in compares the user’s security information and group memberships to each document’s ACL. The plug-in determines which documents the user is permitted to view and returns the results. The Content component then sends only the documents that the user is permitted to view to the front-end application.
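The following is an added worked example, not code from the Documentum Connector or the IDOL product, that models the filtering step described above: each result carries the ACL the connector wrote to a document field, the security token carries the user name plus the group memberships obtained from OmniGroupServer, and the plug-in keeps only the documents the user may view. The ACL field layout (`permit=...;restrict=...`), the token structure, and the rule that a restriction on any of the user's principals overrides a permission are all assumptions made for this example, not the product's real formats.

```python
"""Added example (not part of the Documentum Connector documentation).

Assumptions, also noted in the comments below:
- The ACL document field is a string of the form
  "permit=<names>;restrict=<names>" (illustrative layout only).
- The security token carries the user name and the group names that
  Community obtained from OmniGroupServer.
- A restriction on the user or on any of the user's groups overrides a
  permission (deny-wins precedence, assumed for this example).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Acl:
    permitted: FrozenSet[str]   # users/groups allowed to view the item
    restricted: FrozenSet[str]  # users/groups explicitly not allowed


@dataclass(frozen=True)
class SecurityToken:
    user: str
    groups: FrozenSet[str]      # memberships supplied via OmniGroupServer


def parse_acl_field(value: str) -> Acl:
    """Parse the assumed 'permit=a,b;restrict=c' field layout into an Acl.

    Missing sections are treated as empty; whitespace and blank names are
    ignored so a field such as 'permit=' still parses.
    """
    sections: Dict[str, FrozenSet[str]] = {"permit": frozenset(), "restrict": frozenset()}
    for part in value.split(";"):
        if "=" not in part:
            continue
        key, _, names = part.partition("=")
        key = key.strip().lower()
        if key in sections:
            sections[key] = frozenset(n.strip() for n in names.split(",") if n.strip())
    return Acl(permitted=sections["permit"], restricted=sections["restrict"])


def principals(token: SecurityToken) -> FrozenSet[str]:
    """All names the user can be matched on: the user plus every group."""
    return frozenset({token.user}) | token.groups


def can_view(acl: Acl, token: SecurityToken) -> bool:
    """Mapped-security decision for one document.

    The user must appear (directly or through a group) in the permitted
    list, and must not appear anywhere in the restricted list.
    """
    names = principals(token)
    if names & acl.restricted:
        return False            # assumed: restriction wins over permission
    return bool(names & acl.permitted)


def filter_results(results: List[Tuple[str, str]], token: SecurityToken) -> List[str]:
    """Return the ids of the result documents the token holder may view.

    `results` is a list of (document_id, acl_field_value) pairs, i.e. the
    document and the ACL field the connector wrote for it.
    """
    return [doc_id for doc_id, acl_field in results if can_view(parse_acl_field(acl_field), token)]


# Constructed sample data: group memberships as OmniGroupServer might hold
# them, and four result documents with their (assumed-format) ACL fields.
GROUP_DIRECTORY: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"engineering"}),
    "bob": frozenset({"engineering", "contractors"}),
    "carol": frozenset(),
}

SAMPLE_RESULTS: List[Tuple[str, str]] = [
    ("doc-1", "permit=engineering"),
    ("doc-2", "permit=alice"),
    ("doc-3", "permit=engineering;restrict=contractors"),
    ("doc-4", "permit=finance"),
]


def issue_token(user: str) -> SecurityToken:
    """Stand-in for the Community component: bundle user and groups."""
    return SecurityToken(user=user, groups=GROUP_DIRECTORY.get(user, frozenset()))


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "->", filter_results(SAMPLE_RESULTS, issue_token(user)))
```

Running the block prints, for each sample user, the subset of `SAMPLE_RESULTS` they may see: bob is in `engineering` but loses `doc-3` because the `contractors` restriction overrides the group permission, and carol, with no memberships and no direct entry, sees nothing.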