Documentum Connector - ACL info not pulled back with ACLTranslation as UserMappingTable RRS feed

  • Question

  • Hi,

    With the DCTM indexing connector, there are 2 options to pull document ACL's while indexing DCTM content. One of the options is to use the User Mapping Table where you can map DCTM local users to your Windows NT user who would be performing search on the sharepoint UI.

    As per the documentation, we just need to create a mapping table in the SQL Server Database with the following schema & map the DCTM users & groups to related Windows NT users/Groups:

    DCTMCredentialDomain nvarchar (255) NOT NULL , 
    DCTMCredentialRepository nvarchar (32) NOT NULL , 
    DCTMCredentialLoginName nvarchar (80) NOT NULL , 
    NTCredential nvarchar (255) NOT NULL , 
    ( DCTMCredentialDomain, DCTMCredentialRepository, DCTMCredentialLoginName )

    We did the same (only users were mapped, no group mapping), however the crawled content from DCTM does not pull in the ACL information. We verified that by reading the FIXML files generated & decoded the docacl fields value. It came out to be "EVERYONE".

    Based on some reading of the source code of the connector via Reflector, we learnt that there are few more paramters there the connector reads from the DCTMConfig.xml file like DocumentumUserCacheLimit etc. There is no documentation around what else is required to have the connector pull the secuirty information.

    What we did observe from SQL profiler is that the connector is making calls to the table & looking for mappings of the users pulled from DCTM, however we do not see any impact of the query even if it finds the user in the mapping table.

    does anyone has experience working with the DCTM connector for indexing DCTM content with ACL's ?

    Any help would be highly appreciated!




    Thursday, July 28, 2011 5:29 PM

All replies

  • Try setting  -PersistDCTMACL "True".
    Tuesday, August 2, 2011 7:10 AM
  • Here you have my DCTMConfig settings with ACL enabled (it worked for me):


    Set-SPEnterpriseSearchDCTMConnectorConfig -ACLTranslation "UserMappingTable" -UnmappedAccount "DiscardACE" -UserMappingTableSQLServer "db_server" -UserMappingTableDBName "Documentum_Mapping_DB" -UserMappingTableName "Mappings" -DFSURL "documentum\" -DisplayURLPatternForDocument "{ObjectId}&format={Format}&RepositoryName={RepositoryName}" -DisplayURLPatternForContainer "{ObjectId}&RepositoryName={RepositoryName}" -PersistDCTMACL "True"

    Tuesday, August 2, 2011 8:10 AM
  • Hi,

    Thanks for the sharing the configuration information.

    The persistDCTMACL value was set to true for me & i was able to get the ACL's in the return.DocumentumACL crawled property.

    After some troubleshooting & looking at the fIXML generated by FAST, we found that the ACL is getting set to "Everyone". The issue was that the documents, folders & Cabinets on DCTM had dm_world permission set to "read". Due to this, even if i do not have any record in the Mapping table, the connector did not throw an error when it should have based on the documentation.

    Currently we are looking for options to crawl only specific object types (based on value of r_object_type) using this connector. I am not sure if there is an option to do that. Looking at the source code of the connector i saw that the DCTM config can have a node named "ExtraDocumentDQLConditions" under the repository node, however, i do not see any use of that value in the code while querying dm_document for getting the document.

    Also, i see that the connector crawls all cabinets, folders as individual documents. Is there a way we can say to the connector to crawl only documents & not cabinets & folders ?

    Any help here would be highly appreciated!



    P.S.: I must say, life was very easy working with the documentum connector in ESP :).

    Tuesday, August 2, 2011 9:20 AM
  • Hello,


    I don't have any experience with ESP, so this Documentum Connector is kind of a first for me :)


    Currently I am experiencing problems with Incremental Crawl. While full crawl gets the ACL (and then it works just fine form the search experience point of view), the incremental crawl seems to be not noticing the ACL changes for the single document. When I make a change for whole cabinet then it's ok, indexer consideres it as a change and pulls the updated ACL into index.

    Is there any difference between single document and cabinet ACLs? Maybe I am missing some Documentum settings?




    Friday, August 5, 2011 7:18 AM