Question

How to Search By Security

asked on August 29, 2017

Hello Everyone,

According to the "List of Changes to 10.2" documentation it says that Laserfiche now supports searching for entries based on what trustees have entry access rights assigned to them for that entry, the specific entry access rights involved, whether the right is allowed or denied, and the scope of that right. 

I have tried testing this and I can't seem to figure it out. Do you need to use the security token? In any case, may someone please provide some assistance. Thank you. 

1 0

Answer

SELECTED ANSWER
replied on August 29, 2017

In order to perform one of these searches, you'll have to use the syntax directly; as of this writing they have not been added to the UI.

There are a few different possibilities:

  • {LFACE:trustee="trusteename"} - find entries where trusteename has security assigned to them (or denied to them)
  • {LFACE:type="allow"} (or {LFACE:type="deny"}) - find entries where security is allowed or denied to some trustee (that is, user or group)
  • {LFACE:scope="scopename"} - find entries with an access control entry with the specified scope; the scope names are "documentsonly", "thisentry", "folders", "foldersonly", "immediate", "immediatechildren", "immediatedocuments", "notthisentry", and "all".
  • {LFACE:rights="rights"} - find entries where a trustee is granted or denied rights. Rights should be a sequence of three-letter codes, such as are visible in the "security" column: "brs", "rea", "mcn", "ada", "del", "ren", "dpg", "san", "ann", "red", "wme", "crd", "crf", "rac", "wac", "cow", "srd", "frz", "evt", "cls".  These codes are case-insensitive.  You may also want to add an asterisk at the end to specify "and also other rights".  For example, "BrsReaMCn*" would find entries where a trustee is allowed or denied Browse, Read, and Modify Content, even if they are also allowed or denied other rights as well.

Most likely, you'll want to combine one or more of these.  For example, if you wanted to find entries where ADMIN is denied rights to that entry and all of its descendants, you would search for

{LFACE:trustee="ADMIN", type="deny", scope="all"}

Hopefully that will at least get you started; if you have follow-up questions feel free to ask.

7 0
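
An added example, not part of the original answer and not Laserfiche's own code: a Python helper that assembles LFACE terms from the scope names and right codes listed in the answer above and rejects misspelled values before the search is run. The function names, the sample trustee list and the rejection of trustee names containing a double quote are assumptions made here.

```python
# Added example: builds {LFACE:...} search terms from the values listed in the answer.
SCOPES = {"documentsonly", "thisentry", "folders", "foldersonly", "immediate",
          "immediatechildren", "immediatedocuments", "notthisentry", "all"}
RIGHTS = {"brs", "rea", "mcn", "ada", "del", "ren", "dpg", "san", "ann", "red",
          "wme", "crd", "crf", "rac", "wac", "cow", "srd", "frz", "evt", "cls"}

def parse_rights(spec):
    """Split e.g. 'BrsReaMCn*' into (['brs', 'rea', 'mcn'], True)."""
    and_others = spec.endswith("*")          # trailing * = "and also other rights"
    body = spec[:-1] if and_others else spec
    if not body or len(body) % 3:
        raise ValueError(f"rights must be three-letter codes: {spec!r}")
    codes = [body[i:i + 3].lower() for i in range(0, len(body), 3)]
    unknown = [c for c in codes if c not in RIGHTS]
    if unknown:
        raise ValueError(f"unknown right code(s): {unknown}")
    return codes, and_others

def build_lface(trustee=None, ace_type=None, scope=None, rights=None):
    """Return one {LFACE:...} term combining whichever criteria are given."""
    parts = []
    if trustee is not None:
        # Assumption: the thread gives no quoting rules for names, so a name
        # containing a double quote is rejected rather than escaped.
        if '"' in trustee or not trustee.strip():
            raise ValueError("unsupported trustee name")
        parts.append(f'trustee="{trustee}"')
    if ace_type is not None:
        if ace_type.lower() not in ("allow", "deny"):
            raise ValueError("type must be allow or deny")
        parts.append(f'type="{ace_type.lower()}"')   # lowercase, as in the answer
    if scope is not None:
        if scope.lower() not in SCOPES:
            raise ValueError(f"unknown scope: {scope!r}")
        parts.append(f'scope="{scope.lower()}"')
    if rights is not None:
        codes, and_others = parse_rights(rights)
        parts.append('rights="' + "".join(codes) + ("*" if and_others else "") + '"')
    if not parts:
        raise ValueError("at least one criterion is required")
    return "{LFACE:" + ", ".join(parts) + "}"

def deny_audit_queries(trustees):
    """One search per trustee for explicit deny ACEs, e.g. for an access review."""
    return [build_lface(trustee=t, ace_type="deny") for t in trustees]

if __name__ == "__main__":
    for query in deny_audit_queries(["ADMIN", "Everyone"]):  # constructed trustee list
        print(query)
```
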
replied on August 29, 2017

Andrew,

Thank you for getting back to me on this. Is there any official documentation on this? In the search syntax you used LFACE, what is that referencing? 

0 0
replied on August 29, 2017

The official documentation for this is in progress; somebody should update this thread when it's ready.

LFACE is just another search prefix, like LF (for most property searches) or LFRM (for records management searches).  In this context, ACE stands for "access control entry", and it's how entry access rights are organized.  Each ACE has an entry that it's applied to, a scope (detailing which descendants of the entry it affects, if any), a trustee that it affects, and the rights it allows or denies.  These searches allow you to find entries by searching on any of the ACEs' other properties.

1 0
replied on August 29, 2017

Andrew,

Thank you so much you are the man!

0 0
replied on November 9, 2017

Has the documentation been done yet Andrew?

0 0
replied on March 17, 2018

Dear Andrew,

I'm trying to use the syntax to search by field value and only get the documents allowed for specific user

{[]:[Reference Number] = "02275"} & ({LFACE:trustee="ADMIN", type="Allow", scope="all"}) /*no results*/
{[]:[Reference Number] = "02275"} & ({LFACE:trustee="ADMIN", type="Allow", scope="all" ,rights="rea" }) /*no results*/
{[]:[Reference Number] = "02275"} & ({LFACE:trustee="ADMIN", type="Allow", scope="all" } & {LFACE:rights="rea"}) /*no results*/

need your help to

0 0
replied on March 19, 2018

only get the documents allowed for specific user

Note that this is not what the LFACE search type does.  It finds entries with particular rights assigned to them.  It sounds like you want to find effective rights, which would need to take into account inherited rights assignments as well as group membership.  There is no search type for the latter, though the web client can provide user access reports if you have doubts about the way you have configured security in your repository.

0 0
replied on March 19, 2018

Thank you Brain,

What I need is to search by query and get only documents allowed to a specific user. I use this later in the SDK for custom reports.

 

0 0
replied on March 19, 2018

Search results are automatically filtered by the rights of the user running the report, but there's no predicate that will filter it by another user's rights.  You need to check the effective rights for each result yourself.  There's a function Entry.BatchGetEffectiveRights() that is the most efficient way to do this, since it can cache things like the user's group membership that would have to be recalculated if you use a method like Entry.GetEffectiveRights().

2 0
replied on June 5, 2019

Is there a way to search for all folders where the 'Inherit rights from parent and include with specified rights' checkbox has been unchecked? 

0 0

Replies

replied on May 22, 2018

The syntax for LFACE searches has now been documented in the updated Advanced Search Syntax white paper, in the "Entry Access Rights Searches" section.

4 0