Manage Rights on Documents in AFS

Technical Notes

A document in AIF can contain two layers dedicated to the management of user and group rights on that document: the ACL ("Access Control List") layer and the SAR ("Search Access Rights") layer.

These layers will be filled automatically if the PaF is running in secured mode and the documents are loaded by the PaF itself (local files) or by an off-the-shelf connector such as the afs_filesystem_load filter.

When documents are created by other means, e.g., within a custom filter, the SAR layer (at least) must be filled to enable access to these documents when AFS runs in secured mode.

If the PaF is running in secured mode then the search database is automatically configured to run AFS in secured mode too.

If the SAR layer is left empty for a document in a secured PaF then this document will not be accessible in AFS for any user or group.


This layer contains the rights assigned to the document in the file system or CMS from which the document was loaded. The format is compatible with POSIX ACL and MS Windows ACL, and enables rich rights management.

ACL manages two types of objects:

  • the Actors
  • the Rights for a document

An Actor can either be a User, a Group or Others (someone who is neither a user nor a part of a listed group), and has an unique identifier name.

The rights of a document specify:

  • its Owner (an Actor)
  • the list of Access Controls Rights (execute, read, write, delete, manage)

Setting the Access Control consists in giving a right to each type of Actor for a document. Setting the ACL layer is done by off-the-shelf connectors (for filesystem or CMS) as a first step towards defining the SAR layer which is used by the search engine.

A project can implement its own rights management policy by filling the ACL layer and then the SAR layer.


The SAR - Search Access Rights layer is required for a document so that this document can be accessed by some users and/or groups in AFS. SAR makes it possible to efficiently retrieve and filter documents according to the credentials provided in the query.

For a given document, the SAR layer contains the following data:

  • a list of Actors (a user or group with a name)
  • an ActorsOperator: value containing either 'AO_AND' or 'AO_OR' and defining whether the list of actors must be processed resp. as a logical conjunction (i.e. credentials to access the document must include all actors of the list defined in the SAR layer of the document) or a logical disjunction (i.e. credentials must include at least one actor of the list defined in the SAR layer of the document)

To allow access to a document for any credentials (i.e. for all users and groups), the SAR layer must contain one Actor of type 'OTHER' and if the ActorsOperator is AO_AND this actor must be the only one in the list.

The process of converting ACL to SAR is done automatically by the PaF for local files and by the off-the-shelf connectors such as afs_filesystem_load (or other file system / CMS connector). It does not require any setup.