When querying a document layer from a reply database, the Content Repository checks whether the document has a SAR layer (a SAR layer indicates that the document is protected - see ACL and SAR for more information).
If this is the case, the SAR layer includes information about the users and/or group that can access this document. This information will be used to ensure that the access is correct. The user and/or group information provided through the afs:user and afs:group will be used to check whether access to the document is allowed or denied.
- If the access is allowed then the Content Repository will provide the requested layer information, providing the same result that it would have given if the document was unprotected.
- If the access is denied then the Content Repository will produce an error output feed with an HTTP error code 401.
For more information about managing rights on documents, security, and querying a secured reply databases, the following resources are available:
To improve security, it is also possible to authenticate calls to AFS web services using the afs:key parameter.
afs:user, afs:group and afs:key parameters have to be set by the server calling AFS. It is not the responsibility of the end-user to provide this information.
The list of layers of a document is always available, regardless of the presence of a SAR layer. Authorized and unauthorized users can retrieve the layer list.
When querying a PaF using Host Live mode, security is not enforced since PaF machines are not meant to be directly accessible from end-user clients. This enables Back Office users to browse through documents layers even if the documents are secured.