
Elasticsearch Returns Documents Protected by ACL Aliases (xClbraAliasList) (Doc ID 2954194.1)

Last updated on JUNE 09, 2023

Applies to:

Oracle WebCenter Portal - Version 12.2.1.4.0 and later
Information in this document applies to any platform.

Symptoms

In Content Server, documents can be protected with three types of Access Control Lists (ACL):

When viewing documents in the Content Manager task flow, users are shown only the documents they have permission to access according to any of the above three ACLs.
When searching with Elasticsearch, the results show all the documents protected by aliases, even when the user should not be seeing those documents.
Clicking on a document protected with an alias returns the following error if the user does not have access to the document:


ERROR

Error
You specified an invalid document or a document you do not have access to.

 

STEPS

The issue can be reproduced with the following steps:

  1. Configure WebCenter Portal with Elasticsearch.
     
  2. Create two users in the external LDAP associated to the domain.
    e.g.:
     
    testuser1
    testuser3
     
  3. Create an alias in Content Server as follows:

    • Open the Content Server user interface.

      http://<HOSTNAME>:16200/cs

    • Go to Admin Applets -> User Admin

    • Select the Aliases Tab.

    • Click Add and add an alias.
      e.g.:

      Alias Name: TestAlias1
      Alias Display Name: TestAlias1
      users: testuser1

    • Restart Content Server.


  4. Add the xClbraAliasList Content Server field as a custom attribute for search per the following documentation:
     
    Administering Oracle WebCenter Portal
    Adding a Custom Metadata Field in Oracle WebCenter Content
     
     
  5. Connect to WebCenter Portal.

    • Create a Portal.
      e.g.: testPortalSearch

    • Enable documents in the portal and add the Documents page to the portal.

    • Add the participant role to the portal and add the users as members of the portal with Participant role.
      e.g.:

      testuser1 - Participant
      testuser3 - Participant

    • View the Portal and go to the Documents page.

    • Upload a document.
      e.g.:

      Document Name: NovemberContent.docx

      Metadata:
      Group Access List: TestAlias1
      Permissions: RWDA

    • Upload a document.
      e.g.:

      Document Name: DecemberContent.docx

  6. Do a document crawl.

    • Connect to WebCenter Portal.

    • Go to Administration -> Settings -> Tools and Services -> Scheduler

    • Start a Document Crawl.


  7. Connect to WebCenter Portal as testuser1 (a member of TestAlias1 in Content Server).

    • Go to the documents page in the testPortalSearch portal.

    • Confirm the user can see both documents:

       NovemberContent.docx
       DecemberContent.docx

    • Search for "Content".

    • Confirm the search results show the two documents:

       NovemberContent.docx
       DecemberContent.docx


  8. Connect to WebCenter Portal as testuser3 (this user is NOT a member of TestAlias1 in Content Server).
     
    • Go to the documents page in the testPortalSearch portal.
       
    • Confirm the user can only see the document without ACL:
       
      DecemberContent.docx
       
    • Search for "Content".
       
    • Note the user will see the two documents in the search results even when the user should not be able to see the documents:
       
       NovemberContent.docx
       DecemberContent.docx
       
    • Clicking on the document returns this error:
       
      Error
      You specified an invalid document or a document you do not have access to.
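
The access check that the search results in steps 7 and 8 should satisfy, as an added Python example (not Oracle's code): it models the alias and the two documents from the steps with constructed data and lists any hit returned to a user whom the alias ACL does not cover. The dictionary layout and function names are hypothetical, and treating a document with no alias ACL as readable by every portal member is an assumption taken from step 8.

```python
# Added illustration: constructed data mirroring the reproduction steps.
# The data model (dicts, field names) is hypothetical, not WebCenter's API.

ALIASES = {"TestAlias1": {"testuser1"}}  # alias -> member users

INDEX = [  # documents as the crawler indexed them (constructed)
    {"name": "NovemberContent.docx", "alias_acl": {"TestAlias1": "RWDA"}},
    {"name": "DecemberContent.docx", "alias_acl": {}},
]


def search_untrimmed(term):
    """Reported behaviour: match on the name only, alias ACL is ignored."""
    return [d["name"] for d in INDEX if term.lower() in d["name"].lower()]


def can_read(user, doc):
    """A document with no alias ACL is readable by every portal member
    (assumption taken from step 8); otherwise the user must belong to an
    alias whose permissions include R."""
    acl = doc["alias_acl"]
    if not acl:
        return True
    return any("R" in perms and user in ALIASES.get(alias, set())
               for alias, perms in acl.items())


def search_trimmed(user, term):
    """Expected behaviour: hits are filtered by the caller's alias access."""
    return [d["name"] for d in INDEX
            if term.lower() in d["name"].lower() and can_read(user, d)]


def leaked_hits(user, term):
    """Audit check: hits returned to `user` that the ACL does not allow."""
    allowed = set(search_trimmed(user, term))
    return [n for n in search_untrimmed(term) if n not in allowed]


if __name__ == "__main__":
    for u in ("testuser1", "testuser3"):
        print(u, "leaked:", leaked_hits(u, "Content"))
```

An empty list for every test user after a crawl means the search results match the document view; any name in the list is a document whose existence is disclosed through search.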


 

Changes

 

Cause
