How to use ACL transforms

Summary: In some cases you need to adjust the ACLs crawled by a connector. This mostly happens because your SSO or other authentication provider doesn't provide the same domain name as the one crawled in the ACLs.

Fix: You can use the ACLs transform to conditionally modify the ACLs of a document before it’s indexed by the GSA. 

All of the ACL transform rules are added to the file, following a specific format:

transform.acl.<rule sequence>=<ACL entry in document to be matched>;<ACL to be converted to>

The ACL transform uses a rules-based configuration, and each configured rule is applied to each document. The rule sequence starts at 0 and increments for each additional rule entry. The rule value contains a semicolon-delimited list defining the ACL entry to be matched in each document and the ACL it is to be converted to.

The “ACL match” portion of this value is what the transform uses to identify a matching ACL to be changed. The “ACL to be converted” portion of the value defines the change to be made to the ACL. 

The following ACL transform configuration demonstrates three different ACL transforms:

transform.acl.0=type=user, domain=gsatestlab; domain=gsaprodlab

transform.acl.1=type=group, domain=gsatestlab;

transform.acl.2=type=user, name=user1; domain=gsatestlab, name=user2

The above rule entries behave as follows:

  1. Rule 0: For documents where the ACL matches user principals with a domain of “gsatestlab”, change the domain to be “gsaprodlab”.
  2. Rule 1: For documents where the ACL matches group principals with a domain of “gsatestlab”, change the domain to be “”.
  3. Rule 2: For documents where the ACL matches user principals with a name of “user1”, change the name to be “user2” and the domain to be “gsatestlab”.

Important: Keep in mind that domain, user and group names are CASE-SENSITIVE.

Additional Examples:

  1. For example, the file has permitted groups as DOMAIN\Administrators. To substitute the ACL matching that group, use the following transform:
    transform.acl.1=type=group, name=Administrators; name=Users
  2. To delete the domain, you can use the following ACL transform:
    transform.acl.0=type=user, domain=MYDOMAIN; domain=
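
A dry run helps confirm what a rule set does to each principal before documents are re-indexed, since a rule that matches more or less than intended changes who can see a document. The following Python sketch is an added example, not the connector's own code: it models the rule format and the case-sensitive matching described above, and assumes that rules run in sequence order with each rule seeing the result of the previous one. The function names and sample principals are constructed for illustration, and rule 1 writes the empty domain explicitly as "domain=", as in the delete-domain example.

```python
# Added example: dry-run model of transform.acl.* rules (not the connector's code).
import re
def parse_fields(text):
    """'type=user, domain=x' -> {'type': 'user', 'domain': 'x'}; 'domain=' keeps ''."""
    fields = {}
    for part in text.split(","):
        if part.strip():
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    return fields

def parse_rules(config_text):
    """Return [(match, replace), ...] ordered by rule sequence number."""
    rules = {}
    for line in config_text.splitlines():
        m = re.match(r"\s*transform\.acl\.(\d+)=(.*)$", line)
        if not m:
            continue
        match_part, sep, replace_part = m.group(2).partition(";")
        if not sep:
            raise ValueError(f"rule {m.group(1)} has no ';' separator")
        rules[int(m.group(1))] = (parse_fields(match_part), parse_fields(replace_part))
    return [rules[i] for i in sorted(rules)]

def transform(principal, rules):
    """Assumption: rules run in sequence order on the result of the previous rule.
    Comparison is exact, so a difference in case means no match."""
    p = dict(principal)
    for match, replace in rules:
        if all(p.get(k) == v for k, v in match.items()):
            p.update(replace)
    return p

# Rules 0 and 2 are the page's; rule 1 spells out the empty domain as "domain=".
CONFIG = """\
transform.acl.0=type=user, domain=gsatestlab; domain=gsaprodlab
transform.acl.1=type=group, domain=gsatestlab; domain=
transform.acl.2=type=user, name=user1; domain=gsatestlab, name=user2
"""
# Constructed sample principals, not taken from a real crawl.
SAMPLES = [
    {"type": "user", "domain": "gsatestlab", "name": "alice"},
    {"type": "user", "domain": "GSATESTLAB", "name": "bob"},  # case differs
    {"type": "group", "domain": "gsatestlab", "name": "staff"},
    {"type": "user", "domain": "other", "name": "user1"},
]
if __name__ == "__main__":
    for before in SAMPLES:
        print(before, "->", transform(before, parse_rules(CONFIG)))
```

The second sample stays unchanged because "GSATESTLAB" differs in case from the rule, and the last sample shows that rule 2, which has no domain in its match portion, rewrites "user1" from any domain.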