Skip to main content
ImportantThis stage is deprecated in Fusion 5.9.0. The Graph Security Trimming stage, introduced in Fusion 5.6.0, uses a single filter query for all data sources instead of one filter query per data source.Migrate your query pipeline stage to the graph security trimming stage.
This describes how to migrate your pre-Fusion 5.8 Graph Security Trimming query pipeline stage setup to Fusion 5.8 or later. It applies to deployments using:
  • SharePoint Optimized V2 connector v1.1.0 or later
  • LDAP ACLs V2 connector v1.4.0 or later to crawl Active Directory in Azure
  • The LDAP ACLs V2 connector v1.2.0 or later to crawl Active Directory in LDAP

Migration

To migrate a deployment that is crawling Active Directory to Fusion 5.8 or later, follow these steps.

Update the datasource configurations

The SharePoint Optimized V2 and LDAP ACLs V2 datasources must index the content documents and ACL documents to the same collection. Ensure both datasources use the same value, contentCollection, for the field ACL Collection ID.

If using SharePoint-Optimized and LDAP-ACLs < v2.0.0

Update the ACL Collection Id in the datasource configuration.The SharePoint-Optimized and LDAP-ACLs datasources must index their content_documents and acl_documents to the same collection. Make sure the property Security -> ACL Collection in both datasources have the same value. In both datasources, SharePoint-Optimized and LDAP-ACLs, check the property Security -> ACL Collection Id and make sure it points to the same content-collection.
  1. Navigate to Indexing > Datasources.
  2. Open your SharePoint Optimized V2 or LDAP ACLs V2 datasource.
  3. Under Security, update the configuration to use contentCollection as the ACL Collection ID. The Security checkbox must be checked for this field to appear.
  4. Save the configuration.
Repeat this process for all required datasources.

If using SharePoint-Optimized and LDAP-ACLs >= v2.0.0

Recreate or update the datasources. If only updated, it is not possible to go back to the configuration of a previous plugin version.By default, the LDAP-ACLs and SharePoint-Optimized V2 datasources will index the content_documents and acl_documents to the same collection.
  1. Navigate to Indexing > Datasources.
  2. Open your SharePoint Optimized V2 or LDAP ACLs V2 datasource.
  3. Under Graph Security Filtering Configuration, select Enable security trimming.
Repeat this process for all required datasources.

Clear the datasources and perform a full crawl

  1. Navigate to Indexing > Datasources.
  2. Open your SharePoint Optimized V2 or LDAP ACLs V2 datasource.
  3. Click the Clear Datasource button, and choose yes.
  4. Navigate to Collections > Collections Manager.
  5. Verify that the job_state collection is empty.
  6. Return to your datasource.
  7. Click Run > Start to reindex your data.
Repeat this process for all required datasources.
The Security Trimming query pipeline stage restricts query results according to the user ID. While indexing the content, the Fusion connectors service stores security ACL metadata associated with the crawled items and indexes them as fields. The Security Trimming stage matches this information against the ID of the user running the search query. This stage supports asynchronous processing.

Query pipeline stage condition examples

Stages can be triggered conditionally when a script in the Condition field evaluates to true. Some examples are shown below. Run this stage only for mobile clients:
params.deviceType === "mobile"
Run this stage when debugging is enabled:
params.debug === "true"
Run this stage when the query includes a specific term:
params.q && params.q.includes("sale")
Run this stage when multiple conditions are met:
request.hasParam("fusion-user-name") && request.getFirstParam("fusion-user-name").equals("SuperUser");
!request.hasParam("isFusionPluginQuery")
The first condition checks that the request parameter “fusion-user-name” is present and has the value “SuperUser”. The second condition checks that the request parameter “isFusionPluginQuery” is not present.

Configuration

When entering configuration values in the UI, use unescaped characters, such as \t for the tab character. When entering configuration values in the API, use escaped characters, such as \\t for the tab character.
I