> ## Documentation Index
> Fetch the complete documentation index at: https://doc.lucidworks.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Trimming Stage

export const schema = {
  "type": "object",
  "title": "Security Trimming",
  "description": "Apply connectors security trimming",
  "properties": {
    "skip": {
      "type": "boolean",
      "title": "Skip This Stage",
      "description": "Set to true to skip this stage.",
      "default": false,
      "hints": ["advanced"]
    },
    "label": {
      "type": "string",
      "title": "Label",
      "description": "A unique label for this stage.",
      "hints": ["advanced"],
      "maxLength": 255
    },
    "condition": {
      "type": "string",
      "title": "Condition",
      "description": "Define a conditional script that must result in true or false. This can be used to determine if the stage should process or not.",
      "hints": ["code", "code/javascript", "advanced"]
    },
    "legacy": {
      "type": "boolean",
      "title": "Legacy",
      "description": "True if this stage only supports legacy mode",
      "hints": ["readonly", "hidden"]
    },
    "asyncConfig": {
      "type": "object",
      "title": "Asynchronous Execution Config",
      "required": ["enabled", "asyncId"],
      "properties": {
        "enabled": {
          "type": "boolean",
          "title": "Enable Async Execution",
          "description": "Run the expensive data loading or processing part of this stage in a separate thread allowing the pipeline to continue executing. The results of this asynchronous execution can be merged into the pipeline request using a downstream \"Merge Async Results\" stage.",
          "default": false
        },
        "asyncId": {
          "type": "string",
          "title": "Async ID",
          "description": "A unique value to use as reference in downstream \"Merge Async Results\" stages."
        }
      }
    },
    "overrideUserIdentityHandling": {
      "type": "boolean",
      "title": "Override Default User Identity Handling?",
      "description": "Default handling first attempts to take the user identity from a 'fusion-user-id' http-header, which is the logged-in user ID from the Fusion proxy service. If that value is empty, a 'username' query parameter is tried instead. When this DataSource property is enabled, the specified source and key properties are used explicitly, without any fallback behavior.",
      "default": false
    },
    "userIdentitySource": {
      "type": "string",
      "title": "User ID source",
      "description": "Specify whether the value comes from an http header or query parameter.",
      "enum": ["query_param", "header"],
      "default": "query_param"
    },
    "userIdentityKey": {
      "type": "string",
      "title": "User ID key",
      "description": "e.g. username, userID, etc.",
      "default": "username"
    },
    "datasources": {
      "type": "array",
      "title": "Restrict filter to Datasource(s)",
      "description": "A list of Fusion datasources to which security-trimming should be restricted, allowing content from other datasources to pass through un-filtered; if empty, all matching content is subject to filtering.",
      "hints": ["advanced"],
      "items": {
        "type": "string"
      }
    }
  },
  "category": "Set Up",
  "categoryPriority": 8,
  "unsafe": false
};

export const SchemaParamFields = ({schema}) => {
  const sanitize = str => {
    if (typeof str !== "string") return str;
    return str.replace(/^"(.*)"$/s, "$1").replace(/\\/g, "").replace(/"/g, "'");
  };
  const formatDescription = str => {
    const s = sanitize(str);
    return (/[.!?]\)*$/).test(s) ? s : `${s}.`;
  };
  const {description, properties = {}, required: requiredProps = []} = schema;
  const visibleProps = useMemo(() => Object.entries(properties).filter(([, prop]) => !prop.hints?.includes("hidden")), [properties]);
  return <div>
      {description && <p>{formatDescription(description)}</p>}

      {visibleProps.map(([name, prop]) => {
    const isRequired = requiredProps.includes(name);
    const hasDefault = prop.default !== undefined;
    const rawDefault = prop.default;
    const isComplexDefault = hasDefault && (typeof rawDefault === "object" || typeof rawDefault === "string" && (rawDefault.length > 20 || rawDefault.includes('"')));
    const fieldProps = {
      key: name,
      body: prop.title || name,
      type: prop.type,
      ...prop.title && ({
        post: [<><span className="text-stone-400 dark:text-stone-500">API property: </span>{name}</>]
      }),
      ...isRequired && ({
        required: true
      }),
      ...!isComplexDefault && hasDefault ? {
        default: sanitize(String(rawDefault))
      } : {}
    };
    const isObject = prop.type === "object" && prop.properties;
    const isArrayOfObjects = prop.type === "array" && prop.items?.type === "object" && prop.items.properties;
    return <ParamField {...fieldProps}>
            {prop.description && <p>{formatDescription(prop.description)}</p>}

            {isComplexDefault && <div className="flex">
                <p>
                  <strong>Default:</strong>
                </p>
                <pre className="!my-0">
                  <code>
                    {JSON.stringify(rawDefault, null, 2)}
                  </code>
                </pre>
              </div>}

            {isArrayOfObjects && <div className="flex">
              <p>
                <strong>Object attributes:</strong>
              </p>
              <pre className="!my-0">
                <code>
                  {'{\n'}
                  {Object.entries(prop.items.properties).map(([iname, iprop]) => <>
                      {`  ${iname}`}
                      {prop.items?.required?.includes(iname) && <span style={{
      color: 'red'
    }}> required</span>}
                      {`: {\n    display name: ${sanitize(iprop.title || '')}\n    type: ${iprop.type}\n  }\n`}
                    </>)}
                  {'}'}
                </code>
              </pre>
              </div>}

            {isObject && <Expandable title="properties">
                <SchemaParamFields schema={{
      properties: prop.properties,
      required: prop.required
    }} />
              </Expandable>}
          </ParamField>;
  })}
    </div>;
};

export const LwTemplate = ({title = "Key questions to get you started", icon = "sparkles", cta = "Powered by Agent Studio", linkHref = "https://lucidworks.com/demo/?utm_source=docs&utm_medium=referral&utm_campaign=docs_cta_ai"}) => {
  const [isLoaded, setIsLoaded] = useState(false);
  useEffect(() => {
    const timer = setTimeout(() => {
      setIsLoaded(true);
    }, 500);
    return () => clearTimeout(timer);
  }, []);
  return <div className="lw-template-container">
      <Card title={title} icon={icon}>
        {isLoaded && <span dangerouslySetInnerHTML={{
    __html: `<lw-template id="a029c1a9-28be-427e-b0e1-5d918920246a"></lw-template
            >`
  }} />}
        <Link href={linkHref} className="agent-studio-link text-left text-gray-600 gap-2 dark:text-gray-400 text-sm font-medium flex flex-row items-center hover:text-primary dark:hover:text-primary-light group-hover:text-primary group-hover:dark:text-primary-light">Powered by Lucidworks Agent Studio</Link>
      </Card>
    </div>;
};

[localhost link]: http://localhost:3000/docs/5/fusion/reference/config-ref/pipeline-stages/query-stages/security-trimming-query-stage

[mintlify link]: https://doc.lucidworks.com/docs/5/fusion/reference/config-ref/pipeline-stages/query-stages/security-trimming-query-stage

[old doc.lw link]: https://doc.lucidworks.com/fusion/5.9/272

<Tip>
  **Important**

  This stage is deprecated in Fusion 5.9.0. The [Graph Security Trimming stage](/docs/5/fusion/reference/config-ref/pipeline-stages/query-stages/security-trimming-graph-query-stage), introduced in Fusion 5.6.0, uses a single filter query for all data sources instead of one filter query per data source.
</Tip>

<Accordion title="Migrate your query pipeline stage to the graph security trimming stage.">
  This describes how to migrate your pre-Fusion 5.8 Graph Security Trimming query pipeline stage setup to Fusion 5.8 or later. It applies to deployments using:

  * SharePoint Optimized V2 connector v1.1.0 or later
  * LDAP ACLs V2 connector v1.4.0 or later to crawl Active Directory in Azure
  * The LDAP ACLs V2 connector v1.2.0 or later to crawl Active Directory in LDAP

  ## Migration

  To migrate a deployment that is crawling Active Directory to Fusion 5.8 or later, follow these steps.

  ### Update the datasource configurations

  The SharePoint Optimized V2 and LDAP ACLs V2 datasources must index the content documents and ACL documents to the same collection. Ensure both datasources use the same value, `contentCollection`, for the field **ACL Collection ID**.

  #### If using SharePoint-Optimized and LDAP-ACLs \< v2.0.0

  Update the **ACL Collection Id** in the datasource configuration.

  The SharePoint-Optimized and LDAP-ACLs datasources must index their `content_documents` and `acl_documents` to the same collection. Make sure the property **Security** -> **ACL Collection**  in both datasources have the same value. In both datasources, SharePoint-Optimized and LDAP-ACLs, check the property **Security** -> **ACL Collection Id** and make sure it points to the same content-collection.

  1. Navigate to **Indexing > Datasources**.
  2. Open your SharePoint Optimized V2 or LDAP ACLs V2 datasource.
  3. Under **Security**, update the configuration to use `contentCollection` as the **ACL Collection ID**. The **Security** checkbox must be checked for this field to appear.
  4. Save the configuration.

  Repeat this process for all required datasources.

  #### If using SharePoint-Optimized and LDAP-ACLs >= v2.0.0

  Recreate or update the datasources. If only updated, it is not possible to go back to the configuration of a previous plugin version.

  By default, the LDAP-ACLs and SharePoint-Optimized V2 datasources will index the `content_documents` and `acl_documents` to the same collection.

  1. Navigate to **Indexing > Datasources**.
  2. Open your SharePoint Optimized V2 or LDAP ACLs V2 datasource.
  3. Under **Graph Security Filtering Configuration**, select **Enable security trimming**.

  Repeat this process for all required datasources.

  ### Clear the datasources and perform a full crawl

  1. Navigate to **Indexing > Datasources**.
  2. Open your SharePoint Optimized V2 or LDAP ACLs V2 datasource.
  3. Click the **Clear Datasource** button, and choose yes.
  4. Navigate to **Collections > Collections Manager**.
  5. Verify that the `job_state` collection is empty.
  6. Return to your datasource.
  7. Click **Run > Start** to reindex your data.

  Repeat this process for all required datasources.
</Accordion>

The Security Trimming query pipeline stage restricts query results according to the user ID. While indexing the content, the Fusion connectors service stores security ACL metadata associated with the crawled items and indexes them as fields. The Security Trimming stage matches this information against the ID of the user running the search query.

This stage supports [asynchronous processing](/docs/5/fusion/getting-data-out/query-basics/query-pipelines/overview).

<LwTemplate />

## Query pipeline stage condition examples

Stages can be triggered conditionally when a script in the **Condition** field evaluates to true.
Some examples are shown below.

Run this stage only for mobile clients:

```js wrap  theme={"dark"}
params.deviceType === "mobile"
```

Run this stage when debugging is enabled:

```js wrap  theme={"dark"}
params.debug === "true"
```

Run this stage when the query includes a specific term:

```js wrap  theme={"dark"}
params.q && params.q.includes("sale")
```

Run this stage when multiple conditions are met:

```js wrap  theme={"dark"}
request.hasParam("fusion-user-name") && request.getFirstParam("fusion-user-name").equals("SuperUser");
!request.hasParam("isFusionPluginQuery")
```

The first condition checks that the request parameter "fusion-user-name" is present and has the value "SuperUser".
The second condition checks that the request parameter "isFusionPluginQuery" is not present.

## Learn more

<Accordion title=" Troubleshoot Security Trimming Issues">
  This topic describes how to troubleshoot issues with the Security Trimming query pipeline stage.

  One of the most common issues that occurs when working with Fusion is that users do not see the search results expected from security trimming for one reason or another. This issue can show itself in two ways:

  * Users see documents that they **should not** see.
  * Users **do not see** documents that they **should** see.

  ## An Explanation of the Security Trimming Stage

  The Security Trimming stage starts with a user ID. This ID can be a Windows user principal name, a Windows logon ID, an email address, an LDAP user ID, or any other type of identification that represents a search user.

  Next, the stage sends your ID to all of the datasources in your application and returns a solr filter query that will trim the data for the specific user.

  For example: You give Alfresco the user ID `admin` and the Security Trimming stage will return a filter query such as:

  `+({!terms f=acls_ss}ADMIN__cmis_read,GROUP_Engineering,GROUP_SustainingEngineering__cmis_read,guest__cmis_read)`

  Since Alfresco documents store the users/groups who have permission to view the document in a special solr field called `acls_ss`, this filter will only return a document if one of the values in the filter matches the `acls_ss` on the document.

  ## Troubleshooting

  If you do not receive the expected results from the Security Trimming stage, use the following steps to troubleshoot:

  1. Add `&debug=true` to your query so that you get the debug output that will contain the filters that were used when querying.
  2. Obtain the filter query that was used for your query. This will contain the groups/user IDs that were matched against the `acl` field for your datasource’s documents in order trim your results.
  3. Obtain a subset of the documents that were or were not supposed to be returned in your search results, and save the `acl` field for those results. For example, `acls_ss` from the previous section.
  4. Compare the `acl` values that were in the filter query to the `acl` values that are on the documents. Search results are only shown when one or more of the `acl` values from the filter match the `acl` values of the documents.
     * If the `acl` values on the document do not match what you expect from your datasource. For example, an Alfresco document gives permission to group XYZ, but that group does not appear in the `acls_ss` field:
     * Make sure the datasource is up to date. It may have a stale index and need a fresh crawl.
     * If the `acls_ss` is still incorrect, open a ticket with [Lucidworks Support](https://support.lucidworks.com/hc/en-us) for further assistance.
     * If the ACL values in the filter query seem inaccurate. For example, you see groups you should not see or are missing groups you should see:
     * Go into your source system and check that the users are actually in the groups that you are expecting them to belong to.
     * If you are sure that the correct groups are not being returned for a user, open a ticket with [Lucidworks Support](https://support.lucidworks.com/hc/en-us) for further assistance.
</Accordion>

## Configuration

<Tip>
  When entering configuration values in the UI, use *unescaped* characters, such as `\t` for the tab character. When entering configuration values in the API, use *escaped* characters, such as `\\t` for the tab character.
</Tip>

<SchemaParamFields schema={schema} />
