Page tree
Skip to end of metadata
Go to start of metadata


This page describes the security extensions to the AIE Core API.


These are links into the AIE Javadoc descriptions of security-related object classes.

Principal Identification

AIE uniquely identifies users and groups by a realmId and principalId. The realmId and principalId combined must be a unique identifier for the user or group within all of AIE. The realmId is a virtual construct used to uniquely identify different "realms of authentication and authorization". For example, your Microsoft Windows users and groups might be Active Directory authenticated and you may want to identify those as "AttivioWindowsRealm". But for Linux users and groups, the realm you may want to use could be something like "AttivioLinuxRealm".

Setting "Run As" principal via Query API.

With security enabled, all AIE queries must include a AttivioPrincipal so that ACLs can be properly applied to end-user searches. The AttivioPrincipal can be set by calling the "setPrincipal(AttivioPrincipal)" method on QueryRequest. The AttivioPrincipal supplied does not have to have the user's name field specified. Only the unique realmId/principalId combination is needed here. For example:

QueryRequest qr = new QueryRequest();
qr.setPrincipal(new AttivioPrincipal("AttivioRealm","1234","Jane",PrincipalType.USER));


QueryRequest qr = new QueryRequest();
qr.setPrincipal(new AttivioPrincipal("AttivioRealm","1234","Unknown",PrincipalType.USER));

The user's realmId and principalId can also be supplied as parameters on the URL post with:


Feeding Documents and ACLS via IngestClient

Documents and ACLs are fed programmatically as follows.

    IngestClient feed = new DefaultAieClientFactory().createIngestClient();

     * Feed bob and jane users
    AttivioPrincipal bob = new AttivioPrincipal("companyrealm","bobid","bob jones", AttivioPrincipal.PrincipalType.USER);
    AttivioPrincipal jane = new AttivioPrincipal("companyrealm","janeid","jane doe", AttivioPrincipal.PrincipalType.USER);
     * Create a file that only bob has read access on
    IngestDocument file = new IngestDocument("doc1");
    file.setField("title","history of the world");
    file.setField("text","this is the history part 1");
    AttivioAcl bobAcl = new AttivioAcl();
    List<AttivioPermission> perms = new ArrayList<AttivioPermission>();
    AttivioAclEntry entry = new AttivioAclEntry(bob, perms, false);

     * query as bob
    QueryRequest bobQr = new QueryRequest(new PhraseQuery("title","history"));
    QueryResponse resp =;

Feeding Principals via IngestClient

Content Security

AttivioPrincipals (users and groups) and their direct group membership can be fed programmatically to AIE with the following code.

    IngestClient principalFeeder = new DefaultAieClientFactory().createIngestClient();
    principalFeeder.setIngestWorkflow("ingestPrincipals"); // not required, but skips linguistics for better performance

    AttivioPrincipal tom = new AttivioPrincipal("companyrealm","tomid","tom jones", PrincipalType.USER);
    AttivioPrincipal allgroup = new AttivioPrincipal("companyrealm","allgroupid","all group", PrincipalType.GROUP);
    AttivioGroupMembership membership = new AttivioGroupMembership(tom.getPrincipalKey(), allgroup.getPrincipalKey());


Role-Based Security

Feeding AttivioPrincipals (users and groups) and their direct group membership can also be done for Role-Based Security, to the aieprincipals index.  This is done exactly the same as Content Security above, except setIngestWorkflow should be given ingestAiePrincipals instead of ingestPrincipals, as follows.

  • No labels