Issue
Fusion does not return filtered results based on user access when searching documents indexed by the SharePoint Optimized connector. Document-level security trimming is expected, but search queries return either all or no documents regardless of the authenticated user.
Diagnosis
This issue typically occurs when any of the following applies:
The SharePoint Optimized connector is used without a configured ACL (Access Control List) indexing source (such as the LDAP ACL connector).
The ACL and content collections are not aligned, or the graph join query is malformed.
A legacy or patched connector version is used that lacks compatibility with the security-trimming stage.
To verify if the issue applies:
Check whether the graph query is being constructed and injected into the query pipeline.
Confirm if the ACL collection contains data with expected user and group mappings.
Examine whether the LDAP ACL connector is deployed and properly indexing into the same ACL collection used by the SharePoint connector.
Review Solr logs to verify that the join and graph queries are executing correctly.
Environment
Fusion 5.5.1-1
Kubernetes: EKS, version 1.24
Applies to: Fusion 5.5 and above using SharePoint Optimized and LDAP ACL connectors
Cause
The default SharePoint Optimized connector does not index ACLs directly. It relies on external ACL connectors, such as the LDAP ACL connector, to populate access control information in a separate ACL collection. If this collection is missing or misaligned with the content collection, the graph security trimming query will not function.
Additionally, security trimming does not work with older patch versions of the SharePoint Optimized connector due to plugin or ID mismatch issues. Some environments may use unsupported regex site filters in pre-1.0 connector patches, which are incompatible with graph-based security trimming.
Resolution
Install and configure the graph security trimming plugin
Navigate to System → Blobs → Add → Query stage plugin.
Upload the provided plugin: query-stage-plugins_graph-security-trimming-stage-plugin-55x.zip
Add the plugin to the desired query pipeline:
Click “Add new pipeline stage”.
Select the graph security trimming stage under Custom.
Configure datasources
Deploy both the SharePoint Optimized and LDAP ACL connectors under the same content collection.
Configure both to write ACLs to the same ACL collection (e.g., TestACL) via security → ACL collection in the datasource configuration.
Set up index pipeline
Ensure that the ID field is not modified by the index pipeline for both datasources.
Re-crawl both datasources to re-index content and ACLs.
Construct the graph join query
Use the following fq parameter inside a Query Params stage to apply graph-based filtering:
{!join from=id to=_lw_acl_ss fromIndex=TestACL method=crossCollection}{!graph from=inbound_ss to=outbound_ss}id:<userId>
Replace <userId> with the authenticated user’s email or unique identifier.
Execute and validate
Validate the security-trimmed query using the Solr Admin UI or Query Workbench.
Review the query response and logs to confirm that the join/graph is applied correctly and access is trimmed according to ACLs.
Additional notes
Document IDs indexed by the LDAP ACL connector must match the IDs in the SharePoint documents (no suffix like __0).
Always use officially released connector versions (1.x or higher); pre-1.0 versions are unsupported and may be incompatible with graph security trimming.
Confirm the user’s group memberships and ACL mappings in the indexed documents (e.g., using UserACLDocs.json and SampleContentDoc.json).
If the ACL graph query continues to return zero documents, verify that:
The user has valid permissions within SharePoint groups.
All related ACL documents are present and correctly mapped to the content.
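The following added example (not part of the original article or of Fusion) models the fq from the Resolution section over exported documents, to show which content a user would see and why a reference fails to match. The field names come from that fq; the sample documents, their edge values, and the helper names are constructed assumptions, and the traversal is a simplified model of Solr's graph and join parsers rather than Solr itself.

```python
# Added example. Field names come from the fq above; documents are constructed.
ACL_DOCS = [  # stand-in for the ACL collection (TestACL)
    {"id": "alice@example.com", "outbound_ss": ["g-finance"]},
    {"id": "bob@example.com", "outbound_ss": ["g-staff"]},
    {"id": "g-finance", "inbound_ss": ["g-finance"], "outbound_ss": ["g-staff"]},
    {"id": "g-staff__0", "inbound_ss": ["g-staff"]},  # id carries a __0 suffix
]
CONTENT_DOCS = [  # stand-in for the content collection
    {"id": "doc-1", "_lw_acl_ss": ["g-finance"]},
    {"id": "doc-2", "_lw_acl_ss": ["g-staff"]},
    {"id": "doc-3", "_lw_acl_ss": ["g-legal"]},
]

def _strip(value, suffix="__0"):
    return value[:-len(suffix)] if value.endswith(suffix) else value

def graph_reach(acl_docs, user_id):
    """ACL ids matched by {!graph from=inbound_ss to=outbound_ss}id:<userId>."""
    roots = [d for d in acl_docs if d["id"] == user_id]
    seen, frontier = {d["id"] for d in roots}, roots
    while frontier:
        # Collect the frontier's outgoing edge values, then pull in unseen
        # documents whose inbound_ss carries any of them.
        edges = {e for d in frontier for e in d.get("outbound_ss", [])}
        frontier = [d for d in acl_docs if d["id"] not in seen
                    and edges & set(d.get("inbound_ss", []))]
        seen |= {d["id"] for d in frontier}
    return seen

def trimmed_ids(content_docs, acl_docs, user_id):
    """Content ids kept by the {!join from=id to=_lw_acl_ss} filter."""
    allowed = graph_reach(acl_docs, user_id)
    return sorted(d["id"] for d in content_docs
                  if allowed & set(d.get("_lw_acl_ss", [])))

def dangling_acl_refs(content_docs, acl_docs):
    """Map (content id, ACL ref) -> reason, for refs with no ACL document."""
    acl_ids = {d["id"] for d in acl_docs}
    stripped = {_strip(i) for i in acl_ids}
    report = {}
    for doc in content_docs:
        for ref in doc.get("_lw_acl_ss", []):
            if ref not in acl_ids:
                near = _strip(ref) in stripped
                report[(doc["id"], ref)] = "suffix mismatch" if near else "missing"
    return report

if __name__ == "__main__":
    print(trimmed_ids(CONTENT_DOCS, ACL_DOCS, "alice@example.com"))
    print(dangling_acl_refs(CONTENT_DOCS, ACL_DOCS))
```

In the sample data, bob is a member of the group that protects doc-2 yet sees nothing, because the ACL document was indexed with a __0 suffix and the join on id no longer matches.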