Configure IDOL > Security > Document Security > OmniGroupServer


OmniGroupServer extracts user and group information from repositories, such as Microsoft Active Directory and IBM Notes. OmniGroupServer stores the information so that it can be used by IDOL to provide document security.

When a user submits a query to IDOL server, IDOL must determine whether the user is permitted to view the documents that are returned as results. To do this, IDOL compares the user's information to each document's Access Control List (ACL).


The permissions applied to a file or record specify the users and groups who are permitted, and are not permitted, to view it. The permissions are stored in the file's ACL. When you set up mapped document security and connectors extract files from a repository, the connector writes the ACL into an encrypted document field.

IDOL must also consider the groups that the user belongs to. For example, a user might not have explicit permission to view a document, but they could be a member of a group that has permission. This means that IDOL requires the user and group information from the repository.

IDOL cannot retrieve security information from a repository at query time, because this would result in an unacceptable delay for the user who submitted the query. Instead, you can use OmniGroupServer to extract and cache the security information. OmniGroupServer regularly extracts security information, based on a schedule that you configure, so that it remains synchronized with the repository.

Retrieve Security Information

To extract security information from a repository you configure tasks in the OmniGroupServer configuration file. Each task extracts information from one type of repository. You can schedule tasks to run at specific intervals.


OmniGroupServer can make many requests to a repository. To maximize performance, HPE recommends scheduling tasks when the repository has spare capacity to process the queries, for example during the night.

For most repositories, OmniGroupServer can extract incremental changes. The first time the task runs, OmniGroupServer extracts all of the security information from the repository. The next time the task runs, OmniGroupServer only needs to extract the updated information.

Due to API limitations imposed by repositories, OmniGroupServer cannot extract security information from all types of repository. In some cases (for example Microsoft SharePoint), you must use a connector to extract security information. To extract security information using a connector, run the connector's SynchronizeGroups action.

You can run the SynchronizeGroups action automatically by using one of the following methods:

Process Security Information

OmniGroupServer can perform operations on the security information it extracts. For example, certain repositories use NT security but do not include the domain name in ACLs. In this case you could configure OmniGroupServer to remove the domain name from the NT groups that are extracted, so that they match the ACL.

Combine Security Information

Some repositories, such as Microsoft SharePoint, use a combination of security types. To set up security for documents that are extracted from SharePoint, you must configure a task in OmniGroupServer to combine NT security information with that from the SharePoint server. For more information about how to do this, refer to the SharePoint connector documentation.