PreQueryPlugin to enforce access control across all query endpoints.
In a production environment with thousands of workspaces, search forms, or otherwise any metacard that is covered by the access control policy, the PDP has to go through all of them, page by page, in linear time, to execute the policy and determine which of those the user is allowed to see. The network will actually timeout waiting for this process to complete.
Adding a pre-query plugin as part of the policy to modify the filter on-the-fly and defer a large portion of the processing to Solr is a big improvement.
Privilege user (role) should have access to all metacard.
Users should have access to all metacard that
they own "metacard.owner_txt":["firstname.lastname@example.org"]
they have been given access "security.access-individuals_txt":["email@example.com"],
they have been given administrator right (this could be deprecated) "security.access-administrators_txt":["firstname.lastname@example.org"],
they belong to the group with access "security.access-groups_txt":["guest"],