We have a build system on which we need to fetch documents for other user's builds. We don't have their password but only their login and we will use a service account. Is there a way to get the access rights for another principal with the FileNet API so we won't allow them to fetch something they don't have access to?
For performance sake, I would rather ask the CE to do the check instead of getting all permissions and checking them all one by one. Plus nested groups and security priority (direct/template/proxy) might slow things done a lot and make the code complex. Something like getAccessAllowed but given a principal or a User? If there is not, what would be the best way to do that?
I saw that get_MemberOfGroups deals with nested group but we still have to check against all the permissions, taking care of the source priority and deny/allow priority, which means re-implement the CE security strategy.
You can create custom LoginModule to authenticate user without password, then you can work with CE as original user without service account.
But you need to add this users in FN objects ACL's with correct permissions.