Be careful with search-admin role in HCL Connections

Author: Christoph Stoettner
Read in about 3 min · 516 words

Postboxes for newsletter

Photo by Markus Winkler | Unsplash

I showed, in several slides and sessions, how you can use the search-admin role in the search application of HCL Connections for troubleshooting and reviewing some key configurations.

In several environments, my user or other administrative users have this role, just to access the link to /search/serverStatus for example.

How it started

Some years ago, when IBM owned Connections, we had a case, that a user with the search application search-admin role didn’t see results in the profiles advanced search. The result was always empty.

As it already was after the birth of pink/component pack we decided to close the case, as a new search was already planned and announced.

So I forgot about this topic and started again to investigate an issue with profiles advanced search, end of 2023. My finding was that users with search-admin role do not get results in advanced search (/search/web/jsp/advancedSearch.jsp) of Connections. Any search term gives an empty result.

The journey

Profiles advanced search

Now searching for a given name (example: https://cnx8cr6-db2.stoeps.home/profiles/html/ )

Profiles advanced without search-admin role

Profiles advanced with search-admin role

After recognizing the root cause, a search in my notes and local documentation, brought up the old case and I opened a new one at HCL support.

After three months of waiting, I got the answer:

This is to inform you that the development has gone through the issue. This is working as expected.

HCL Support

Ok, as this behavior seems to be intended, I asked for updated documentation or knowledge base article. I even created a pull request for the Connections 8 documentation.

So, two months ago, the page Roles was updated with the wording:

Note: Users with this role may experience certain limitations with UI-based search functionality.

HCL Connections 8 documentation

I wasn’t pleased with this because when something is working as intended, I would clearly state what happens when you assign the role. So I asked for a change. Which was released with CR6 now:

Note: Granting the search-admin role exclusively for auditing tasks to a user may inadvertently expose restricted content. Consequently, the role is intended to have limitations.

HCL Connections 8 documentation

To be honest, that’s even worse. Therefore, there is a role for auditing, but it is built to have limitations. I don’t understand! Either I have an audit role (which should get everything), or I have limitations.


To prevent further time wastage, I’m closing the case and jotting down a note to remember this shortcoming. But I don’t want to wait any longer for another change or for my proposal to be merged.

Btw, there is another documentation page Analyzing results from the search serverStatus page , which tells you to set the role for troubleshooting, but also does not contain a warning about the circumstances. Just a recommendation to use a new user for the role.

Add a comment
There was an error sending your comment, please try again.
Thank you!
Your comment has been submitted and will be published once it has been approved.

Your email address will not be published. Required fields are marked with *

Suggested Reading
Card image cap

Some time ago I got the tip from HCL Support, that the Create Community button will recognize the role community-creator only when the gatekeeper option CATALOG_CARD_UPDATED is set to false.

This is working, but I had to complain, that this option activates some code, which loads fonts from a CDN instead of the local Connections deployment.

Last Update:
Read in about 2 min
Aaron Burden: Fountain pen and a notebook
IBM released a tech document on friday with title: Search fails with the error CLFRW0060E: Input-output exception . This document solves one of my problems i had in a demo environment since two weeks. I traced the environment, checked j2ee roles, reinstalled CR3 and 4, redeployed search and activities, but i always got an error, when the search wants to access the activities seed list. So what happened? I want to show the /search/serverStatus page in a course and for this i want to remove all warnings and errors. When you don’t set SEARCH_SEEDLIST_TIMEOUT, you get a warning, that the variable is not set.
Last Update:
Read in about 2 min
Aaron Burden: Fountain pen and a notebook
On one of my IBM Connections Site i had a problem with directory search (better the typeahead search). When we searched single characters no business cards are displayed. I use Firebug for Chrome here and you see, that the search gets an result back from Connections, but no business cards are displayed. When i open this get statement i get a list of profile documents in JSON format: In this case i a got a list of about 20 User profiles. When i search a little bit more detailed i get an error of a Javascript, which should interpret the JSON list.
Last Update:
Read in about 2 min