CheckDocumentAccess
Note
Amazon Q Business will no longer be open to new customers starting on July 31, 2026. If you would like to use the service, please sign up prior to July 30. For capabilities similar to Q Business, explore Amazon Quick. Learn more.
Verifies if a user has access permissions for a specified document and returns the actual ACL attached to the document. Resolves user access on the document via user aliases and groups when verifying user access.
Request Syntax
GET /applications/applicationId/index/indexId/users/userId/documents/documentId/check-document-access?dataSourceId=dataSourceId HTTP/1.1
URI Request Parameters
The request uses the following URI parameters.
- applicationId
-
The unique identifier of the application. This is required to identify the specific Amazon Q Business application context for the document access check.
Length Constraints: Fixed length of 36.
Pattern:
[a-zA-Z0-9][a-zA-Z0-9-]{35}Required: Yes
- dataSourceId
-
The unique identifier of the data source. Identifies the specific data source from which the document originates. Should not be used when a document is uploaded directly with BatchPutDocument, as no dataSourceId is available or necessary.
Length Constraints: Fixed length of 36.
Pattern:
[a-zA-Z0-9][a-zA-Z0-9-]{35} - documentId
-
The unique identifier of the document. Specifies which document's access permissions are being checked.
Length Constraints: Minimum length of 1. Maximum length of 1825.
Pattern:
\P{C}*Required: Yes
- indexId
-
The unique identifier of the index. Used to locate the correct index within the application where the document is stored.
Length Constraints: Fixed length of 36.
Pattern:
[a-zA-Z0-9][a-zA-Z0-9-]{35}Required: Yes
- userId
-
The unique identifier of the user. Used to check the access permissions for this specific user against the document's ACL.
Length Constraints: Minimum length of 1. Maximum length of 2048.
Required: Yes
Request Body
The request does not have a request body.
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
"documentAcl": {
"allowlist": {
"conditions": [
{
"groups": [
{
"name": "string",
"type": "string"
}
],
"memberRelation": "string",
"users": [
{
"id": "string",
"type": "string"
}
]
}
],
"memberRelation": "string"
},
"denyList": {
"conditions": [
{
"groups": [
{
"name": "string",
"type": "string"
}
],
"memberRelation": "string",
"users": [
{
"id": "string",
"type": "string"
}
]
}
],
"memberRelation": "string"
}
},
"hasAccess": boolean,
"userAliases": [
{
"id": "string",
"type": "string"
}
],
"userGroups": [
{
"name": "string",
"type": "string"
}
]
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- documentAcl
-
The Access Control List (ACL) associated with the document. Includes allowlist and denylist conditions that determine user access.
Type: DocumentAcl object
- hasAccess
-
A boolean value indicating whether the specified user has access to the document, either direct access or transitive access via groups and aliases attached to the document.
Type: Boolean
- userAliases
-
An array of aliases associated with the user. This includes both global and local aliases, each with a name and type.
Type: Array of AssociatedUser objects
- userGroups
-
An array of groups the user is part of for the specified data source. Each group has a name and type.
Type: Array of AssociatedGroup objects
Errors
For information about the errors that are common to all actions, see Common Error Types.
- AccessDeniedException
-
You don't have access to perform this action. Make sure you have the required permission policies and user accounts and try again.
HTTP Status Code: 403
- InternalServerException
-
An issue occurred with the internal server used for your Amazon Q Business service. Wait some minutes and try again, or contact Support
for help. HTTP Status Code: 500
- ResourceNotFoundException
-
The application or plugin resource you want to use doesn’t exist. Make sure you have provided the correct resource and try again.
- message
-
The message describing a
ResourceNotFoundException. - resourceId
-
The identifier of the resource affected.
- resourceType
-
The type of the resource affected.
HTTP Status Code: 404
- ThrottlingException
-
The request was denied due to throttling. Reduce the number of requests and try again.
HTTP Status Code: 429
- ValidationException
-
The input doesn't meet the constraints set by the Amazon Q Business service. Provide the correct input and try again.
- fields
-
The input field(s) that failed validation.
- message
-
The message describing the
ValidationException. - reason
-
The reason for the
ValidationException.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: