Rather than the Access Rights, could you restrict the website using an IP Allow List instead?
If you are just interested in seeing the data within GraphiQL, you can query using the App Key and Secret rather than the Single Key.
No, we can't use IP restrictions, it needs to be behind login.
I'm not sure what you mean by the second sentence, I'm using the CMS integration and all three keys are already configured in the CMS appsettings.json file.
Hey Erik,
You're right to notice this behavior — and yes, it's by design.
Optimizely Graph (Content Graph) only indexes content that is accessible to "Everyone" or the authenticated search user (depending on config).
What you can do
Use IGraphContentAccessEvaluator to Customize Access Evaluation
public class AllowAllContentAccessEvaluator : IGraphContentAccessEvaluator
{
    public bool HasAccess(IContent content) => true;
}
And register it:
services.AddSingleton<IGraphContentAccessEvaluator, AllowAllContentAccessEvaluator>();
NOTE:-
Hey Erik,
I've been working recently on accessing restricted content through Graph and didn't have to add any IGraphContentAccessEvaluator.
I still need to test this properly across the whole site but performed tests against the page restricted like below:
Yes, it will not be returned when accessing Graph with Public access/single key (this way is used in the CMS Graph query explorer UI) but it is when querying Graph with Admin and Restricted access.
https://docs.developers.optimizely.com/platform-optimizely/docs/authentication
This would also mean that restricted content is indexed by default.
Essentially, what I did was to access the Graph with basic/hmac auth using app key and secret and adding cg-roles header with "Role1,Role2,Role3" assigned to the current user.
I have no idea how you are accessing the graph from your FE side, but if you are using the Opti clients https://github.com/remkoj/optimizely-dxp-clients there is a method exposed to the client that switches to restricted access and sets the roles header.
client.setFrontendUser({
  username: "user1",
  roles: "Role1,Role2,Role3"
})
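The restricted-access request described in the post above, as an added example that is not part of the original thread or of the Optimizely client code: a server-side helper that keeps the app key and secret out of the browser and builds the cg-roles header from the roles in the server-side session. The endpoint URL, the config field names, the fallback for users without roles and the sample keys are assumptions made for illustration.

```javascript
// Added example: server-side helper that picks the Graph access mode per request.
// GRAPH_ENDPOINT and the config field names are assumptions, not taken from the thread.
const GRAPH_ENDPOINT = "https://cg.optimizely.com/content/v2";

// Role names end up in a comma-separated header, so reject anything that could
// split the list or the header itself (commas, CR/LF, other control characters).
function isSafeRole(role) {
  return typeof role === "string" && /^[^\s,][^,\r\n\x00-\x1f]*$/.test(role);
}

// user: { name, roles } taken from the server-side session, or null when anonymous.
// config: { singleKey, appKey, secret } loaded from server configuration.
function buildGraphRequest(query, user, config) {
  const headers = { "Content-Type": "application/json" };
  const roles = user ? [...new Set(user.roles)] : [];
  if (roles.length === 0) {
    // Design choice of this example: never send the app secret without a role
    // list, so anonymous users and users with no roles get public access only.
    headers["Authorization"] = `epi-single ${config.singleKey}`;
  } else {
    const bad = roles.filter((r) => !isSafeRole(r));
    if (bad.length > 0) {
      throw new Error(`Refusing unsafe role name(s): ${JSON.stringify(bad)}`);
    }
    // Restricted access: Basic auth with app key and secret, roles in cg-roles.
    const token = Buffer.from(`${config.appKey}:${config.secret}`).toString("base64");
    headers["Authorization"] = `Basic ${token}`;
    headers["cg-roles"] = roles.join(",");
  }
  return { url: GRAPH_ENDPOINT, method: "POST", headers, body: JSON.stringify({ query }) };
}

// Constructed sample values, not real keys.
const sampleConfig = { singleKey: "SINGLE_KEY", appKey: "APP_KEY", secret: "APP_SECRET" };
const sampleQuery = "{ Content { items { Name } } }";
```

The returned object can be passed to any HTTP client on the server; the roles must come from the authenticated session, never from a value the browser sends.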
Damian:
So it's possible the content is indexed, but not available through the Graph admin module? Interesting, is there some documentation on this?
I'll investigate if this is the case, but at the same time it makes the admin tool completely useless for testing queries in a test environment. I wonder why the admin tool wouldn't at least use the access roles of the current user?
I agree it would make sense for the admin tool actually to query content as an admin.
If you take a look at the Network tab, you can see it sends a request with epi-single authorization header, which made me think it queries only public content:
I thought for a second that maybe there is a configuration option to enable admin access, but I noticed this tool is actually an IFrame pointing to https://cg.optimizely.com/app/graphiql?auth=%7Bsinglekey%7D.
Admin access would require passing the app key and secret there, which doesn't seem like a good and secure approach.
https://docs.developers.optimizely.com/platform-optimizely/docs/getting-started#access-the-interactive-graphiql-page
Hi,
This may be by design, or I am simply unable to find any information on the topic. But I have a test site that is restricted to authenticated users (as test sites normally are), and when this is enabled, the Graph synchronization will not index any content at all. If I remove the restriction (add Everyone read to the root page), then content appears in Graph (after indexing it).
Is there a way to change or disable this? Or any other tips on testing graph in a non-public environment?
CMS version 12.32.5
Optimizely.ContentGraph.Cms 3.16.6