diff --git a/src/com/google/enterprise/adaptor/AclTransform.java b/src/com/google/enterprise/adaptor/AclTransform.java
new file mode 100644
index 0000000..af740b1
--- /dev/null
+++ b/src/com/google/enterprise/adaptor/AclTransform.java
@@ -0,0 +1,190 @@
+// Copyright 2013 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.enterprise.adaptor;
+
+import com.google.common.base.Objects;
+import com.google.enterprise.adaptor.Principal.ParsedPrincipal;
+
+import java.util.*;
+
+/**
+ * Transforms Principals in ACLs based on provided rules.
+ */
+final class AclTransform {
+  private final List<Rule> rules;
+
+  public AclTransform(List<Rule> rules) {
+    this.rules = Collections.unmodifiableList(new ArrayList<Rule>(rules));
+  }
+
+  public Acl transform(Acl acl) {
+    if (acl == null) {
+      return null;
+    }
+    if (rules.isEmpty()) {
+      return acl;
+    }
+    return new Acl.Builder(acl)
+        .setPermits(transform(acl.getPermits()))
+        .setDenies(transform(acl.getDenies()))
+        .build();
+  }
+
+  private Set<Principal> transform(Set<Principal> principals) {
+    Set<Principal> newPrincipals = new TreeSet<Principal>();
+    for (Principal principal : principals) {
+      ParsedPrincipal parsed = principal.parse();
+      for (Rule rule : rules) {
+        if (rule.match.matches(parsed)) {
+          parsed = rule.replace.replace(parsed);
+        }
+      }
+      newPrincipals.add(parsed.toPrincipal());
+    }
+    return Collections.unmodifiableSet(newPrincipals);
+  }
+
+  @Override
+  public String toString() {
+    return "AclTransform(rules=" + rules + ")";
+  }
+
+  @Override
+  public int hashCode() {
+    return rules.hashCode();
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (!(o instanceof AclTransform)) {
+      return false;
+    }
+    AclTransform a = (AclTransform) o;
+    return rules.equals(a.rules);
+  }
+
+  public static final class Rule {
+    private final MatchData match;
+    private final MatchData replace;
+
+    public Rule(MatchData match, MatchData replace) {
+      if (match == null || replace == null) {
+        throw new NullPointerException();
+      }
+      if (replace.isGroup != null) {
+        throw new IllegalArgumentException(
+            "isGroup must be null for replacements");
+      }
+      this.match = match;
+      this.replace = replace;
+    }
+
+    @Override
+    public String toString() {
+      return "Rule(match=" + match + ",replace=" + replace + ")";
+    }
+
+    @Override
+    public int hashCode() {
+      return Arrays.hashCode(new Object[] {match, replace});
+    }
+
+    @Override
+    public boolean equals(Object o) {
+      if (!(o instanceof Rule)) {
+        return false;
+      }
+      Rule r = (Rule) o;
+      return match.equals(r.match) && replace.equals(r.replace);
+    }
+  }
+
+  public static final class MatchData {
+    // Visible for GsaCommunicationHandler
+    final Boolean isGroup;
+    private final String name;
+    private final String domain;
+    private final String namespace;
+
+    /**
+     * For matching, non-{@code null} fields must be equal on Principal. For
+     * replacing, non-{@code null} fields will get set on Principal.
+     * {@code isGroup} must be {@code null} for replacements.
+     */
+    public MatchData(Boolean isGroup, String name, String domain,
+        String namespace) {
+      this.isGroup = isGroup;
+      this.name = name;
+      this.domain = domain;
+      this.namespace = namespace;
+    }
+
+    private boolean matches(ParsedPrincipal principal) {
+      boolean matches = true;
+      if (isGroup != null) {
+        matches = matches && isGroup.equals(principal.isGroup);
+      }
+      if (name != null) {
+        matches = matches && name.equals(principal.plainName);
+      }
+      if (domain != null) {
+        matches = matches && domain.equals(principal.domain);
+      }
+      if (namespace != null) {
+        matches = matches && namespace.equals(principal.namespace);
+      }
+      return matches;
+    }
+
+    private ParsedPrincipal replace(ParsedPrincipal principal) {
+      if (isGroup != null) {
+        throw new AssertionError();
+      }
+      if (name != null) {
+        principal = principal.plainName(name);
+      }
+      if (domain != null) {
+        principal = principal.domain(domain);
+      }
+      if (namespace != null) {
+        principal = principal.namespace(namespace);
+      }
+      return principal;
+    }
+
+    @Override
+    public String toString() {
+      return "MatchData(isGroup=" + isGroup + ",name=" + name
+          + ",domain=" + domain + ",namespace=" + namespace + ")";
+    }
+
+    @Override
+    public int hashCode() {
+      return Arrays.hashCode(new Object[] {isGroup, name, domain, namespace});
+    }
+
+    @Override
+    public boolean equals(Object o) {
+      if (!(o instanceof MatchData)) {
+        return false;
+      }
+      MatchData m = (MatchData) o;
+      return Objects.equal(isGroup, m.isGroup)
+          && Objects.equal(name, m.name)
+          && Objects.equal(domain, m.domain)
+          && Objects.equal(namespace, m.namespace);
+    }
+  }
+}
diff --git a/src/com/google/enterprise/adaptor/Config.java b/src/com/google/enterprise/adaptor/Config.java
index 0dd9f83..419b504 100644
--- a/src/com/google/enterprise/adaptor/Config.java
+++ b/src/com/google/enterprise/adaptor/Config.java
@@ -119,6 +119,8 @@
  *     checking. Defaults to false
  * <tr><td> </td><td>server.useCompression </td><td> compress retrieval
  *     responses. Defaults to true
+ * <tr><td> </td><td>transform.acl.X </td><td> where X is an integer, match
+ *     and modify principals as described. Defaults no modifications
  * <tr><td> </td><td>transform.pipeline </td><td> sequence of
  *     transformation steps.  Defaults to no-pipeline
  * </table>
diff --git a/src/com/google/enterprise/adaptor/DocumentHandler.java b/src/com/google/enterprise/adaptor/DocumentHandler.java
index 04ba831..813fa87 100644
--- a/src/com/google/enterprise/adaptor/DocumentHandler.java
+++ b/src/com/google/enterprise/adaptor/DocumentHandler.java
@@ -62,6 +62,7 @@
       = new HashSet<InetAddress>();
   private final SamlServiceProvider samlServiceProvider;
   private final TransformPipeline transform;
+  private final AclTransform aclTransform;
   private final boolean useCompression;
   private final boolean sendDocControls;
   private final long headerTimeoutMillis;
@@ -76,14 +77,14 @@
                          AuthzAuthority authzAuthority,
                          String gsaHostname, String[] fullAccessHosts,
                          SamlServiceProvider samlServiceProvider,
-                         TransformPipeline transform,
+                         TransformPipeline transform, AclTransform aclTransform,
                          boolean useCompression,
                          Watchdog watchdog, AsyncPusher pusher,
                          boolean sendDocControls, long headerTimeoutMillis,
                          long contentTimeoutMillis, String scoringType) {
     if (docIdDecoder == null || docIdEncoder == null || journal == null
-        || adaptor == null || watchdog == null || pusher == null
-        || scoringType == null) {
+        || adaptor == null || aclTransform == null || watchdog == null
+        || pusher == null || scoringType == null) {
       throw new NullPointerException();
     }
     this.docIdDecoder = docIdDecoder;
@@ -93,6 +94,7 @@
     this.authzAuthority = authzAuthority;
     this.samlServiceProvider = samlServiceProvider;
     this.transform = transform;
+    this.aclTransform = aclTransform;
     this.useCompression = useCompression;
     this.watchdog = watchdog;
     this.pusher = pusher;
@@ -777,6 +779,7 @@
       if (transform != null) {
         transform();  
       } 
+      acl = aclTransform.transform(acl);
       if (requestIsFromFullyTrustedClient(ex)) {
         // Always specify metadata and ACLs, even when empty, to replace
         // previous values.
diff --git a/src/com/google/enterprise/adaptor/GsaCommunicationHandler.java b/src/com/google/enterprise/adaptor/GsaCommunicationHandler.java
index 4d8fa24..1980a42 100644
--- a/src/com/google/enterprise/adaptor/GsaCommunicationHandler.java
+++ b/src/com/google/enterprise/adaptor/GsaCommunicationHandler.java
@@ -14,6 +14,7 @@
 
 package com.google.enterprise.adaptor;
 
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.util.concurrent.ThreadFactoryBuilder;
 
 import com.sun.net.httpserver.Filter;
@@ -308,7 +309,7 @@
         docIdCodec, docIdCodec, journal, adaptor, authzAuthority,
         config.getGsaHostname(),
         config.getServerFullAccessHosts(),
-        samlServiceProvider, createTransformPipeline(),
+        samlServiceProvider, createTransformPipeline(), createAclTransform(),
         config.isServerToUseCompression(), watchdog,
         asyncDocIdSender, 
         config.doesGsaAcceptDocControlsHeader(),
@@ -372,6 +373,7 @@
     return createTransformPipeline(config.getTransformPipelineSpec());
   }
 
+  @VisibleForTesting
   static TransformPipeline createTransformPipeline(
       List<Map<String, String>> pipelineConfig) {
     List<DocumentTransform> elements = new LinkedList<DocumentTransform>();
@@ -427,6 +429,93 @@
     return elements.size() > 0 ? new TransformPipeline(elements, names) : null;
   }
 
+  private AclTransform createAclTransform() {
+    return createAclTransform(config.getValuesWithPrefix("transform.acl."));
+  }
+
+  @VisibleForTesting
+  static AclTransform createAclTransform(Map<String, String> aclConfigRaw) {
+    Map<Integer, String> aclConfig = new TreeMap<Integer, String>();
+    for (Map.Entry<String, String> me : aclConfigRaw.entrySet()) {
+      try {
+        aclConfig.put(Integer.parseInt(me.getKey()), me.getValue());
+      } catch (NumberFormatException ex) {
+        // Don't insert into map.
+        log.log(Level.FINE, "Ignorning transform.acl.{0} because {0} is not an "
+            + "integer", me.getKey());
+      }
+    }
+
+    List<AclTransform.Rule> rules = new LinkedList<AclTransform.Rule>();
+    for (String value : aclConfig.values()) {
+      String[] parts = value.split(";", 2);
+      if (parts.length != 2) {
+        log.log(Level.WARNING, "Could not find semicolon in acl transform: {0}",
+            value);
+        continue;
+      }
+      AclTransform.MatchData search = parseAclTransformMatchData(parts[0]);
+      AclTransform.MatchData replace = parseAclTransformMatchData(parts[1]);
+      if (search == null || replace == null) {
+        log.log(Level.WARNING,
+            "Could not parse acl transform rule: {0}", value);
+        continue;
+      }
+      if (replace.isGroup != null) {
+        log.log(Level.WARNING,
+            "Replacement cannot change type. Failed in rule: {0}", value);
+        continue;
+      }
+      rules.add(new AclTransform.Rule(search, replace));
+    }
+    return new AclTransform(rules);
+  }
+
+  private static AclTransform.MatchData parseAclTransformMatchData(String s) {
+    String[] decls = s.split(",", -1);
+    if (decls.length == 1 && decls[0].trim().equals("")) {
+      // No declarations are required
+      return new AclTransform.MatchData(null, null, null, null);
+    }
+    Boolean isGroup = null;
+    String name = null;
+    String domain = null;
+    String namespace = null;
+    for (String decl : decls) {
+      String parts[] = decl.split("=", 2);
+      if (parts.length != 2) {
+        log.log(Level.WARNING,
+            "Could not find \"=\" in \"{0}\" as part of \"{1}\"",
+            new Object[] {decl, s});
+        return null;
+      }
+      String key = parts[0].trim();
+      String value = parts[1];
+      if (key.equals("type")) {
+        if (value.equals("group")) {
+          isGroup = true;
+        } else if (value.equals("user")) {
+          isGroup = false;
+        } else {
+          log.log(Level.WARNING, "Unknown type \"{0}\" as part of \"{1}\"",
+              new Object[] {value, s});
+          return null;
+        }
+      } else if (key.equals("name")) {
+        name = value;
+      } else if (key.equals("domain")) {
+        domain = value;
+      } else if (key.equals("namespace")) {
+        namespace = value;
+      } else {
+        log.log(Level.WARNING, "Unknown key \"{0}\" as part of \"{1}\"",
+            new Object[] {key, s});
+        return null;
+      }
+    }
+    return new AclTransform.MatchData(isGroup, name, domain, namespace);
+  }
+
   /**
    * Retrieve our default KeyPair from the default keystore. The key should have
    * the same password as the keystore.
diff --git a/src/com/google/enterprise/adaptor/Principal.java b/src/com/google/enterprise/adaptor/Principal.java
index 3b32777..043fbd8 100644
--- a/src/com/google/enterprise/adaptor/Principal.java
+++ b/src/com/google/enterprise/adaptor/Principal.java
@@ -95,4 +95,168 @@
 
     return name.compareTo(other.name);
   }
+
+  ParsedPrincipal parse() {
+    for (int i = 0; i < name.length(); i++) {
+      char c = name.charAt(i);
+      switch (c) {
+        case '\\':
+          return new ParsedPrincipal(isGroup(), name.substring(i + 1),
+              name.substring(0, i), DomainFormat.NETBIOS, namespace);
+        case '/':
+          return new ParsedPrincipal(isGroup(), name.substring(i + 1),
+              name.substring(0, i), DomainFormat.NETBIOS_FORWARDSLASH,
+              namespace);
+        case '@':
+          return new ParsedPrincipal(isGroup(), name.substring(0, i),
+              name.substring(i + 1), DomainFormat.DNS, namespace);
+        default:
+      }
+    }
+    return new ParsedPrincipal(isGroup(), name, "", DomainFormat.NONE,
+        namespace);
+  }
+
+  static enum DomainFormat {
+    NONE,
+    DNS,
+    NETBIOS,
+    /**
+     * Same as NETBIOS, but a forward slash is used instead of a backslash. This
+     * is to support round-tripping all Principals; if you don't modify the
+     * ParsedPrincipal, you shouldn't see any modifications.
+     */
+    NETBIOS_FORWARDSLASH,
+    ;
+  }
+
+  /**
+   * Immutable form of Principal where user's name has been split into name and
+   * domain components. This class guarantees full fidelity of Principal
+   * objects: {@code principal.equals(principal.parse().toPrincipal())} is
+   * always {@code true}.
+   */
+  static class ParsedPrincipal<T extends Principal> {
+    public final boolean isGroup;
+    public final String plainName;
+    public final String domain;
+    public final DomainFormat domainFormat;
+    public final String namespace;
+
+    public ParsedPrincipal(boolean isGroup, String plainName, String domain,
+        DomainFormat domainFormat, String namespace) {
+      if (plainName == null || domain == null || domainFormat == null
+          || namespace == null) {
+        throw new NullPointerException();
+      }
+      this.isGroup = isGroup;
+      this.plainName = plainName;
+      this.domain = domain;
+      this.domainFormat = domainFormat;
+      this.namespace = namespace;
+    }
+
+    public ParsedPrincipal plainName(String plainName) {
+      return new ParsedPrincipal(isGroup, plainName, domain, domainFormat,
+          namespace);
+    }
+
+    public ParsedPrincipal domain(String domain) {
+      return new ParsedPrincipal(isGroup, plainName, domain, domainFormat,
+          namespace);
+    }
+
+    public ParsedPrincipal domainFormat(DomainFormat domainFormat) {
+      return new ParsedPrincipal(isGroup, plainName, domain, domainFormat,
+          namespace);
+    }
+
+    public ParsedPrincipal namespace(String namespace) {
+      return new ParsedPrincipal(isGroup, plainName, domain, domainFormat,
+          namespace);
+    }
+
+    /**
+     * Determine the format that should be used for combining the name and
+     * domain together. This does not simply return domainFormat, because it
+     * needs to make sure that using such a format will not cause ambiguities.
+     */
+    private DomainFormat determineEffectiveFormat() {
+      DomainFormat format = domainFormat;
+      if (domain.equals("")) {
+        return format;
+      }
+
+      // Domain handling
+      if (format == DomainFormat.NONE) {
+        format = DomainFormat.NETBIOS;
+      }
+      if ((format == DomainFormat.NETBIOS
+            || format == DomainFormat.NETBIOS_FORWARDSLASH)
+          && containsSpecial(domain)) {
+        format = DomainFormat.DNS;
+      }
+      if (format == DomainFormat.DNS && containsSpecial(plainName)) {
+        if (containsSpecial(domain)) {
+          throw new IllegalStateException("Neither NETBIOS nor DNS formats can "
+              + "be used: plainName=" + plainName + " domain=" + domain);
+        }
+        format = DomainFormat.NETBIOS;
+      }
+      return format;
+    }
+
+    private boolean containsSpecial(String s) {
+      return s.contains("\\") || s.contains("/") || s.contains("@");
+    }
+
+    public Principal toPrincipal() {
+      String name;
+      switch (determineEffectiveFormat()) {
+        case NONE:
+          name = plainName;
+          break;
+        case DNS:
+          name = plainName + "@" + domain;
+          break;
+        case NETBIOS:
+          name = domain + "\\" + plainName;
+          break;
+        case NETBIOS_FORWARDSLASH:
+          name = domain + "/" + plainName;
+          break;
+        default:
+          throw new AssertionError();
+      }
+      if (isGroup) {
+        return new GroupPrincipal(name, namespace);
+      } else {
+        return new UserPrincipal(name, namespace);
+      }
+    }
+
+    @Override
+    public String toString() {
+      return "ParsedPrincipal(isGroup=" + isGroup + ",plainName=" + plainName
+          + ",domain=" + domain + ",domainFormat=" + domainFormat
+          + ",namespace=" + namespace + ")";
+    }
+
+    @Override
+    public int hashCode() {
+      return Arrays.hashCode(
+          new Object[] {isGroup, plainName, domain, domainFormat, namespace});
+    }
+
+    @Override
+    public boolean equals(Object o) {
+      if (!(o instanceof ParsedPrincipal)) {
+        return false;
+      }
+      ParsedPrincipal p = (ParsedPrincipal) o;
+      return isGroup == p.isGroup && plainName.equals(p.plainName)
+          && domainFormat == p.domainFormat && namespace.equals(p.namespace)
+          && domain.equals(p.domain);
+    }
+  }
 }
diff --git a/test/com/google/enterprise/adaptor/AclTransformTest.java b/test/com/google/enterprise/adaptor/AclTransformTest.java
new file mode 100644
index 0000000..d23ad61
--- /dev/null
+++ b/test/com/google/enterprise/adaptor/AclTransformTest.java
@@ -0,0 +1,198 @@
+// Copyright 2013 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.enterprise.adaptor;
+
+import static org.junit.Assert.*;
+
+import com.google.enterprise.adaptor.AclTransform.MatchData;
+import com.google.enterprise.adaptor.AclTransform.Rule;
+
+import org.junit.Test;
+
+import java.util.*;
+
+/** Unit tests for {@link AclTransform}. */
+public class AclTransformTest {
+  private static final Acl baseAcl = new Acl.Builder()
+      .setInheritFrom(new DocId("inherit place"))
+      .setEverythingCaseInsensitive()
+      .setPermits(Arrays.asList(
+          new UserPrincipal("u1"),
+          new GroupPrincipal("g1@d1"),
+          new GroupPrincipal("D1\\g1"),
+          new GroupPrincipal("D1/g1"),
+          new GroupPrincipal("u1", "ns1"),
+          new GroupPrincipal("u1@d1", "ns2")))
+      .setDenies(Arrays.asList(
+          new UserPrincipal("u1"),
+          new GroupPrincipal("g1"),
+          new GroupPrincipal("g1", "ns1")))
+      .build();
+
+  @Test
+  public void testEmptyTransform() {
+    assertSame(baseAcl,
+        new AclTransform(Arrays.<Rule>asList()).transform(baseAcl));
+  }
+
+  @Test
+  public void testNonMatchingTransform() {
+    List<Rule> rules = Arrays.asList(
+        new Rule(new MatchData(null, "nonmatching", null, null),
+          new MatchData(null, "noprincipal", "nodomain", "nons")));
+    assertEquals(baseAcl, new AclTransform(rules).transform(baseAcl));
+  }
+
+  @Test
+  public void testAllMatchingTransform() {
+    List<Rule> rules = Arrays.asList(
+        new Rule(new MatchData(null, null, null, null),
+          new MatchData(null, "anyprincipal", "anydomain", "anyns")));
+    AclTransform transform = new AclTransform(rules);
+    // Test null passthrough and re-use of AclTransform
+    assertNull(transform.transform(null));
+    assertEquals(new Acl.Builder(baseAcl)
+          .setPermits(Arrays.asList(
+            new UserPrincipal("anydomain\\anyprincipal", "anyns"),
+            new GroupPrincipal("anyprincipal@anydomain", "anyns"),
+            new GroupPrincipal("anydomain\\anyprincipal", "anyns"),
+            new GroupPrincipal("anydomain/anyprincipal", "anyns")))
+          .setDenies(Arrays.asList(
+            new UserPrincipal("anydomain\\anyprincipal", "anyns"),
+            new GroupPrincipal("anydomain\\anyprincipal", "anyns")))
+          .build(),
+        transform.transform(baseAcl));
+  }
+
+  @Test
+  public void testAllMatchingTransformNoop() {
+    List<Rule> rules = Arrays.asList(
+        new Rule(new MatchData(null, null, null, null),
+          new MatchData(null, null, null, null)));
+    assertEquals(baseAcl, new AclTransform(rules).transform(baseAcl));
+  }
+
+  @Test
+  public void testGroupMatching() {
+    List<Rule> rules = Arrays.asList(
+        new Rule(new MatchData(true, null, null, null),
+          new MatchData(null, "anygroup", null, null)));
+    assertEquals(new Acl.Builder(baseAcl)
+          .setPermits(Arrays.asList(
+            new UserPrincipal("u1"),
+            new GroupPrincipal("anygroup@d1"),
+            new GroupPrincipal("D1\\anygroup"),
+            new GroupPrincipal("D1/anygroup"),
+            new GroupPrincipal("anygroup", "ns1"),
+            new GroupPrincipal("anygroup@d1", "ns2")))
+          .setDenies(Arrays.asList(
+            new UserPrincipal("u1"),
+            new GroupPrincipal("anygroup", "ns1"),
+            new GroupPrincipal("anygroup")))
+          .build(),
+        new AclTransform(rules).transform(baseAcl));
+  }
+
+  @Test
+  public void testSpecificMatching() {
+    List<Rule> rules = Arrays.asList(
+        new Rule(new MatchData(true, "g1", "", "ns1"),
+          new MatchData(null, null, "foundit", null)));
+    assertEquals(new Acl.Builder(baseAcl)
+          .setDenies(Arrays.asList(
+            new UserPrincipal("u1"),
+            new GroupPrincipal("g1"),
+            new GroupPrincipal("foundit\\g1", "ns1")))
+          .build(),
+        new AclTransform(rules).transform(baseAcl));
+  }
+
+  @Test(expected = NullPointerException.class)
+  public void testRuleNullMatch() {
+    new Rule(null, new MatchData(null, null, null, null));
+  }
+
+  @Test(expected = NullPointerException.class)
+  public void testRuleNullReplacement() {
+    new Rule(new MatchData(null, null, null, null), null);
+  }
+
+  @Test(expected = IllegalArgumentException.class)
+  public void testRuleWithNonNullReplacementGroup() {
+    new Rule(new MatchData(null, null, null, null),
+        new MatchData(false, null, null, null));
+  }
+
+  @Test
+  public void testToString() {
+    assertEquals("AclTransform(rules=[Rule("
+        + "match=MatchData(isGroup=true,name=a,domain=b,namespace=c),"
+        + "replace=MatchData(isGroup=null,name=null,domain=null,namespace=null)"
+        + ")])",
+        new AclTransform(Arrays.asList(new Rule(
+          new MatchData(true, "a", "b", "c"),
+          new MatchData(null, null, null, null)))).toString());
+  }
+
+  @Test
+  public void testEquals() {
+    MatchData m1 = new MatchData(true, "a", "b", "c");
+    MatchData m2 = new MatchData(true, new String("a"), new String("b"),
+        new String("c"));
+    MatchData m3 = new MatchData(false, "a", "b", "c");
+    MatchData m4 = new MatchData(null, "a", "b", "c");
+    MatchData m5 = new MatchData(true, "z", "b", "c");
+    MatchData m6 = new MatchData(true, null, "b", "c");
+    MatchData m7 = new MatchData(true, "a", "z", "c");
+    MatchData m8 = new MatchData(true, "a", null, "c");
+    MatchData m9 = new MatchData(true, "a", "b", "z");
+    MatchData m10 = new MatchData(true, "a", "b", null);
+    assertEquals(m1, m2);
+    assertEquals(m1.hashCode(), m2.hashCode());
+    assertFalse(m1.equals(m3));
+    assertFalse(m1.equals(m4));
+    assertFalse(m1.equals(m5));
+    assertFalse(m1.equals(m6));
+    assertFalse(m1.equals(m7));
+    assertFalse(m1.equals(m8));
+    assertFalse(m1.equals(m9));
+    assertFalse(m1.equals(m10));
+    assertFalse(m1.equals(new Object()));
+
+    // Same as m4
+    MatchData m11 = new MatchData(null, new String("a"), new String("b"),
+        new String("c"));
+    MatchData m12 = new MatchData(null, "a", "b", null);
+    Rule r1 = new Rule(m1, m4);
+    Rule r2 = new Rule(m2, m11);
+    Rule r3 = new Rule(m3, m4);
+    Rule r4 = new Rule(m1, m12);
+    assertEquals(r1, r2);
+    assertEquals(r1.hashCode(), r2.hashCode());
+    assertFalse(r1.equals(r3));
+    assertFalse(r1.equals(r4));
+    assertFalse(r1.equals(new Object()));
+
+    AclTransform t1 = new AclTransform(Arrays.asList(r1));
+    AclTransform t2 = new AclTransform(Arrays.asList(r2));
+    AclTransform t3 = new AclTransform(Arrays.asList(r3));
+    AclTransform t4 = new AclTransform(Arrays.asList(r1, r1));
+    assertEquals(t1, t2);
+    assertEquals(t1.hashCode(), t2.hashCode());
+    assertFalse(t1.equals(t3));
+    assertFalse(t1.equals(t4));
+    assertFalse(t1.equals(new Object()));
+  }
+}
diff --git a/test/com/google/enterprise/adaptor/DocumentHandlerTest.java b/test/com/google/enterprise/adaptor/DocumentHandlerTest.java
index e33ec08..d7f6273 100644
--- a/test/com/google/enterprise/adaptor/DocumentHandlerTest.java
+++ b/test/com/google/enterprise/adaptor/DocumentHandlerTest.java
@@ -358,6 +358,36 @@
   }
 
   @Test
+  public void testAclTransform() throws Exception {
+    AclTransform aclTransform = new AclTransform(Arrays.asList(
+        new AclTransform.Rule(
+            new AclTransform.MatchData(null, "u1", null, null),
+            new AclTransform.MatchData(null, "u2", null, null))));
+    mockAdaptor = new MockAdaptor() {
+      @Override
+      public void getDocContent(Request request, Response response)
+          throws IOException, InterruptedException {
+        response.setAcl(new Acl.Builder()
+            .setPermitUsers(Arrays.asList(
+                new UserPrincipal("u1"), new UserPrincipal("u3")))
+            .build());
+        super.getDocContent(request, response);
+      }
+    };
+    String remoteIp = ex.getRemoteAddress().getAddress().getHostAddress();
+    DocumentHandler handler = createHandlerBuilder()
+        .setAdaptor(mockAdaptor)
+        .setFullAccessHosts(new String[] {remoteIp})
+        .setAclTransform(aclTransform)
+        .build();
+    mockAdaptor.documentBytes = new byte[] {1, 2, 3};
+    handler.handle(ex);
+    assertEquals(200, ex.getResponseCode());
+    assertEquals("google%3Aaclusers=u2,google%3Aaclusers=u3",
+                 ex.getResponseHeaders().get("X-Gsa-External-Metadata").get(1));
+  }
+
+  @Test
   public void testNullAuthzResponse() throws Exception {
     MockAdaptor adaptor = new MockAdaptor() {
           @Override
@@ -1376,6 +1406,8 @@
     private String[] fullAccessHosts = new String[0];
     private SamlServiceProvider samlServiceProvider;
     private TransformPipeline transform;
+    private AclTransform aclTransform
+        = new AclTransform(Arrays.<AclTransform.Rule>asList());
     private int transformMaxBytes;
     private boolean transformRequired;
     private boolean useCompression;
@@ -1433,6 +1465,11 @@
       return this;
     }
 
+    public DocumentHandlerBuilder setAclTransform(AclTransform aclTransform) {
+      this.aclTransform = aclTransform;
+      return this;
+    }
+
     public DocumentHandlerBuilder setUseCompression(boolean useCompression) {
       this.useCompression = useCompression;
       return this;
@@ -1474,8 +1511,8 @@
     public DocumentHandler build() {
       return new DocumentHandler(docIdDecoder, docIdEncoder, journal, adaptor,
           authzAuthority, gsaHostname, fullAccessHosts, samlServiceProvider,
-          transform, useCompression, watchdog, pusher, sendDocControls,
-          headerTimeoutMillis, contentTimeoutMillis, scoring);
+          transform, aclTransform, useCompression, watchdog, pusher,
+          sendDocControls, headerTimeoutMillis, contentTimeoutMillis, scoring);
     }
   }
 }
diff --git a/test/com/google/enterprise/adaptor/GsaCommunicationHandlerTest.java b/test/com/google/enterprise/adaptor/GsaCommunicationHandlerTest.java
index 7b9d513..3ede388 100644
--- a/test/com/google/enterprise/adaptor/GsaCommunicationHandlerTest.java
+++ b/test/com/google/enterprise/adaptor/GsaCommunicationHandlerTest.java
@@ -370,6 +370,41 @@
   }
 
   @Test
+  public void testCreateAclTransformNone() throws Exception {
+    Map<String, String> config = new HashMap<String, String>();
+    assertEquals(new AclTransform(Arrays.<AclTransform.Rule>asList()),
+        GsaCommunicationHandler.createAclTransform(config));
+  }
+
+  @Test
+  public void testCreateAclTransformNoOp() throws Exception {
+    Map<String, String> config = new HashMap<String, String>() {
+      {
+        put("nogood", "name=u1;name=u1");
+        put("1", " type=group; ");
+        put("3", "nosemicolon");
+        put("5", "name=u1; name=u2, namespace=ns1");
+        put("6", "type=user, domain=d1;domain=d2");
+        put("7", "unknown=key;name=u1");
+        put("8", "missingequals;name=u1");
+        put("9", "type=unknown;name=u1");
+        put("10", "name=u1;type=group");
+      }
+    };
+    assertEquals(new AclTransform(Arrays.asList(
+          new AclTransform.Rule(
+            new AclTransform.MatchData(true, null, null, null),
+            new AclTransform.MatchData(null, null, null, null)),
+          new AclTransform.Rule(
+            new AclTransform.MatchData(null, "u1", null, null),
+            new AclTransform.MatchData(null, "u2", null, "ns1")),
+          new AclTransform.Rule(
+            new AclTransform.MatchData(false, null, "d1", null),
+            new AclTransform.MatchData(null, null, "d2", null)))),
+        GsaCommunicationHandler.createAclTransform(config));
+  }
+
+  @Test
   public void testKeyStore() throws Exception {
     assertNotNull(GsaCommunicationHandler.getKeyPair("notadaptor",
         KEYSTORE_VALID_FILENAME, "JKS", "notchangeit"));
diff --git a/test/com/google/enterprise/adaptor/PrincipalTest.java b/test/com/google/enterprise/adaptor/PrincipalTest.java
index 48366a2..a723f6e 100644
--- a/test/com/google/enterprise/adaptor/PrincipalTest.java
+++ b/test/com/google/enterprise/adaptor/PrincipalTest.java
@@ -16,6 +16,9 @@
 
 import static org.junit.Assert.*;
 
+import com.google.enterprise.adaptor.Principal.DomainFormat;
+import com.google.enterprise.adaptor.Principal.ParsedPrincipal;
+
 import org.junit.*;
 import org.junit.rules.ExpectedException;
 
@@ -162,4 +165,136 @@
        assertEquals(sorted, dup);
      }
   }
+
+  @Test
+  public void testPrincipalParse() {
+    assertEquals(
+        new ParsedPrincipal(false, "user", "", DomainFormat.NONE, "Default"),
+        new UserPrincipal("user").parse());
+    assertEquals(new ParsedPrincipal(false, "user", "example.com",
+          DomainFormat.DNS, "somens"),
+        new UserPrincipal("user@example.com", "somens").parse());
+    assertEquals(new ParsedPrincipal(false, "usr", "EXAMPLE",
+          DomainFormat.NETBIOS, "Default"),
+        new UserPrincipal("EXAMPLE\\usr").parse());
+    assertEquals(new ParsedPrincipal(true, "grp", "EXAMPLE.COM",
+          DomainFormat.NETBIOS_FORWARDSLASH, "Default"),
+        new GroupPrincipal("EXAMPLE.COM/grp").parse());
+  }
+
+  @Test
+  public void testParsedPrincipalRoundtrip() {
+    // All principals should round-trip back to an identical principal.
+    List<Principal> golden = Arrays.asList(
+        new UserPrincipal("user"),
+        new UserPrincipal("user@example.com", "ns1"),
+        new UserPrincipal("EXAMPLE.COM\\user", "ns2"),
+        new UserPrincipal("EXAMPLE.COM/user"),
+        new GroupPrincipal("group1"),
+        new GroupPrincipal("group@example.com"),
+        new GroupPrincipal("\\group"),
+        new GroupPrincipal("domain\\"),
+        new GroupPrincipal("/group"),
+        new GroupPrincipal("domain/"),
+        new GroupPrincipal("@domain"),
+        new GroupPrincipal("group@"),
+        new GroupPrincipal("domain\\group@/\\extra"),
+        new GroupPrincipal("domain/group@/\\extra"),
+        new GroupPrincipal("group@domain@/\\extra"));
+    for (Principal p : golden) {
+      assertEquals(p, p.parse().toPrincipal());
+    }
+  }
+
+  @Test
+  public void testParsedPrincipalToPrincipal() {
+    assertEquals(new UserPrincipal("a", "ns"),
+        new ParsedPrincipal(false, "a", "", DomainFormat.NONE, "ns")
+          .toPrincipal());
+    assertEquals(new UserPrincipal("a@", "ns"),
+        new ParsedPrincipal(false, "a", "", DomainFormat.DNS, "ns")
+          .toPrincipal());
+    assertEquals(new UserPrincipal("DOMAIN\\a", "ns"),
+        new ParsedPrincipal(false, "a", "DOMAIN", DomainFormat.NONE, "ns")
+          .toPrincipal());
+    assertEquals(new UserPrincipal("a@DOM\\AIN", "ns"),
+        new ParsedPrincipal(false, "a", "DOM\\AIN", DomainFormat.NETBIOS, "ns")
+          .toPrincipal());
+    assertEquals(new UserPrincipal("domain.com\\a@", "ns"),
+        new ParsedPrincipal(false, "a@", "domain.com", DomainFormat.DNS, "ns")
+          .toPrincipal());
+    assertEquals(new UserPrincipal("domain.com\\a/", "ns"),
+        new ParsedPrincipal(false, "a/", "domain.com", DomainFormat.DNS, "ns")
+          .toPrincipal());
+  }
+
+  @Test(expected = IllegalStateException.class)
+  public void testParsedPrincipalToPrincipalFail() {
+    new ParsedPrincipal(false, "a/", "domain@com", DomainFormat.DNS, "ns")
+        .toPrincipal();
+  }
+
+  @Test(expected = NullPointerException.class)
+  public void testParsedPrincipalNullPlainName() {
+    new ParsedPrincipal(false, null, "b", DomainFormat.DNS, "c");
+  }
+
+  @Test(expected = NullPointerException.class)
+  public void testParsedPrincipalNullDomain() {
+    new ParsedPrincipal(false, "a", null, DomainFormat.DNS, "c");
+  }
+
+  @Test(expected = NullPointerException.class)
+  public void testParsedPrincipalNullDomainFormat() {
+    new ParsedPrincipal(false, "a", "b", null, "c");
+  }
+
+  @Test(expected = NullPointerException.class)
+  public void testParsedPrincipalNullNamespace() {
+    new ParsedPrincipal(false, "a", "b", DomainFormat.DNS, null);
+  }
+
+  @Test
+  public void testParsedPrincipalEquals() {
+    ParsedPrincipal p1 = new ParsedPrincipal(false, "a", "b", DomainFormat.DNS,
+        "c");
+    ParsedPrincipal p2 = new ParsedPrincipal(false, new String("a"),
+        new String("b"), DomainFormat.DNS, new String("c"));
+    assertEquals(p1, p2);
+    assertEquals(p1.hashCode(), p2.hashCode());
+
+    assertFalse(p1.equals(new Object()));
+    assertFalse(p1.equals(new ParsedPrincipal(true, "a", "b", DomainFormat.DNS,
+        "c")));
+    assertFalse(p1.equals(new ParsedPrincipal(false, "z", "b", DomainFormat.DNS,
+        "c")));
+    assertFalse(p1.equals(new ParsedPrincipal(false, "a", "z", DomainFormat.DNS,
+        "c")));
+    assertFalse(p1.equals(new ParsedPrincipal(false, "a", "b",
+        DomainFormat.NONE, "c")));
+    assertFalse(p1.equals(new ParsedPrincipal(false, "a", "b", DomainFormat.DNS,
+        "z")));
+  }
+
+  @Test
+  public void testParsedPrincipalToString() {
+    assertEquals("ParsedPrincipal(isGroup=true,plainName=a,domain=b,"
+          + "domainFormat=NETBIOS,namespace=ns)",
+        new ParsedPrincipal(true, "a", "b", DomainFormat.NETBIOS, "ns")
+          .toString());
+  }
+
+  @Test
+  public void testParsedPrincipalSetters() {
+    ParsedPrincipal p
+        = new ParsedPrincipal(false, "a", "b", DomainFormat.DNS, "c");
+    assertEquals(new ParsedPrincipal(false, "z", "b", DomainFormat.DNS, "c"),
+        p.plainName("z"));
+    assertEquals(new ParsedPrincipal(false, "a", "z", DomainFormat.DNS, "c"),
+        p.domain("z"));
+    assertEquals(new ParsedPrincipal(false, "a", "b", DomainFormat.NONE, "c"),
+        p.domainFormat(DomainFormat.NONE));
+    assertEquals(new ParsedPrincipal(false, "a", "b", DomainFormat.DNS, "z"),
+        p.namespace("z"));
+  }
 }