topic Re: New Role and ACL_METHOD in Alfresco Archive

New Role and ACL_METHOD

steel — Wed, 01 Mar 2006 17:18:50 GMT

Hi,I am creating a new role to allow a person to act as an administrator and add (create new) users and groups to their homespace. Temporarily I have attempted to elevate the priviledges of the Coordinator Role to allow creating a new person and group.I did the following:1. Set a globalPermission i

Re: New Role and ACL_METHOD

steel — Wed, 01 Mar 2006 22:45:25 GMT

anyone?

Re: New Role and ACL_METHOD

steel — Wed, 01 Mar 2006 23:43:23 GMT

Ok, I found that I made a mistake with the whole ROLE_COORDINATOR I think. I corrected them and replaced it with ACL_NODE.0.cmbject.Coordinator. The person.CreatePerson runs find but it is getting stuck on PermissionService.getAllPermission which as a rule of ACL_ALLOW.

In the public services security context file it states:

<!– If one method cal requires security enforcement - all methods must gave a –>
<!– security entry of some sort. ACL_ALLOW can be used to give access to all –>
<!– ROLE_ADMINISTRATOR can be used to grant access to administrator related methods –>

I am not exactly sure exactly what this mean. ACL ALLOW can be used to give access to all? If it is all I am not sure why it is getting stuck at this point.

Here are some debugger info:
authentication:
net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@317bdd: Username: net.sf.acegisecurity.providers.dao.User@bb02e3: Username: sfu; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.providers.dao.User@bb02e3: Username: sfu; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED; Granted Authorities: ROLE_AUTHENTICATED

detailed message:
Bad credentials presented

Can anyone shed some light on this? I would really appreciate it. Thanks!

Re: New Role and ACL_METHOD

steel — Thu, 02 Mar 2006 18:04:30 GMT

I re-read the Security wiki and realized that this is the reverse of what I want to do with adding coordinator to the objectDefinitionSource line because it adds on to the requirement not takes away from it.

I'm trying to find documentation on how to implement an OR statement in the uri pattern to allow both admin and a coordinator.

Re: New Role and ACL_METHOD

derek — Tue, 07 Mar 2006 12:30:29 GMT

Hi,

Admin will always be allowed. The reason why some methods may require admin explicitly is that all methods on the interface have to have an entry. So if you had a method that only admin was allowed to use, then you would have to put admin down otherwise Acegi would clear the security context when the method was used.

ACL_Allow is for those methods that don't require any protection. But something still has to be put down for each method.

If you have Coordinator on a method, then admin is still allowed to use it.

Regards

Re: New Role and ACL_METHOD

debraj — Tue, 05 Feb 2008 09:38:38 GMT

hi steel and derek,
I am also trying to configure the same thing.I want a user to have a role through which he can only create new users and groups.Can you please help me in this regard.
Thanks for any suggestions

Re: New Role and ACL_METHOD

andy — Tue, 05 Feb 2008 14:53:55 GMT

Hi

You are probably best creating a group for these people (eg "woof") and then adding protection for this group on the methods. Then use ACL_METHOD.GROUP_woof.

Andy

Re: New Role and ACL_METHOD

debraj — Wed, 06 Feb 2008 04:56:14 GMT

Thanks a lot for the reply. This is the first reply i got in the alfresco forum. Can you please elaborate on adding protection for this group on this method. And also group creation is done on the ui. How can i put this in the source code. By group did you mean a permission group

Re: New Role and ACL_METHOD

debraj — Wed, 06 Feb 2008 06:40:45 GMT

And also how will the admin console come up in the ui for the user in the group woof

Re: New Role and ACL_METHOD

debraj — Wed, 06 Feb 2008 08:47:03 GMT

I created a group and added protection for this group in public-services-security-context.xml. But the user cannot view the admin console.

How can i bring up the admin console??

The admin console comes up when i add the user as a admin in authority-context.xml but this user can also operate on context and space.

I want the user to only create and delete user/group and he souldnt have permission for any other action.

Thanks a lot for any replies

Re: New Role and ACL_METHOD

andy — Tue, 19 Feb 2008 14:48:56 GMT

Hi

You will have to modify the protection (conditional display based on evaluators) for the UI screens and possibly extend the UI. You could always use the Javascript API to provide this specific functionality for a sub set of users. This may be easier.

Andy