Permission Questions - Enterprise Network

rberg — Thu, 12 Jan 2006 17:18:44 GMT

Hi,I have a few permission questions I was hoping to have answered:1) It is my understanding that permissionDefinitions.xml is where you would essentially define an â€œACLâ€ that is associated with a type or aspect. Then that definition could be assigned to a user or group. Is this correct?2) Curre

Re: Permission Questions - Enterprise Network

andy — Fri, 13 Jan 2006 08:28:56 GMT

Hi

The first point of call is:
http://www.alfresco.org/mediawiki/index.php/Security_and_Authentication

1) It is my understanding that permissionDefinitions.xml is where you would essentially define an â€œACLâ€ that is associated with a type or aspect. Then that definition could be assigned to a user or group. Is this correct?

You are correct, and this file is a good example of what to do.
ACL is really (node, authority, permission, ALLOW|DENY)
You are defining permissions and convenient groups of permissions (which you may call roles if you want …)

2) Currently out-of-the-box the following roles exist: Contributor, Coordinator, Editor, Guest. Is it possible to define a custom role, and assign custom permissions to this role, perhapse specific to a type or aspect? If so, could an example of how to do this be provided?

It is possible to define your own role. Just create another permissoin group. All are specific to a type or aspect. The ownable aspect is a good example.

3) Could permissions be configured in such a way that a type and/or aspect would be available to one group, but not any others? Again, if possible, an example would be great.

This is not available at the moment. It requires some thought as you want to add a new "AddAspect/CreateType" permission bound to a type (as opposed to make a permission per type). I will add this to the list of things.

4) Does security extend beyond types and aspects? For example, could you limit which actions a user can choose when defining content rules for their space?

You can check if a user has any permission when building the UI so in principle, yes. You would have to assign global ACLs for some new permissions. Global ACLs are only in XML at the moment. You would have to change how these lists are built to reflect permissions. It is not supported out of the box.

5) Would it be possible with security, to have multiple conceptual â€œcompany homesâ€ within the same Store? For example with the following space structure:

We do not have pseudo roots. You could define the structure as described. If Home 1 and Home 2 have access restricted to each group then people will only see what they are allowed when they move up a folder. Home 1 will be Hidden from group 2 and the reverse.

I do not see why you can not have

|- Company Home
|- Group 1 Home
|- Group 2 Home

I don't recall any reason why a user's home space has to be below the company home. It may not be so easy to create it from the UI, I have not tried!

Company home is expected to be a unique location.

Regards

Andy

Re: Permission Questions - Enterprise Network

rberg — Fri, 13 Jan 2006 14:58:44 GMT

Andy,

Thank you for your quick reply, this really helps. I completely understand the security/permission model conceptually, but for some reason I am struggleing to get my mind around how to actually implement (in permissionDefinitions.xml) what I would like to do.

Could you please provide me with a simple example of the xml definition for this situation:

Let's say we have type cm:mytype, and a role called myrole (maybe it should actually be ROLE_myrole). I would like to only provide READ access to all content of type mytype to users and groups who have the role myrole, all other users should have no access. If you have time perhaps you could extend the example to demonstrate how to add READ and WRITE priveledges to content of type mytype to users and groups who have a role named authorrole.

Thanks again.
-Ryan

topic Permission Questions - Enterprise Network in Alfresco Archive

Permission Questions - Enterprise Network

Re: Permission Questions - Enterprise Network

Re: Permission Questions - Enterprise Network