https://connect.hyland.com/t5/alfresco-archive/complex-security-requirements/m-p/215671#M168801 <HTML><HEAD></HEAD><BODY><SPAN>I would like to develop/configure a fairly complex security model. Documents would be added to Alfresco with a bunch of business related metadata (e.g. project, document type, partner, contract, product, etc). Access to the documents would be dependant on the value of the document properties and the users membership of one or more groups. I don't think that the standard Alfresco security model (i.e. groups/users, ACLs, etc) would accommodate this but I could be wrong. For example, access to a document may be granted to users that are members of group_a and group_b and group_c ('and' not 'or'). Can anyone suggest a possible approach to this?</SPAN><BR /><BR /><SPAN>Thanks</SPAN></BODY></HTML> Tue, 31 Aug 2010 11:49:28 GMT ukdavo 2010-08-31T11:49:28Z https://connect.hyland.com/t5/alfresco-archive/complex-security-requirements/m-p/215671#M168801 I would like to develop/configure a fairly complex security model. Documents would be added to Alfresco with a bunch of business related metadata (e.g. project, document type, partner, contract, product, etc). Access to the documents would be dependant on the value of the document properties and the Tue, 31 Aug 2010 11:49:28 GMT https://connect.hyland.com/t5/alfresco-archive/complex-security-requirements/m-p/215671#M168801 ukdavo 2010-08-31T11:49:28Z https://connect.hyland.com/t5/alfresco-archive/complex-security-requirements/m-p/215672#M168802 <HTML><HEAD></HEAD><BODY><SPAN>You are right that normally group access will be group_a or group_b or group_c.&nbsp;&nbsp; However the alfresco security model is very flexible and can be configured and extended.</SPAN><BR /><BR /><SPAN>You are going to need to do some digging…&nbsp;&nbsp; </SPAN><BR /><BR /><SPAN>Although just a thought … would it be possible to simplify the problem by creating a group (group_abc) containing the intersection of group_a, group_b and group_c.&nbsp;&nbsp; And then using the standard permission model on that group.</SPAN></BODY></HTML> Thu, 02 Sep 2010 19:13:31 GMT https://connect.hyland.com/t5/alfresco-archive/complex-security-requirements/m-p/215672#M168802 mrogers 2010-09-02T19:13:31Z https://connect.hyland.com/t5/alfresco-archive/complex-security-requirements/m-p/215673#M168803 <HTML><HEAD></HEAD><BODY><SPAN>It is an old post though.</SPAN><BR /><BR /><SPAN>I have similar problem. If we simply creating group_abc, it can lead to composition explosion. For example, there are 1000 groups like group a, 1000 groups like group b and 1000 groups like group c. The worst case, the composition groups like group_abc would be 1000*1000*1000.&nbsp; </SPAN></BODY></HTML> Thu, 21 Feb 2013 05:22:58 GMT https://connect.hyland.com/t5/alfresco-archive/complex-security-requirements/m-p/215673#M168803 nick_l 2013-02-21T05:22:58Z https://connect.hyland.com/t5/alfresco-archive/complex-security-requirements/m-p/215674#M168804 <HTML><HEAD></HEAD><BODY><SPAN>Yes clearly that would be a problem, my suggestion above was a possible work-around.&nbsp;&nbsp; However since I wrote that first reply alfresco's permission model has gained "deny" and other stuff like property driven security for R.M.&nbsp;&nbsp; Although not easy I do think an "And" is do-able.&nbsp;&nbsp;&nbsp; </SPAN><BR /><BR /><BR /></BODY></HTML> Thu, 21 Feb 2013 21:40:49 GMT https://connect.hyland.com/t5/alfresco-archive/complex-security-requirements/m-p/215674#M168804 mrogers 2013-02-21T21:40:49Z https://connect.hyland.com/t5/alfresco-archive/complex-security-requirements/m-p/215675#M168805 <HTML><HEAD></HEAD><BODY><SPAN>Thanks Rogers</SPAN><BR /><SPAN>Can you be more explicit about property driven security?</SPAN></BODY></HTML> Thu, 21 Feb 2013 22:47:51 GMT https://connect.hyland.com/t5/alfresco-archive/complex-security-requirements/m-p/215675#M168805 nick_l 2013-02-21T22:47:51Z https://connect.hyland.com/t5/alfresco-archive/complex-security-requirements/m-p/215676#M168806 <HTML><HEAD></HEAD><BODY><SPAN>I'd suggest that you take a look at using Dynamic Authorities. There are examples in the Alfresco source such as LockOwnerDynamicAuthority.java</SPAN><BR /><BR /><SPAN>As the term suggests, these dynamically determine if a user should have access.</SPAN><BR /><BR /><SPAN>You will need to extend AbstractLifecycleBean and implement DynamicAuthority.</SPAN><BR /><BR /><SPAN>When defining your Dynamic Authority override the hasAuthority() method which you can use to determine if the user satisfies the required criteria, in your case checking the custom properties e.t.c</SPAN><BR /><BR /><SPAN>You can also override the getAuthority() method which determines the access the user should have, such as consumer, editor e.t.c</SPAN><BR /><BR /><BR /></BODY></HTML> Tue, 26 Feb 2013 15:22:32 GMT https://connect.hyland.com/t5/alfresco-archive/complex-security-requirements/m-p/215676#M168806 mikemars 2013-02-26T15:22:32Z