topic Re: Complex Security Requirements in Alfresco Archive

Complex Security Requirements

ukdavo — Tue, 31 Aug 2010 11:49:28 GMT

I would like to develop/configure a fairly complex security model. Documents would be added to Alfresco with a bunch of business related metadata (e.g. project, document type, partner, contract, product, etc). Access to the documents would be dependant on the value of the document properties and the

Re: Complex Security Requirements

mrogers — Thu, 02 Sep 2010 19:13:31 GMT

You are right that normally group access will be group_a or group_b or group_c.   However the alfresco security model is very flexible and can be configured and extended.

You are going to need to do some digging…

Although just a thought … would it be possible to simplify the problem by creating a group (group_abc) containing the intersection of group_a, group_b and group_c.   And then using the standard permission model on that group.

Re: Complex Security Requirements

nick_l — Thu, 21 Feb 2013 05:22:58 GMT

It is an old post though.

I have similar problem. If we simply creating group_abc, it can lead to composition explosion. For example, there are 1000 groups like group a, 1000 groups like group b and 1000 groups like group c. The worst case, the composition groups like group_abc would be 1000*1000*1000.

Re: Complex Security Requirements

mrogers — Thu, 21 Feb 2013 21:40:49 GMT

Yes clearly that would be a problem, my suggestion above was a possible work-around. However since I wrote that first reply alfresco's permission model has gained "deny" and other stuff like property driven security for R.M. Although not easy I do think an "And" is do-able.

Re: Complex Security Requirements

nick_l — Thu, 21 Feb 2013 22:47:51 GMT

Thanks Rogers
Can you be more explicit about property driven security?

Re: Complex Security Requirements

mikemars — Tue, 26 Feb 2013 15:22:32 GMT

I'd suggest that you take a look at using Dynamic Authorities. There are examples in the Alfresco source such as LockOwnerDynamicAuthority.java

As the term suggests, these dynamically determine if a user should have access.

You will need to extend AbstractLifecycleBean and implement DynamicAuthority.

When defining your Dynamic Authority override the hasAuthority() method which you can use to determine if the user satisfies the required criteria, in your case checking the custom properties e.t.c

You can also override the getAuthority() method which determines the access the user should have, such as consumer, editor e.t.c