topic Re: Managing Group Authorities as Regular User? in Alfresco Archive

Managing Group Authorities as Regular User?

cjd — Mon, 06 Sep 2010 21:19:39 GMT

Hello!I am developing an application where regular Alfresco users will need to be able to create and manage groups comprised of other system users through web scripts. I was thinking that using a regular user group (usr:authorityContainer) might work for this task, but I'm not sure… I know the Pe

Re: Managing Group Authorities as Regular User?

mrogers — Mon, 06 Sep 2010 23:17:57 GMT

Yes you are right that managing groups requires admin access. However you can write a script or a piece of code that "runs as" admin. Your script can then do the work to the groups. Of course you have then opened up group admin to everyone so you may want to control access to your script either by code or by permissions.

Re: Managing Group Authorities as Regular User?

cjd — Tue, 07 Sep 2010 00:23:07 GMT

Thanks for the response!

I am familiar with "runas", and I agree with you that using runas=admin could definitely cause some security "complications" which would need to be addressed in my app code… I'll need to think through that a bit more to figure out how feasible that might be, although my gut says I'm probably better off avoiding those issues…

If I look at a usr:authorityContainer node in the node browser, I see a property that lists all the members of the group, but I don't see any property tracking who created the group. I also see that there are READ permissions granted to "GROUP_EVERYONE", but no explicit write permissions assigned to anyone. So, I guess what I'm really wondering is, can explicit write permissions be granted to a regular user on the usr:authorityContainer node to enable that user to modify the properties of the node without needing to resort to runas=admin? Or would it not even matter if a regular user could write to the node because the API calls themselves require that the script be executed by an admin?

I'll see what I can find on my own, of course. Although, if you happen to know off the top of your head, it'd be much appreciated

Thanks again.

Re: Managing Group Authorities as Regular User?

jcoon — Mon, 27 Jun 2011 20:21:09 GMT

This would be a useful feature. Right now my only good workaround is to give users that need to modify groups full admin access…. that isn't a very professional solution. Alfresco should have a built-in option to grant a specific Group of users permission to edit specific user groups.