https://connect.hyland.com/t5/alfresco-archive/extending-the-permission-service-to-allow-permissions-based-on/m-p/293052#M246182 <HTML><HEAD></HEAD><BODY><SPAN>I would like to be able to assign permissions based on aspects.</SPAN><BR /><BR /><SPAN>Use case:</SPAN><BR /><SPAN>Our Alfresco deployment uses External Authentication for logging in. Our external authentication method allows users to log in by login/password or using a two factor method involving a Common Access Card.</SPAN><BR /><SPAN>The external authentication system sets an HTTP header variable that identifies which method the user used to log in.&nbsp; An Alfresco extension sets an aspect attribute on the user's person node corresponding to their method of login.</SPAN><BR /><SPAN>Our Alfresco deployment houses a subset of documents that, by policy, should only be seen/accessed by users who have logged in via the two factor method.&nbsp; These sensitive documents are marked as such using an aspect.</SPAN><BR /><SPAN>Permission to documents needs to be determined based on the whether the user has permission to the document through their site access, the user's authentication method and the document's sensitive.</SPAN><BR /><BR /><SPAN>Looking at some of the Alfresco documentation on the permission service (</SPAN><A href="http://docs.alfresco.com/5.0/concepts/implserv-permiss.html" rel="nofollow noopener noreferrer">http://docs.alfresco.com/5.0/concepts/implserv-permiss.html</A><SPAN>), it appears that this is what I need to extend/modify in order to accomplish what I want. Note that the referenced page says that the permission service is responsible for 'Determining if the current, authenticated user has permission to a node'.</SPAN><BR /><BR /><SPAN>Outside of defining/modifying permission definitions, there's not a lot of information or examples on how to go about extending the permission service.&nbsp; What classes of the permission service perform the action of determining whether a user has permission to a node. What is the best way to go about extending it to look at whether the user's aspect indicates they have authenticated via two-factor and whether the current document requires it for access.</SPAN><BR /><BR /><BR /></BODY></HTML> Fri, 24 Jul 2015 16:14:05 GMT vamirr 2015-07-24T16:14:05Z https://connect.hyland.com/t5/alfresco-archive/extending-the-permission-service-to-allow-permissions-based-on/m-p/293052#M246182 I would like to be able to assign permissions based on aspects.Use case<IMG id="smileysurprised" class="emoticon emoticon-smileysurprised" src="https://migration33.stage.lithium.com/i/smilies/16x16_smiley-surprised.png" alt="Smiley Surprised" title="Smiley Surprised" />ur Alfresco deployment uses External Authentication for logging in. Our external authentication method allows users to log in by login/password or using a two factor method involving a Common Access Card.The external authentica Fri, 24 Jul 2015 16:14:05 GMT https://connect.hyland.com/t5/alfresco-archive/extending-the-permission-service-to-allow-permissions-based-on/m-p/293052#M246182 vamirr 2015-07-24T16:14:05Z https://connect.hyland.com/t5/alfresco-archive/extending-the-permission-service-to-allow-permissions-based-on/m-p/293053#M246183 <HTML><HEAD></HEAD><BODY><SPAN>Hello,</SPAN><BR /><BR /><SPAN>typically, you do not extend the PermissionService and even when - it is not a customization recommended by Alfresco. The extension points of custom permissions and dynamic authorities are - from my experience - more than enough to address between 95-99% of use cases. Your requirements sound like something that could be achieved using these two concepts with a bit of "creative coding". Also - instead of extending the permission service you might want to consider simply facading it to add your custom checks AFTER the standard implementation has run and only when appropriate.</SPAN><BR /><BR /><SPAN>Nevertheless, to answer your question: The PermissionServiceImpl is the class you are looking for. It is a self-contained collection of the service and the low level ACL evaluation ("Does user x have permission y?"). In case you do decide to extend it, maybe the best point would be the high-level hasPermission(NodeRef, PermissionReference) method - at lower levels you loose the context necessary to check you aspects.</SPAN><BR /><BR /><SPAN>Regards</SPAN><BR /><SPAN>Axel</SPAN></BODY></HTML> Mon, 27 Jul 2015 08:16:03 GMT https://connect.hyland.com/t5/alfresco-archive/extending-the-permission-service-to-allow-permissions-based-on/m-p/293053#M246183 afaust 2015-07-27T08:16:03Z https://connect.hyland.com/t5/alfresco-archive/extending-the-permission-service-to-allow-permissions-based-on/m-p/293054#M246184 <HTML><HEAD></HEAD><BODY><SPAN>Hi Axel,</SPAN><BR /><BR /><SPAN>Thank you for your comments, you have been extremely helpful.&nbsp; I was able to achieve my requirement by implementing a MethodInterceptor and wiring that into the NodeService.</SPAN></BODY></HTML> Tue, 28 Jul 2015 13:30:30 GMT https://connect.hyland.com/t5/alfresco-archive/extending-the-permission-service-to-allow-permissions-based-on/m-p/293054#M246184 vamirr 2015-07-28T13:30:30Z