topic ACLs on a content type and metadata basis in Alfresco Forum

ACLs on a content type and metadata basis

ranjeetsi — Fri, 18 Dec 2020 04:51:22 GMT

Hi all,

We can have ACLs on the basis of folders in Alfresco but we need to have ACLS(allow and deny content access) requirement.

For a user OR group -

a) How can we restrict allow or deny access to a content type or folder type(defined in content model) for eg claim is a document type in content model, expense report is a content type.

b) How we can allow or deny content access on the basis of metadata properties . For eg . If metadata says sensitive=true , then deny access to all and allow access to only admin. If sensitive value is made false then , the content can be accessible by a service user / group.

Note: We can set permissions on a content/folder type but the minimum pemissions is consumer and the content can be read/accessible.

Please suggest.

Re: ACLs on a content type and metadata basis

afaust — Tue, 22 Dec 2020 17:35:54 GMT

Alfresco does not support such kind of ACL management out-of-the-box with any of their high-level services. There aren't even any (simple) alternative approaches that I could readily recommend, due to being untested/unverified and having potentially significant side effects on other parts of the application. Technically, something like this "should" be possible if one were to hijack the low-level handling of ACL inheritance via behaviours / service extensions, but for reasons stated I won't go into any details about this idea of mine...

A rather simple / limited solution I implemented for a customer of mine once handled a somewhat similar requirement by adding a service extension for the permission service, which post-processed metadata check for the custom sensible state after the basic read permission was already checked, and another service extension to the search service which transparently rewrote FTS / CMIS queries to include filter queries for the relevant metadata, so that the query already selected only the accessible nodes and there was no need for any further post-processing.

Re: ACLs on a content type and metadata basis

ranjeetsi — Tue, 22 Dec 2020 17:46:29 GMT

Thanks Alex for suggestion:

I had found some links so thought to get suggestion:

https://docs.alfresco.com/5.2/concepts/secur-permissions.html

https://docs.alfresco.com/6.1/references/dev-extension-points-permissions.html

Re: ACLs on a content type and metadata basis

ranjeetsi — Tue, 22 Dec 2020 20:20:41 GMT

Hi Alex,

Thanks for your response!.

Question:

For the extension in Permission service , the extension has to check the user/group against which it has to filter or provide access , so user/group has to be validated ?!

In that case - this has to be hardcoded in code for checking the a user/group access?

For eg:

A finance user needs to have access to invoice only ? So where we can do the mapping so that it can be used in code?

thanks,

Ranjeet