topic Alfresco custom site permission model for reading folders and reading+writing content in Alfresco Forum

Alfresco custom site permission model for reading folders and reading+writing content

Peter_Hegt — Wed, 14 Jun 2023 08:55:19 GMT

Hello,

We've got the following challenge. One of our clients asked us if it is possible to customize Alfresco (7) such that it is possible to have a site role where site members in that role are allowed to read the properties of folders in the site (actually folders of our custom type my:folder) but not change properties and are able to read and write content (same of custom type my:content) nodes (metadata and content file).

I have tried many different things with a custom permission model but I was not able to get it working.

Best regards, Peter

Re: Alfresco custom site permission model for reading folders and reading+writing content

Jigir_Shah1 — Wed, 14 Jun 2023 10:27:19 GMT

Hello @peter,

To achieve requirement which you mentioned, we need to create custom PermissionGroup with these available PermissionGroups mentioned below.

ReadProperties
ReadChildren
ReadContent
WriteContent

You can have folder structure with custom folder as parent and inside that custom documents can be pushed and Permissions applied on parent folder with custom role.

And if you are having ADF or any other custom UI, you can get permission of logged in user and accordingly enable/disable Document/user actions.

Let me know if you need more information.

Re: Alfresco custom site permission model for reading folders and reading+writing content

Peter_Hegt — Wed, 14 Jun 2023 14:58:30 GMT

Hello Jigir,

Thank you for your answer. Not sure if I completely get it. Here's in more detail what we want:

Given:

type my:dossier parent cm:folder
type my:document parent cm:content

and some site, say site-a with a member john.smith@example.org and some dossiers and documents

/Repository/Sites/site-a/documentLibrary
- dossier-1 [type my:dossier]
  - document-1-1.ext [type my:document]
  - document-1-2.ext [type my:document]
- dossier-2 [type my-dossier]
  - document-2-1.ext [type my:document]
  - document-2-2.ext [type my:document]

Now we want a site role SiteDocumentProcessor so that we can give john smith that role

and now john can read the dossier-x properties but not edit and john can read and write document-x-y.ext properties and content

This is the permission model I've tried (and other variations):

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE permissions ><!-- Default values --><!-- permissionSet --><!-- expose : all --><!-- permissionGroup --><!-- allowFullControl : false --><!-- expose           : true --><!-- extends          : false --><permissions><namespaces><namespace uri="http://www.alfresco.org/model/system/1.0" prefix="sys" /><namespace uri="http://www.alfresco.org/model/content/1.0" prefix="cm" /><namespace uri="http://www.alfresco.org/model/site/1.0" prefix="st" /><namespace uri="http://www.example.org/contentmodel/my/1.0" prefix="my" /></namespaces><permissionSet type="cm:cmobject">    <!-- Kept for backward compatibility - the administrator permission has -->    <!-- been removed to avoid confusion -->     <permissionGroup name="Administrator" allowFullControl="true" />    <!-- A coordinator can do anything to the object or its children unless the -->    <!-- permissions are set not to inherit or permission is denied.  -->    <permissionGroup name="Coordinator" allowFullControl="true" />    <!-- A collaborator can do anything that an editor and a contributor can do -->    <permissionGroup name="Collaborator">        <includePermissionGroup permissionGroup="Editor" type="cm:cmobject" />        <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject" />    </permissionGroup>    <!-- A contributor can create content and then they have full permission on what -->    <!-- they have created - via the permissions assigned to the owner. -->    <permissionGroup name="Contributor">        <!-- Contributor is a consumer who can add content, and then can modify via the -->        <!-- owner permissions. -->        <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject"/>        <includePermissionGroup permissionGroup="AddChildren" type="sys:base"/>        <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />    </permissionGroup>    <!-- An editor can read and write to the object; they can not create -->    <!-- new nodes. They can check out content into a space to which they have -->    <!-- create permission. -->    <permissionGroup name="Editor">        <includePermissionGroup type="cm:cmobject" permissionGroup="Consumer"/>        <includePermissionGroup type="sys:base" permissionGroup="Write"/>        <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>        <includePermissionGroup type="sys:base" permissionGroup="ReadPermissions"/>    </permissionGroup>    <!-- The Consumer permission allows read to everything by default. -->    <permissionGroup name="Consumer">        <includePermissionGroup permissionGroup="Read" type="sys:base" />    </permissionGroup>    <!-- records permission -->    <!-- Should be tied to the aspect -->    <!-- ownership should be removed when using this permission -->     <permissionGroup name="RecordAdministrator" expose="false">        <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>        <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>        <includePermissionGroup type="sys:base" permissionGroup="WriteProperties"/>        <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>        <includePermissionGroup type="sys:base" permissionGroup="DeleteChildren"/>        <includePermissionGroup type="sys:base" permissionGroup="CreateChildren"/>        <includePermissionGroup type="sys:base" permissionGroup="LinkChildren"/>        <includePermissionGroup type="sys:base" permissionGroup="DeleteAssociations"/>        <includePermissionGroup type="sys:base" permissionGroup="CreateAssociations"/>    </permissionGroup>    <permissionGroup name="DocumentProcessor">        <includePermissionGroup permissionGroup="Read" type="sys:base" />        <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />    </permissionGroup></permissionSet><permissionSet type="cm:content">    <!-- Content specific roles. -->    <permissionGroup name="Coordinator" extends="true" />    <permissionGroup name="Collaborator" extends="true" />    <permissionGroup name="Contributor" extends="true" />    <permissionGroup name="Editor" extends="true" />    <permissionGroup name="Consumer" extends="true" />    <permissionGroup name="RecordAdministrator" extends="true" expose="false"/>    <permissionGroup name="DocumentProcessor" extends="true">        <includePermissionGroup permissionGroup="Collaborator" type="cm:content" />        <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />    </permissionGroup></permissionSet><permissionSet type="cm:folder">    <!-- Content folder specific roles. -->    <permissionGroup name="Coordinator" extends="true" />    <permissionGroup name="Collaborator" extends="true" />    <permissionGroup name="Contributor" extends="true" />    <permissionGroup name="Editor" extends="true" />    <permissionGroup name="Consumer" extends="true" />    <permissionGroup name="RecordAdministrator" extends="true" expose="false"/>    <permissionGroup name="DocumentProcessor" extends="true">        <includePermissionGroup permissionGroup="Consumer" type="cm:folder" />        <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />    </permissionGroup></permissionSet><permissionSet type="my:dossier">    <!-- Content folder specific roles. -->    <permissionGroup name="Coordinator" extends="true" />    <permissionGroup name="Collaborator" extends="true" />    <permissionGroup name="Contributor" extends="true" />    <permissionGroup name="Editor" extends="true" />    <permissionGroup name="Consumer" extends="true" />    <permissionGroup name="RecordAdministrator" extends="true" expose="false"/>    <permissionGroup name="ReopenArchivedDossierPermission" extends="true" />    <permissionGroup name="DocumentProcessor" extends="true">    </permissionGroup></permissionSet><permissionSet type="my:document">    <!-- Content specific roles. -->    <permissionGroup name="Coordinator" extends="true" />    <permissionGroup name="Collaborator" extends="true" />    <permissionGroup name="Contributor" extends="true" />    <permissionGroup name="Editor" extends="true" />    <permissionGroup name="Consumer" extends="true" />    <permissionGroup name="RecordAdministrator" extends="true" />    <permissionGroup name="DocumentProcessor" extends="true">    </permissionGroup></permissionSet><permissionSet type="st:site">    <permissionGroup name="SiteManager" allowFullControl="true" />    <permissionGroup name="SiteCollaborator">        <includePermissionGroup permissionGroup="Collaborator" type="cm:cmobject" />    </permissionGroup>    <permissionGroup name="SiteContributor">        <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject" />    </permissionGroup>    <permissionGroup name="SiteConsumer">        <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject" />        <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />    </permissionGroup>    <permissionGroup name="SiteCoordinator">        <includePermissionGroup permissionGroup="Coordinator" type="cm:cmobject" />    </permissionGroup>    <permissionGroup name="SiteDocumentProcessor" type="my:dossier">        <includePermissionGroup permissionGroup="DocumentProcessor" type="my:dossier" />        <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />    </permissionGroup>    <permissionGroup name="SiteDocumentProcessor" type="my:document">        <includePermissionGroup permissionGroup="DocumentProcessor" type="my:document" />        <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />    </permissionGroup></permissionSet></permissions>

But now content is read-only for john...

(I had to copy paste basic stuff else it would not work at all)

Re: Alfresco custom site permission model for reading folders and reading+writing content

Peter_Hegt — Thu, 15 Jun 2023 09:15:40 GMT

Hello Jigir,

Thank you for your help. I have tried it, however it does not work because the user (when having that role) cannot edit the document properties nor the document content.

This is my permission model:

<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE permissions ><permissions>    <namespaces>        <namespace uri="http://www.alfresco.org/model/system/1.0" prefix="sys"/>        <namespace uri="http://www.alfresco.org/model/content/1.0" prefix="cm"/>        <namespace uri="http://www.alfresco.org/model/site/1.0" prefix="st"/>    </namespaces>    <permissionSet type="st:site" expose="selected">        <permissionGroup name="SiteManager" allowFullControl="true" expose="true" />        <permissionGroup name="SiteCollaborator" allowFullControl="false" expose="true">            <includePermissionGroup permissionGroup="Collaborator" type="cm:cmobject" />        </permissionGroup>        <permissionGroup name="SiteContributor" allowFullControl="false" expose="true">            <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject" />        </permissionGroup>        <permissionGroup name="SiteConsumer" allowFullControl="false" expose="true">            <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject" />            <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />        </permissionGroup>        <permissionGroup name="SiteDocumentProcessor" expose="true">            <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>            <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>            <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>            <includePermissionGroup type="sys:base" permissionGroup="WriteContent"/>        </permissionGroup>    </permissionSet></permissions>

Re: Alfresco custom site permission model for reading folders and reading+writing content

Peter_Hegt — Tue, 05 Dec 2023 09:34:41 GMT

Proposed solution is not good because solution must be IN Alfresco Repository because architecture: security must be enforces by server and not by client because that can be bypassed.

Re: Alfresco custom site permission model for reading folders and reading+writing content

Peter_Hegt — Tue, 05 Dec 2023 09:35:15 GMT

Hi, yes we need more information... see below

Re: Alfresco custom site permission model for reading folders and reading+writing content

Peter_Hegt — Tue, 05 Dec 2023 09:40:42 GMT

Hi yes we need more information