topic Re: How to enable non-admin user to modify ACLs to docs in Alfresco Forum

How to enable non-admin user to modify ACLs to docs

longinus — Fri, 03 Nov 2017 16:12:22 GMT

Hello AllHow do we enable user to modify ACLs (add new, remove existing) ?Me as an admin can make a call to folder.addAcl() and assign new permissions for principals. But how can i enable other selected user to achieve the same thing? Would i need to put a user into a group and then assign it some c

Re: How to enable non-admin user to modify ACLs to docs

afaust — Fri, 03 Nov 2017 18:50:10 GMT

A user needs to have the ChangePermissions privilege / permission on the document (or inherited from the parent folder) to be able to manage the ACL.

Re: How to enable non-admin user to modify ACLs to docs

longinus — Sat, 04 Nov 2017 12:59:44 GMT

Is there a way to set it outside of Share?

Re: How to enable non-admin user to modify ACLs to docs

afaust — Sun, 05 Nov 2017 13:00:43 GMT

You mean out-of-the-box? There isn't even a way to set this privilege in Share without some minor customisation. But as long as you have a tool / client that can call a ReST API, you could use either ReST v1 API or custom web scripts to set this privilege.

Re: How to enable non-admin user to modify ACLs to docs

longinus — Sun, 05 Nov 2017 19:16:54 GMT

Thanks for reply.

Do you mind telling me which rest public so i I can use to set permissions?

Re: How to enable non-admin user to modify ACLs to docs

afaust — Mon, 06 Nov 2017 09:39:51 GMT

A pu to the /nodes/{nodeId} v1 ReST endpoint allows to set permissions.

Re: How to enable non-admin user to modify ACLs to docs

longinus — Thu, 09 Nov 2017 17:34:39 GMT

Thanks for pointing me to this endpoint. I am able to add new permissions with it now.

However, overwriting the existing inherited permissions doesn't work. Inherited permissions are: GROUP_EVERYONE, Consumer, ALLOWED. I would like to remove it or overwrite it with GROUP_EVERYONE, Consumer, DENIED.

I end up having them both set, and since ALLOWED is first on the list, it is applied first.

Is there a way to remove ALLOWED or overwrite it?

Re: How to enable non-admin user to modify ACLs to docs

afaust — Fri, 10 Nov 2017 10:32:04 GMT

The order of the permissions does not matter. If there is a DENIED set on a level in addition to an inherited ALLOWED, the DENIED has precedence.

The only way to remove inherited ALLOWED is to disable the inheritance on that folder alltogether.

Re: How to enable non-admin user to modify ACLs to docs

longinus — Fri, 10 Nov 2017 14:05:35 GMT

I see.

What's the precedence in reverse situation? I.e. when DENIED is inherited and you want to enable a group to documents in child folder only?

Re: How to enable non-admin user to modify ACLs to docs

longinus — Tue, 14 Nov 2017 18:01:10 GMT

And what happens when user is in GROUP_EVERYONE with DENIED and also in another group with "Write" ALLOWED?

Would the GROUP_EVERYONE rule overwrite the 2nd group's write access? Can user be in two different groups, one of which allows him access and the other denying him access?

Re: How to enable non-admin user to modify ACLs to docs

afaust — Tue, 14 Nov 2017 19:33:07 GMT

Basically it is safe to assume that permission set at a lower level take precedence over a higher level, and more specific permissions take precedence over less specific ones. I.e. if user A has been DENIED Consumer permission but has been ALLOWED Read permission, that user will be able to read content items. If user has competing permissions set on the same level (directly or via membership in multiple groups), then the DENIED will take precedence, though the "more specific" rule still kicks in, i.e. a permission set to user specifically will have precedence over a permission set to the group.

It's all quite logical...