Hyland Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ACL inheritance - am I missing something?

gjferrier
Champ in-the-making
Champ in-the-making

‎12-04-2012 12:06 PM

Am sure I must be missing something, but I'm sure what exactly.  Here's the scenario …

I've got a document space which gets created with the GROUP_EVERYONE cmis:read ACE.  If any further content I create as a child of that content will inherit the permissions am I right in thinking that any further child will always have the GROUP_EVERYONE cmis:read ACE?  How do I apply ACEs so that access is denied to GROUP_EVERYONE if there is some ancester, no matter how far away, that has the ACE added?

MTIA
Labels:
0 Kudos
3 REPLIES 3

jpotts
World-Class Innovator
World-Class Innovator

‎12-08-2012 02:08 AM

By default, GROUP_EVERYONE is set to read on the root folder. And, by default, all objects inherit from their parent. So unless GROUP_EVERYONE is removed from the root folder, every descendent of root that doesn't explicitly break ACL inheritance will inherit GROUP_EVERYONE as a reader.

Unfortunately, you cannot use CMIS to break inheritance.

Jeff
Jeff Potts
https://www.metaversant.com | https://ecmarchitect.com
0 Kudos

gjferrier
Champ in-the-making
Champ in-the-making

‎12-12-2012 09:40 AM

Thanks Jeff, I have a follow-up.

I'd like to be able to give two users with different group assignment a different view of a single folder, i.e. in a folder there are 2 files, one which has Group A cmis:read, the other which has Group B cmis:read.  Therefore a user from either Group A would only see a single file, the same is true for Group B, except it would be the other file.  From what I can tell that's not possible with the current permissions mapping in Alfresco, and perhaps not at all within the bounds of CMIS.  Can you advise?

MTIA.
0 Kudos

jpotts
World-Class Innovator
World-Class Innovator

‎01-02-2013 03:02 PM

Suppose the folder is called "Some Folder". To implement your example, you'd need to make sure that the EVERYONE group is removed from Some Folder. You would then make sure that file1 has Group A set as a consumer (cmis:read) with inheritance broken (which you cannot do through CMIS). You would add Group B to file2 as a consumer, again with inheritance broken. You can add both Group A and Group B to Some Folder as consumers. Now, when members of each group view the folder, they will each only see one file.

If you use Alfresco (not CMIS) to break the inheritance on the objects, you can use CMIS for the rest.

Jeff
Jeff Potts
https://www.metaversant.com | https://ecmarchitect.com
0 Kudos
Getting started

Tags

Find what you came for

We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.

Copyright © 2025 Khoros, LLC