
Complex Security Requirements

ukdavo
Champ in-the-making
I would like to develop/configure a fairly complex security model. Documents would be added to Alfresco with a bunch of business-related metadata (e.g. project, document type, partner, contract, product, etc). Access to the documents would be dependent on the value of the document properties and the user's membership of one or more groups. I don't think that the standard Alfresco security model (i.e. groups/users, ACLs, etc) would accommodate this but I could be wrong. For example, access to a document may be granted to users that are members of group_a and group_b and group_c ('and' not 'or'). Can anyone suggest a possible approach to this?

Thanks
5 REPLIES

mrogers
Star Contributor
You are right that normally group access will be group_a or group_b or group_c. However, the Alfresco security model is very flexible and can be configured and extended.

You are going to need to do some digging…  

Although just a thought … would it be possible to simplify the problem by creating a group (group_abc) containing the intersection of group_a, group_b and group_c, and then using the standard permission model on that group?

nick_l
Champ in-the-making
It is an old post though.

I have a similar problem. If we simply create group_abc, it can lead to a composition explosion. For example, there are 1000 groups like group a, 1000 groups like group b and 1000 groups like group c. In the worst case, the composition groups like group_abc would be 1000*1000*1000.

mrogers
Star Contributor
Yes, clearly that would be a problem; my suggestion above was a possible work-around. However, since I wrote that first reply, Alfresco's permission model has gained "deny" and other stuff like property driven security for R.M. Although not easy, I do think an "And" is do-able.


nick_l
Champ in-the-making
Thanks Rogers
Can you be more explicit about property driven security?

mikemars
Champ in-the-making
I'd suggest that you take a look at using Dynamic Authorities. There are examples in the Alfresco source such as LockOwnerDynamicAuthority.java

As the term suggests, these dynamically determine if a user should have access.

You will need to extend AbstractLifecycleBean and implement DynamicAuthority.

When defining your Dynamic Authority, override the hasAuthority() method, which you can use to determine if the user satisfies the required criteria, in your case checking the custom properties etc.

You can also override the getAuthority() method, which determines the access the user should have, such as consumer, editor etc.
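
The approach discussed in this thread, sketched as an added example (not code from any poster or from the Alfresco source): a dynamic authority that is held only by users who belong to every group named in a document property, which gives the "and" semantics without creating one group per combination. The package, class name, property QName and role name are hypothetical, and the `AbstractLifecycleBean` import assumes a release that ships it in the Spring Surf package.

```java
package org.example.security; // hypothetical package

import java.io.Serializable;
import java.util.Collection;
import java.util.Collections;
import java.util.Set;
import org.alfresco.repo.security.permissions.DynamicAuthority;
import org.alfresco.repo.security.permissions.PermissionReference;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.namespace.QName;
import org.springframework.context.ApplicationEvent;
import org.springframework.extensions.surf.util.AbstractLifecycleBean;

/** Held by a user only when they are in ALL groups listed on the node. */
public class AllGroupsDynamicAuthority extends AbstractLifecycleBean implements DynamicAuthority {
    // Hypothetical multi-valued text property, e.g. [GROUP_a, GROUP_b, GROUP_c]
    static final QName PROP_REQUIRED_GROUPS =
            QName.createQName("http://example.org/model/sec/1.0", "requiredGroups");
    static final String ROLE = "ROLE_ALL_REQUIRED_GROUPS"; // hypothetical authority name

    private NodeService nodeService;           // assumption: wired to the internal node service bean
    private AuthorityService authorityService;
    public void setNodeService(NodeService s) { this.nodeService = s; }
    public void setAuthorityService(AuthorityService s) { this.authorityService = s; }

    @Override
    public boolean hasAuthority(NodeRef nodeRef, String userName) {
        Serializable value = nodeService.getProperty(nodeRef, PROP_REQUIRED_GROUPS);
        if (value == null) return false;       // fail closed: no list means no dynamic grant
        Collection<?> required = (value instanceof Collection)
                ? (Collection<?>) value : Collections.singleton(value);
        if (required.isEmpty()) return false;  // an empty list must not match everyone
        // Includes the groups the user belongs to, directly or through nesting.
        Set<String> held = authorityService.getAuthoritiesForUser(userName);
        return held.containsAll(required);     // "and", not "or"
    }

    @Override public String getAuthority() { return ROLE; }
    // Assumption: null means the authority is considered for every permission check.
    @Override public Set<PermissionReference> requiredFor() { return null; }
    @Override protected void onBootstrap(ApplicationEvent event) { }
    @Override protected void onShutdown(ApplicationEvent event) { }
}
```

The class grants nothing by itself: the bean has to be registered with the permission service alongside the built-in dynamic authorities, and each document's ACL needs an entry granting a role such as Consumer to `ROLE_ALL_REQUIRED_GROUPS`. Any inherited or direct grant to the individual groups still applies with "or" semantics, so those entries have to be removed for the "and" rule to be the effective one.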