Extending the Permission Service to allow permissions based on aspects

vamirr
Champ on-the-rise
I would like to be able to assign permissions based on aspects.

Use case:
Our Alfresco deployment uses External Authentication for logging in. Our external authentication method allows users to log in by login/password or using a two factor method involving a Common Access Card.
The external authentication system sets an HTTP header variable that identifies which method the user used to log in.  An Alfresco extension sets an aspect attribute on the user's person node corresponding to their method of login.
Our Alfresco deployment houses a subset of documents that, by policy, should only be seen/accessed by users who have logged in via the two factor method.  These sensitive documents are marked as such using an aspect.
Permission to documents needs to be determined based on whether the user has permission to the document through their site access, the user's authentication method and the document's sensitivity.

Looking at some of the Alfresco documentation on the permission service (http://docs.alfresco.com/5.0/concepts/implserv-permiss.html), it appears that this is what I need to extend/modify in order to accomplish what I want. Note that the referenced page says that the permission service is responsible for 'Determining if the current, authenticated user has permission to a node'.

Outside of defining/modifying permission definitions, there's not a lot of information or examples on how to go about extending the permission service. What classes of the permission service perform the action of determining whether a user has permission to a node? What is the best way to go about extending it to look at whether the user's aspect indicates they have authenticated via two-factor and whether the current document requires it for access?


2 REPLIES

afaust
Legendary Innovator
Hello,

typically, you do not extend the PermissionService and even when - it is not a customization recommended by Alfresco. The extension points of custom permissions and dynamic authorities are - from my experience - more than enough to address between 95-99% of use cases. Your requirements sound like something that could be achieved using these two concepts with a bit of "creative coding". Also - instead of extending the permission service you might want to consider simply facading it to add your custom checks AFTER the standard implementation has run and only when appropriate.

Nevertheless, to answer your question: The PermissionServiceImpl is the class you are looking for. It is a self-contained collection of the service and the low level ACL evaluation ("Does user x have permission y?"). In case you do decide to extend it, maybe the best point would be the high-level hasPermission(NodeRef, PermissionReference) method - at lower levels you lose the context necessary to check your aspects.

Regards
Axel

vamirr
Champ on-the-rise
Hi Axel,

Thank you for your comments, you have been extremely helpful.  I was able to achieve my requirement by implementing a MethodInterceptor and wiring that into the NodeService.
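
The facade approach from the first reply, written as the kind of MethodInterceptor mentioned in the last post. This is an added example, not code from either poster or from Alfresco: it wraps the permission service rather than the NodeService, the class name, namespace and both aspect QNames are hypothetical, and it assumes the injected `nodeService` and `personService` are the low-level beans that do not perform permission checks themselves (otherwise the lookups would re-enter the interceptor).

```java
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.namespace.QName;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;

public class TwoFactorPermissionInterceptor implements MethodInterceptor {
    // Hypothetical QNames; substitute the aspects from your own content model.
    static final String NS = "http://example.org/model/security/1.0";
    static final QName ASPECT_SENSITIVE = QName.createQName(NS, "sensitive");
    static final QName ASPECT_TWO_FACTOR = QName.createQName(NS, "twoFactorLogin");

    private NodeService nodeService;     // assumed: low-level bean, no permission checks
    private PersonService personService; // assumed: low-level bean, no permission checks

    public void setNodeService(NodeService s) { this.nodeService = s; }
    public void setPersonService(PersonService s) { this.personService = s; }

    @Override
    public Object invoke(MethodInvocation inv) throws Throwable {
        Object result = inv.proceed(); // standard ACL evaluation runs first
        Object[] args = inv.getArguments();
        // Only tighten hasPermission(NodeRef, ...) results that came back ALLOWED;
        // a DENIED or UNDETERMINED result is never upgraded here.
        if (!"hasPermission".equals(inv.getMethod().getName())
                || result != AccessStatus.ALLOWED
                || args.length == 0 || !(args[0] instanceof NodeRef)) {
            return result;
        }
        NodeRef node = (NodeRef) args[0];
        if (!nodeService.exists(node) || !nodeService.hasAspect(node, ASPECT_SENSITIVE)) {
            return result; // not a sensitive document: the ACL decision stands
        }
        return callerUsedTwoFactor() ? AccessStatus.ALLOWED : AccessStatus.DENIED;
    }

    private boolean callerUsedTwoFactor() {
        // Check the logged-in user rather than the current runAs user.
        String user = AuthenticationUtil.getFullyAuthenticatedUser();
        if (user == null) {
            return false; // fail closed when no logged-in user is known
        }
        NodeRef person = personService.getPersonOrNull(user);
        return person != null && nodeService.hasAspect(person, ASPECT_TWO_FACTOR);
    }
}
```

Because the interceptor only ever turns ALLOWED into DENIED, a wiring mistake can block access but cannot grant it. Before relying on it, confirm that every read path for sensitive documents (search results, direct content download, remote APIs) actually reaches the intercepted bean.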