
Have you really removed security from the opensource version

jocsch
Champ in-the-making
Oh, I am the first one to post in this forum, nice 😉
Have you really removed security from the opensource version of the repository? Or did you only remove the administration mask?
I know you must earn money with this product and I always supposed that there are some limitations to come.

But security is a must-have in nearly all areas where a repository is needed.
From the beginning on, when I first read about Alfresco, I thought about using it as a repository in an opensource project. But without security features there is really no way to use it there. I think I would then go for the jackrabbit repository. But it is really a pity. Hey, I don't need clustering or a web-UI or the content transformation thingy, but security is really basic.

my 2cents,
markus

kevinr
Star Contributor
Hello,

A security implementation was never present in the Open version; the API is present, so we have not removed it. Simple authentication and basic user management are present, but yes, Role and Group based access control and NTLM authentication features are not currently going to be available in the Open version.

Apologies if you feel we misled you about the security feature set, but we feel that it is important enough to be made part of the support network package. So yes, you are correct in that permissions and advanced security features such as NTLM single sign-on are now part of the Professional/Enterprise support network.

The permissions support provided for the Professional/Enterprise version of Alfresco is advanced and very powerful. It provides features such as node level Allow, Deny, Users, Groups, ACLs, Inheritance, NTLM single sign-on etc. through an XML based configuration. For the Open version it may be the case that we provide "simple" security features for people who don't require advanced security. The permissions interfaces are still exposed in the Open version, so a simple implementation for basic security features could be implemented.

Thanks,

Kevin

cfgert
Champ in-the-making
Unfortunately it sounds like this was Alfresco for the public 😢. No one has a use for a document system without normal permission possibilities. Perhaps for personal documents, but for nothing else. For us, e.g. as a non-profit organisation, the monthly fee is not affordable.

But it looked really nice….

jocsch
Champ in-the-making
That's what I meant: not sure who can use this opensource product any longer. I think there are two possibilities for how this will evolve:

- no one with security considerations can use the opensource version.
- someone will create an add-on opensource version for the security management (is this possible or restricted by the licence?).

Mhm, I think jackrabbit also lacks a good security management. Could it really be so hard as acegi supports ACLs and the hooks are there? I will have a look into this issue in a few months, comparing these repos again.

Don't get me wrong guys. I really hope you can make money with this. But this security issue really hurts and is in my opinion a dead end.

markus

lgr
Champ in-the-making
Hello,

I agree with you, this is sad news. Anyway, we have the opportunity to see someone build a better rights management interface with the open-source version.

I think this is why there is an Alfresco Community network.

But after having read the products comparison PDF, I understand that the most desirable feature that will be lacking in the community network is this groups and role based user security management. I think we can understand that clustering, high availability, secure lifecycle management, or even NTLM SSO are intended for use by larger companies, but you're right that security and user management will really be needed for basic use of Alfresco. Without it, it is nearly unusable in a professional world.

Furthermore, I imagine that the common evaluation process of Alfresco will be to install the Community network, then upgrade if necessary to the Pro or Enterprise network. Clustering and High availability are not necessary for evaluation, but there is no true evaluation without good security features.

Hmm .. Ok, let's try the final version first, and we will see which functionalities are lacking or not.

Laurent.

janiner
Champ in-the-making
I agree as well.  I have no problem with things like clustering being available only for a fee, but groups and roles?  Without them, what exactly is the point?

mfeldstein
Champ in-the-making
I have to agree with the other posters here. If there isn't support for roles, groups, and permissions within the Open Source version of the product, then Alfresco suddenly gets a lot less interesting. These are pretty much part of the definition of content management. Heck, even WordPress has 'em. Leaving them out makes the whole "Open Source" thing feel like little more than a marketing gimmick.

If you want to charge for clustering, well and good. If you want to charge for add-ons, fine. But don't charge for components that are considered part of your product definition and call that product "Open Source." That's misleading and will just irritate potential customers, not to mention potential Open Source partner projects. If you must go this way, then call the whole thing "visible source" or "community source" or whatever and be done with it.

rdanner
Champ in-the-making
Alfresco provides deep hooks for security.  By deep I mean fine grained.  The capability is there. The switch is not on.  This is the first point.  Alfresco has what many other OS products do not. 

The second point is: Alfresco has to make money but where does the Vertical start. 

I think this is a question that is in active debate at Alfresco and very obviously on this forum. 🙂

I don’t know what the people at Alfresco will do with security and I have already given my hot air on that so I will spare the expense of further bits on the subject but I think it's important to say…

The capability in terms of the software exists.  This is huge.  Even larger than that is that this community exists and the Alfresco folks are engaged.  Balance is not achieved through a single stroke of the pendulum (by nature.)

I used to have anxiety over this issue.  I am at the point where I can say for myself I think the community (Alfresco organization included) will find the balance in the issue.

I'd type more on the subject but I have to add a few users to a couple spaces because I can't just add a group. 😛

andy
Champ on-the-rise
Hi

First, the API for a Permission Service with object level APIs is defined in the open world, like the AuthenticationService and soon the AuthorityService for groups etc.

"Anyway, we have the opportunity to see someone build a better rights management interface with the open-source version."

If there are any comments and suggestions about the PermissionService or any other API then let us know.

The open permission service currently enforces nothing. What the open version should be and its compatibility with other permission services (including external systems for storing ACLs, as well as our own) is under active discussion. The open authentication is fairly simple and does not offer single sign on via NTLM or LDAP for example.

Regards

Andy

lgr
Champ in-the-making
"The open permission service currently enforces nothing. What the open version should be and its compatibility with other permission services (including external systems for storing ACLs, as well as our own) is under active discussion. The open authentication is fairly simple and does not offer single sign on via NTLM or LDAP for example."

And I totally agree that LDAP or NTLM SSO support can be removed from the open-source version.

I'll be impatient to hear more information about the open version compatibility with other permission services …

Best regards,

Laurent.