[HOWTO] Custom Permissions in ALF Community 5.0.d

deajan
Champ on-the-rise
[EDIT]
I've managed to get stuff working for me!
Please see https://forums.alfresco.com/comment/156540#comment-156540 for a howto on custom Permissions
[/EDIT]

Hello,

I am trying to add a custom role to Alfresco based on the Consumer role, with some modifications (basically I want a role that can comment but can't start a workflow).

I've followed the tutorial here: https://wiki.alfresco.com/wiki/Custom_Permissions_in_Share
I've double-checked everything, but it seems that my modified file in <alfresco_root>/tomcat/shared/classes/alfresco/extension/sitePermissionDefinitions.xml never gets loaded.

My file contents:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE permissions >

<permissions>

    <!-- Namespaces used in type references -->

   <namespaces>
      <namespace uri="http://www.alfresco.org/model/system/1.0" prefix="sys"/>
      <namespace uri="http://www.alfresco.org/model/content/1.0" prefix="cm"/>
      <namespace uri="http://www.alfresco.org/model/site/1.0" prefix="st"/>
   </namespaces>

   <!-- ============================================ -->
   <!-- Permissions specific to the wiki integration -->
   <!-- ============================================ -->

   <permissionSet type="st:site" expose="selected">

      <permissionGroup name="SiteManager" allowFullControl="true" expose="true" />

      <permissionGroup name="SiteCollaborator" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="Collaborator" type="cm:cmobject" />
      </permissionGroup>

      <permissionGroup name="SiteContributor" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject" />
      </permissionGroup>

      <permissionGroup name="SiteConsumer" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject" />
         <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />
      </permissionGroup>

      <permissionGroup name="SiteCommentator" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject" />
         <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />
      </permissionGroup>

   </permissionSet>

</permissions>

Maybe my sitePermissionDefinitions.xml should go in another path?

Any advice please?

Regards,
Ozy.

kavilash23
Champ on-the-rise
Hello,

Did you make a context file to register your custom permission model?

deajan
Champ on-the-rise
Hello,
Well, I must admit I didn't find anything about a context file in the documentation I've read.
Thanks for the tip. I've finally moved my sitePermissionsDefinition.xml to <alf_root>/tomcat/shared/classes/alfresco/extension/model and created a context file for my model as follows in <alf_root>/tomcat/shared/classes/alfresco/extension/custom-sitepermissions-context.xml


<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
    <bean id="myModule_permissionBootstrap" parent="permissionModelBootstrap">
      <property name="model" value="alfresco/extension/model/sitePermissionDefinitions.xml"/>
    </bean>
</beans>

Now I have a new problem: my custom model loads, but I get the following error (where SiteCommentator is the role I added):

03230000 Wrapped Exception (with status template): 03230018 An authority was not found for GROUP_site_exploitation_SiteCommentator

Is there any better documentation than the one I stated in my first post to achieve custom permissions?

Regards,
Ozy.

deajan
Champ on-the-rise
Found out that the error only appears on already existing sites. New ones created after the role exists work great with the new role.
Any idea how to create the missing authority for an already existing site?

Regards,
Ozy.

mauricio_neto
Champ in-the-making
Hi friends,

I'm new to Alfresco, so I can't find the sitePermissionDefinitions.xml. I'm using Community 5.0.d.

Can anyone help me, please?

Thanks
Mauricio

Hello Mauricio,

You have to unzip <alfresco_root>/tomcat/webapps/alfresco/WEB-INF/lib/alfresco-repository-5.0.d.jar and find the file there.
Regards,
Ozy.

mauricio_neto
Champ in-the-making
Thanks Ozy.

Regarding the problem with existing sites, did you try this fix? (https://issues.alfresco.com/jira/browse/MNT-2456)

Also, how does your custom role manage to comment but not start a workflow? In my case I need to allow commenting but not downloading.

Thanks
Regards

Hello Mauricio,
I actually read about the fix provided on Jira, but the URL description was incorrect, so I had a fun time making it work (& instead of ? in the URL, but when you're tired you don't pay attention to this level of detail). I've corrected the desc.xml file and made a quick and dirty howto for the fix, but it seems I can't add anything to MNT-2456, a shame! Anyway, I got the fix to work for me.

I have finished my custom permission models, I'll write the whole thing down very soon.

Regards,
Ozy.

deajan
Champ on-the-rise
Now that I've taken some time to investigate how to achieve custom permissions, I'll write down my findings.

My goal is to set up two custom permissions: one called "WriteOnly", which allows a user to write new content without being able to see other files, and a site role called "Commentator" that basically has the same rights as a Contributor, except that he can't accept or approve simple workflows.

So here's my full setup:

Extract (using unzip) the file <zip_path>/alfresco/model/permissionDefinitions.xml from <alfresco_path>/tomcat/webapps/alfresco/WEB-INF/lib/alfresco-repository-5.0.d.jar
Copy it to <alfresco_path>/tomcat/shared/classes/alfresco/extensions/model/permissionDefinitions.xml (if model directory doesn't exist, create it).

We'll add a dummy low-level permission "WorkFlowPermissions" to the file, which should then look like this:


      <!-- Groups for low level permissions -->

      <permissionGroup name="ReadProperties" expose="true" allowFullControl="false" />
      <permissionGroup name="ReadChildren" expose="true" allowFullControl="false" />
      <permissionGroup name="WriteProperties" expose="true" allowFullControl="false" />
      <permissionGroup name="ReadContent" expose="false" allowFullControl="false" />
      <permissionGroup name="WriteContent" expose="false" allowFullControl="false" />
      <permissionGroup name="ExecuteContent" expose="false" allowFullControl="false" />
      <permissionGroup name="DeleteNode" expose="true" allowFullControl="false" />
      <permissionGroup name="DeleteChildren" expose="true" allowFullControl="false" />
      <permissionGroup name="CreateChildren" expose="true" allowFullControl="false" />
      <permissionGroup name="LinkChildren" expose="true" allowFullControl="false" />
      <permissionGroup name="DeleteAssociations" expose="true" allowFullControl="false" />
      <permissionGroup name="ReadAssociations" expose="true" allowFullControl="false" />
      <permissionGroup name="CreateAssociations" expose="true" allowFullControl="false" />
      <permissionGroup name="ReadPermissions" expose="true" allowFullControl="false" />
      <permissionGroup name="ChangePermissions" expose="true" allowFullControl="false" />
      <!-- MOD OZY: Permission to start a Workflow -->
      <permissionGroup name="WorkFlowPermissions" expose="true" allowFullControl="false" />


We'll also add this permission to the following block:


      <!-- ==================================================== -->
      <!-- Permissions related to the management of permissions -->
      <!-- ==================================================== -->

      <!-- The permission to read the permissions on a node                              -->

      <permission name="_ReadPermissions" expose="false" >
        <grantedToGroup permissionGroup="ReadPermissions" />
        <!-- Commented out parent permission check ...
        <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
        -->
      </permission>

      <!-- The permission to change the permissions associated with a node               -->

      <permission name="_ChangePermissions" expose="false" >
        <grantedToGroup permissionGroup="ChangePermissions" />
        <!-- Commented out parent permission check ...
        <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
        -->
      </permission>

      <!-- ======================================= -->
      <!-- MOD OZY: Permission to start a WorkFlow -->
      <!-- ======================================= -->

      <permission name="_WorkFlowPermissions" expose="false" >
        <grantedToGroup permissionGroup="WorkFlowPermissions" />
      </permission>


Now we have to add this dummy permission to every role we want to allow to approve / reject workflows.
Note that I also added two new roles, "Commentator" and "WriteOnly".
Role "Commentator" has basically the same rights as "Contributor", except for the WorkFlowPermissions we created.
Role "WriteOnly" has only write permissions, based on low-level perms.


   <!-- ================================================ -->
   <!-- Permissions available to all content and folders -->
   <!-- ================================================ -->

   <permissionSet type="cm:cmobject" expose="selected">

      <!-- Kept for backward compatibility - the administrator permission has   -->
      <!-- been removed to avoid confusion -->
      <permissionGroup name="Administrator" allowFullControl="true" expose="false">
         <!-- MOD OZY: Add WorkFlow permission because it's needed to allow action id -->
         <includePermissionGroup permissionGroup="WorkFlowPermissions" type="sys:base" />
      </permissionGroup>

      <!-- A coordinator can do anything to the object or its children unless the     -->
      <!-- permissions are set not to inherit or permission is denied.                 -->
      <permissionGroup name="Coordinator" allowFullControl="true" expose="true">
         <!-- MOD OZY: Add WorkFlow permission because it's needed to allow action id -->
         <includePermissionGroup permissionGroup="WorkFlowPermissions" type="sys:base" />
      </permissionGroup>

      <!-- A collaborator can do anything that an editor and a contributor can do -->
      <permissionGroup name="Collaborator" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="Editor" type="cm:cmobject" />
         <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject" />
         <!-- MOD OZY: Add WorkFlow permission because it's needed to allow action id -->
         <includePermissionGroup permissionGroup="WorkFlowPermissions" type="sys:base" />
      </permissionGroup>

      <!-- A contributor can create content and then they have full permission on what -->
      <!-- they have created - via the permissions assigned to the owner.              -->
      <permissionGroup name="Contributor" allowFullControl="false" expose="true" >
          <!-- Contributor is a consumer who can add content, and then can modify via the -->
          <!-- owner permissions.                                                      -->
          <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject"/>
          <includePermissionGroup permissionGroup="AddChildren" type="sys:base"/>
          <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />
          <!-- MOD OZY: Add WorkFlow permission because it's needed to allow action id -->
          <includePermissionGroup permissionGroup="WorkFlowPermissions" type="sys:base" />
      </permissionGroup>

      <!-- An editor can read and write to the object; they can not create            -->
      <!-- new nodes. They can check out content into a space to which they have       -->
      <!-- create permission.                                                          -->
      <permissionGroup name="Editor"  expose="true" allowFullControl="false" >
          <includePermissionGroup type="cm:cmobject" permissionGroup="Consumer"/>
          <includePermissionGroup type="sys:base" permissionGroup="Write"/>
          <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>
          <includePermissionGroup type="sys:base" permissionGroup="ReadPermissions"/>
      </permissionGroup>

      <!-- The Consumer permission allows read to everything by default.               -->
      <permissionGroup name="Consumer" allowFullControl="false" expose="true" >
          <includePermissionGroup permissionGroup="Read" type="sys:base" />
      </permissionGroup>

      <!-- MOD OZY: Commentator permission is the same as Contributor except I didn't add workflow permissions -->
      <permissionGroup name="Commentator" allowFullControl="false" expose="true" >
          <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject"/>
          <includePermissionGroup permissionGroup="AddChildren" type="sys:base"/>
          <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />
      </permissionGroup>

      <!-- MOD OZY: Document Library permission for uploads only -->
      <permissionGroup name="WriteOnly" allowFullControl="false" expose="true" >
          <includePermissionGroup permissionGroup="Write" type="sys:base" />
          <includePermissionGroup permissionGroup="AddChildren" type="sys:base" />
      </permissionGroup>

      <!-- records permission -->
      <!-- Should be tied to the aspect -->
      <!-- ownership should be removed when using this permission -->
      <permissionGroup name="RecordAdministrator" allowFullControl="false" expose="false">
          <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
          <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
          <includePermissionGroup type="sys:base" permissionGroup="WriteProperties"/>
          <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
          <includePermissionGroup type="sys:base" permissionGroup="DeleteChildren"/>
          <includePermissionGroup type="sys:base" permissionGroup="CreateChildren"/>
          <includePermissionGroup type="sys:base" permissionGroup="LinkChildren"/>
          <includePermissionGroup type="sys:base" permissionGroup="DeleteAssociations"/>
          <includePermissionGroup type="sys:base" permissionGroup="CreateAssociations"/>
          <!-- MOD OZY: Add WorkFlow permission because it's needed to allow action id -->
          <includePermissionGroup permissionGroup="WorkFlowPermissions" type="sys:base" />
      </permissionGroup>

   </permissionSet>


Finally, we need to expose these roles to the GUI so they can be used.

   <!-- =============================== -->
   <!-- Permissions specific to content -->
   <!-- =============================== -->

   <permissionSet type="cm:content" expose="selected">

      <!-- Content specific roles.                                                       -->

      <permissionGroup name="Coordinator" extends="true" expose="true"/>
      <permissionGroup name="Collaborator" extends="true" expose="true"/>
      <permissionGroup name="Contributor" extends="true" expose="true"/>
      <permissionGroup name="Editor" extends="true" expose="true"/>
      <permissionGroup name="Consumer" extends="true" expose="true"/>
      <permissionGroup name="RecordAdministrator" extends="true" expose="false"/>
      <!-- MOD OZY: Expose Commentator Permission on content -->
      <permissionGroup name="Commentator" extends="true" expose="true"/>
      <!-- MOD OZY: Expose WriteOnly Permission on content -->
      <permissionGroup name="WriteOnly" extends="true" expose="true"/>
   </permissionSet>


   <permissionSet type="cm:folder" expose="selected">

      <!-- Content folder specific roles.                                                -->

      <permissionGroup name="Coordinator" extends="true" expose="true"/>
      <permissionGroup name="Collaborator" extends="true" expose="true"/>
      <permissionGroup name="Contributor" extends="true" expose="true"/>
      <permissionGroup name="Editor" extends="true" expose="true"/>
      <permissionGroup name="Consumer" extends="true" expose="true"/>
      <permissionGroup name="RecordAdministrator" extends="true" expose="false"/>
      <!-- MOD OZY: Expose Commentator Permission on folders -->
      <permissionGroup name="Commentator" extends="true" expose="true"/>
      <!-- MOD OZY: Expose WriteOnly Permission on folders -->
      <permissionGroup name="WriteOnly" extends="true" expose="true"/>
   </permissionSet>


Now that we've set up the new permissions, we need to allow them to be exposed to the site UI.
In the extracted zip file, you'll find the file <zip_path>/alfresco/models/sitePermissionDefinitions.xml, which you must copy to <alfresco_path>/tomcat/shared/classes/alfresco/extensions/model

Modify it and add the two newly created roles like this:

   <!-- ============================================ -->
   <!-- Permissions specific to the wiki integration -->
   <!-- ============================================ -->

   <permissionSet type="st:site" expose="selected">

      <permissionGroup name="SiteManager" allowFullControl="true" expose="true" />

      <permissionGroup name="SiteCollaborator" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="Collaborator" type="cm:cmobject" />
      </permissionGroup>

      <permissionGroup name="SiteContributor" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject" />
      </permissionGroup>

      <permissionGroup name="SiteConsumer" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject" />
         <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />
      </permissionGroup>

      <!-- MOD OZY: Expose SiteCommentator -->
      <permissionGroup name="SiteCommentator" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="Commentator" type="cm:cmobject" />
      </permissionGroup>

      <!-- MOD OZY: Expose SiteWriteOnly -->
      <permissionGroup name="SiteWriteOnly" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="Write" type="sys:base" />
         <includePermissionGroup permissionGroup="AddChildren" type="sys:base" />
      </permissionGroup>

   </permissionSet>


We'll need to create a resource file called <alfresco_path>/tomcat/shared/classes/alfresco/web-extension/messages/invitation-service.properties containing the following:

invitation.invitesender.email.role.SiteWriteOnly=Write Only
invitation.invitesender.email.role.SiteCommentator=Commentator


The resource file will be loaded by the following bootstrap file <alfresco_path>/tomcat/shared/classes/alfresco/web-extension/invitation-service-context.xml

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>

    <bean id="invitationResourceBundles" class="org.alfresco.i18n.ResourceBundleBootstrapComponent">
        <property name="resourceBundles">
            <list>
                <value>alfresco.web-extension.messages.invitation-service</value>
            </list>
        </property>
    </bean>

</beans>


Another resource file <alfresco_path>/tomcat/shared/classes/alfresco/web-extension/messages/slingshot.properties needs to be created containing

## Custom roles
role.SiteWriteOnly=Write Only
role.SiteCommentator=Commentator


Finally, copy the file <alfresco_path>/tomcat/shared/classes/alfresco/web-extension/custom-slingshot-application-context.xml.sample to custom-slingshot-application-context.xml and edit it by adding the following bean definition

   <bean id="webscripts.resources" class="org.springframework.extensions.surf.util.ResourceBundleBootstrapComponent">
      <property name="resourceBundles">
         <list>
            <value>alfresco.messages.common</value>
            <value>alfresco.messages.slingshot</value>
            <value>alfresco.web-extension.messages.slingshot</value>
         </list>
      </property>
   </bean>


Both files permissionDefinitions.xml and sitePermissionDefinitions.xml have to be loaded by a bootstrap file <alfresco_path>/tomcat/shared/classes/alfresco/extensions/custom-permissions-context.xml containing

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
    <bean id="CustomPerm_permissionBootstrap" parent="permissionModelBootstrap">
      <property name="model" value="alfresco/extension/model/permissionDefinitions.xml"/>
    </bean>
    <bean id="CustomSitePerm_permissionBootstrap" parent="permissionModelBootstrap">
      <property name="model" value="alfresco/extension/model/sitePermissionDefinitions.xml"/>
    </bean>
</beans>


From here, the role WriteOnly exists and works.
Now we need to restrict "approve" and "reject" to roles that have the WorkFlowPermissions permission.

Open the file <alfresco_path>/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml to edit the config block, which should look like this:

   <!-- Custom DocLibActions config section -->
   <config evaluator="string-compare" condition="DocLibActions">
      <actionGroups>
         <actionGroup id="document-browse">

            <!-- Simple Repo Actions -->
            <!--
            <action index="340" id="document-extract-metadata" />
            <action index="350" id="document-increment-counter" />
            -->

            <!-- Dialog Repo Actions -->
            <!--
            <action index="360" id="document-transform" />
            <action index="370" id="document-transform-image" />
            <action index="380" id="document-execute-script" />
            -->
            <action index="160" id="document-approve">
                    <permissions>
                         <permission allow="true">WorkFlowPermissions</permission>
                    </permissions>
            </action>
            <action index="170" id="document-reject">
                    <permissions>
                         <permission allow="true">WorkFlowPermissions</permission>
                    </permissions>
            </action>

         </actionGroup>
      </actionGroups>
   </config>


This will not prevent the menu from showing up, but it will restrict its usage.
Here's a quick list of action indexes you can add permissions to:

         <actionGroup id="document-details">
            <action index="100" id="document-download" />
            <action index="110" id="document-view-content" />
            <action index="120" id="document-edit-metadata" />
            <action index="130" id="document-upload-new-version" />
            <action index="140" id="document-view-original" />
            <action index="150" id="document-view-working-copy" />
            <action index="160" id="document-approve" />
            <action index="170" id="document-reject" />
            <action index="180" id="document-inline-edit" />
            <action index="190" id="document-edit-online" />
            <action index="200" id="document-edit-offline" />
            <action index="210" id="document-view-googledoc" />
            <action index="220" id="document-checkout-to-googledocs" />
            <action index="230" id="document-checkin-from-googledocs" />
            <action index="240" id="document-copy-to" />
            <action index="250" id="document-move-to" />
            <action index="260" id="document-delete" />
            <action index="270" id="document-assign-workflow" />
            <action index="280" id="document-cancel-editing" />
            <action index="290" id="document-manage-site-permissions" />
            <action index="300" id="document-manage-repo-permissions" />
            <action index="310" id="document-manage-aspects" />
            <action index="320" id="document-change-type" />
            <action index="330" id="document-view-in-source-repository" />
            <action index="340" id="document-publish" />
            <action index="350" id="document-view-googlemaps" />
         </actionGroup>


Note: if someone has found a better way to also hide the menu, please be my guest and comment :)

Fix for already existing sites:
Download the file https://issues.alfresco.com/jira/secure/attachment/54733/fixsiteauthorities.zip and extract it to <alfresco_path>/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/fixsiteauthorities (create the path [..]/templates/webscripts/fixsiteauthorities)

Restart Alfresco and go to the following URI:
http://your_alfresco_url:port/alfresco/s/index/package/fixsiteauthorities

You can then fix a site like "testsite" to add both groups we created earlier by going to the following URIs:


http://your_alfresco_url:port/alfresco/s/fixsiteauthorities?customgroup=SiteWriteOnly&sitename=testsit...
http://your_alfresco_url:port/alfresco/s/fixsiteauthorities?customgroup=SiteCommentator&sitename=tests...

Note: I guess this howto could be improved for multilanguage support too, please feel free to help it become better.
Regards,
Ozy.

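Before loading a model like the one in the post, it is worth checking what each role actually ends up holding once every includePermissionGroup is followed, which is the least-privilege review a reviewer wants before a role is handed to site members. This is an added Python example, not code from the thread or from Alfresco: it parses the permissionDefinitions.xml format used above, expands include chains transitively, and flags references to groups that are never defined. The XML inside it is a constructed, simplified fragment containing the post's roles, not the shipped file.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified permissionDefinitions.xml fragment in the format used
# in the thread (not Alfresco's shipped file): leaf groups live on sys:base,
# the roles from the post on cm:cmobject.
SAMPLE_XML = """<permissions>
  <permissionSet type="sys:base" expose="selected">
    <permissionGroup name="ReadContent" expose="false" allowFullControl="false" />
    <permissionGroup name="Write" expose="true" allowFullControl="false" />
    <permissionGroup name="AddChildren" expose="true" allowFullControl="false" />
    <permissionGroup name="ReadPermissions" expose="true" allowFullControl="false" />
    <permissionGroup name="WorkFlowPermissions" expose="true" allowFullControl="false" />
    <permissionGroup name="Read" expose="true" allowFullControl="false">
      <includePermissionGroup permissionGroup="ReadContent" type="sys:base" />
    </permissionGroup>
  </permissionSet>
  <permissionSet type="cm:cmobject" expose="selected">
    <permissionGroup name="Coordinator" allowFullControl="true" expose="true" />
    <permissionGroup name="Consumer" allowFullControl="false" expose="true">
      <includePermissionGroup permissionGroup="Read" type="sys:base" />
    </permissionGroup>
    <permissionGroup name="Contributor" allowFullControl="false" expose="true">
      <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject" />
      <includePermissionGroup permissionGroup="AddChildren" type="sys:base" />
      <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />
      <includePermissionGroup permissionGroup="WorkFlowPermissions" type="sys:base" />
    </permissionGroup>
    <permissionGroup name="Commentator" allowFullControl="false" expose="true">
      <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject" />
      <includePermissionGroup permissionGroup="AddChildren" type="sys:base" />
      <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />
    </permissionGroup>
    <permissionGroup name="WriteOnly" allowFullControl="false" expose="true">
      <includePermissionGroup permissionGroup="Write" type="sys:base" />
      <includePermissionGroup permissionGroup="AddChildren" type="sys:base" />
    </permissionGroup>
  </permissionSet>
</permissions>
"""

FULL_CONTROL = "*"  # marker for allowFullControl="true": every permission

def load_groups(xml_text):
    """Map (type, name) -> (allowFullControl, [(type, name) of each include])."""
    groups = {}
    for pset in ET.fromstring(xml_text).iter("permissionSet"):
        ptype = pset.get("type")
        for g in pset.findall("permissionGroup"):
            incs = [(i.get("type"), i.get("permissionGroup"))
                    for i in g.findall("includePermissionGroup")]
            groups[(ptype, g.get("name"))] = (g.get("allowFullControl") == "true", incs)
    return groups

def effective(groups, key, _path=frozenset()):
    """Expand includePermissionGroup chains transitively to leaf group names.
    A reference to a group that is never defined is reported as UNRESOLVED:<name>
    instead of being dropped silently, since a typo in an include is a model error.
    """
    if key in _path:  # cycle guard: a group that (indirectly) includes itself
        return set()
    if key not in groups:
        return {"UNRESOLVED:" + key[1]}
    full, incs = groups[key]
    if full:
        return {FULL_CONTROL}
    if not incs:
        return {key[1]}
    leaves = set()
    for inc in incs:
        leaves |= effective(groups, inc, _path | {key})
    return leaves

def holds(groups, role, perm, ptype="cm:cmobject"):
    """True if the role ends up holding the named low-level permission."""
    leaves = effective(groups, (ptype, role))
    return FULL_CONTROL in leaves or perm in leaves
```

Running `effective(load_groups(SAMPLE_XML), ("cm:cmobject", "Commentator"))` shows the role reaches ReadContent, AddChildren and ReadPermissions but not WorkFlowPermissions, while the same call for WriteOnly shows no read permission at all.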
sandeepreddy
Champ in-the-making
Hi deajan,
Thank you for the [HOWTO]. Create a custom role with no download permission; please help me, deajan.