
Inheriting and security model in Alfresco

ivanatap
Champ in-the-making
Hi,

I have a problem configuring the security model using the inheritance feature.

By default all folders inherit "Everyone - Consumer" permission.
Without that setting users from my system would not be able to navigate folders.

Here is my business solution.
I have a site folder "Company documents" under Sites.
Under this folder I have system folders and documentLibrary, under which I have specific DMS folders like HR, IT, etc.

The requirement is that the director of the company can access all content in the repository, but other employees should be able to access only specified folders, depending on their roles.
E.g. IT department should have "Contributor" role under IT folder.

Here is the problem:
If I leave "Company documents" accessible as "Everyone - Consumer", as it is set by default (it is inherited from the Sites folder), and if I set "Director - Contributor" on "Company documents",
the director will inherit rights on the child folders, but all users will also be able to access the company documents.

If I don't select "Company documents" to inherit "Everyone - Consumer", my users will not be able to navigate to their documents because they cannot navigate the folder tree (they don't see the root folder "Company documents").

The only way I can meet my business request is to:
- set "Everyone - Consumer" on the root folder "Company documents"
- disallow inheritance on all child folders (IT, HR…)
- add rights to all child folders (IT department - IT folder…)
- add rights for the director to all child folders - it is really strange that Alfresco doesn't support such a case with inheritance.

It is very common for a company to have a DMS site with limited access for some users and an inheritance requirement, like the one I have described in my example.

In my opinion the problem is that a user must be in the Consumer role if we want to allow him to navigate the site. But usually a user should have different rights on child site folders, depending on his role in the organization (user group). I think that all users should have some role like "Contributor-Browser" by default, meaning that all users can browse the site tree (site folders, not content!). So, read access should be specified separately for each folder, and in that case inheritance would not be the problem.

Can anyone experienced with a similar business request give me advice on whether I'm doing something wrong, or tell me if Alfresco already supports some feature that answers my request?

Best regards,
Ivana

abarisone
Star Contributor
Hi,
I had a similar experience, and basically I tried to organize the repository to match the hierarchical organization, thinking about requirements in terms of business objects and not only in terms of documents or folders.
Moreover, I tried to obtain a segmentation of the repository in order to keep the number of objects from growing beyond 500/600 objects per container.
I managed to build up trees of folders, each of them inheriting security from the respective container, and using webscripts I added, modified and deleted authorities as needed.
To locate the roots of these trees, I used Lucene path queries that allowed me to replicate the same structure many times (it was a company business object) and access every single object securely.
Obviously this is a matter of opinion, there may be better solutions depending on your requirements.

Regards,
Andrea

ivanatap
Champ in-the-making
Hi,

Thank you for your answer.
Are you using Alfresco Share or Alfresco Explorer as web client?
If I understand you right, you are using Lucene path queries to navigate to the folders that users should access, because they don't have rights on the parent node?

Best regards,
Ivana

abarisone
Star Contributor
Hi,
Well, as web client I use Alfresco Explorer, even if for my project I use a custom client application…
But yes, if you're searching for nodes with Lucene path queries you're assured that the user performing the action will find all nodes he has rights on.
Then, if you have properly organized your repository, you will always get one matching result (or zero in case of fault).
This is also a good way to manage nodes at the presentation level, making them look as if they were in the same folder even if they are not.

Regards,
Andrea

ivanatap
Champ in-the-making
Hi,

I understood. I didn't try Lucene search, but as you said, it works the same as the ordinary search in the Alfresco Explorer search control. The user gets folders in the search results no matter whether he has rights on the parent folder, so it is OK.

But did you ever try to use Alfresco Share? (I have information that Alfresco will further develop the Share app; Explorer will only be maintained until EOL.)
If I try to use the same settings in Alfresco Share, and if my root "Company Documents" folder is created as a site (an Alfresco site is a normal folder with some additional features - e.g. users get a better preview in Alfresco Share, with wiki, site dashboard, etc.), there is no way to set up the same configuration.
If I set up the "Company Documents" folder not to inherit "Everybody-Consumer" (because not everybody will have rights to search all documents in the company), users will not have the option to see the site at all! (My expectation was that users would see the site, but containing only the folders that are allowed for them.) So, I tried to allow "Everybody-Consumer" on the site "Company Documents", but to disallow inheritance one level below (the folder "documentLibrary" which is automatically created under the site), and to apply to "documentLibrary" my custom security policy (director-consumer etc.), which should be inherited. So, my folder levels below that (HR documents, IT documents) should inherit director-consumer, and add security settings for their own groups which should have access to them.
But these settings do not work at all! I get a "no documents" message for each user (only the director can see documents because he has rights on the parent folder "documentLibrary").

So, my conclusion is that I'm trying to set up a very basic thing in Alfresco (inheritance with the security model) and I have no idea how to set that up in Alfresco Share.
In Alfresco Explorer it is possible with search feature, in Share, I don't see the option.

Best regards,
Ivana
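A constructed model of the inheritance behaviour discussed in this thread, added here as an example; it is not Alfresco code and not from either poster. It simplifies Alfresco by assuming that a node which does not inherit keeps only its local entries, that Consumer and Contributor both grant Read, that browsing in Share/Explorer needs Read on every ancestor, and that search only needs Read on the node itself, as the thread describes; the HR folder is built once per the setup in the first post and once per the Share setup in the last post.

```python
from dataclasses import dataclass, field

# Roles assumed here to include Read (Alfresco's default site roles all do).
READ_ROLES = {"Consumer", "Contributor", "Collaborator", "Coordinator"}

@dataclass
class Node:
    # A folder: optional parent, inherit flag, local entries authority -> role.
    name: str
    parent: "Node | None" = None
    inherits: bool = True
    local: dict = field(default_factory=dict)

    def effective_acl(self) -> dict:
        # Inherited entries first, then local entries layered on top.
        acl = dict(self.parent.effective_acl()) if self.inherits and self.parent else {}
        acl.update(self.local)
        return acl

    def can_read(self, groups: set) -> bool:
        acl = self.effective_acl()
        return any(acl.get(g) in READ_ROLES for g in groups | {"GROUP_EVERYONE"})

    def can_browse_to(self, groups: set) -> bool:
        # Assumption: navigating the tree needs Read on the node and every ancestor.
        node = self
        while node is not None:
            if not node.can_read(groups):
                return False
            node = node.parent
        return True

def outcomes(folder: Node, groups: set) -> dict:
    """Search finds the folder if it is readable; browsing also needs the path to it."""
    return {"search": folder.can_read(groups), "browse": folder.can_browse_to(groups)}

def explorer_setup():
    """First post: Everyone-Consumer on the root; HR breaks inheritance, gets own group + director."""
    root = Node("Company documents", local={"GROUP_EVERYONE": "Consumer"})
    hr = Node("HR", root, inherits=False,
              local={"GROUP_HR": "Contributor", "GROUP_DIRECTOR": "Contributor"})
    return root, hr

def share_setup():
    """Last post: Everyone-Consumer on the site, inheritance broken at documentLibrary."""
    site = Node("Company Documents", local={"GROUP_EVERYONE": "Consumer"})
    doclib = Node("documentLibrary", site, inherits=False, local={"GROUP_DIRECTOR": "Consumer"})
    hr = Node("HR", doclib, local={"GROUP_HR": "Contributor"})
    return site, doclib, hr
```

Under these assumptions the Share setup leaves an HR user able to find the HR folder by search but not to browse to it, because documentLibrary grants Read to nobody but the director, which matches the "no documents" result reported above.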