
(New) administrator role, without ability to change password

ebogaard
Champ on-the-rise
I'd like to give some other people almost full administrator rights in Alfresco (so not just management rights in a site), so they can manage Alfresco / Share as well.
For security reasons, I'd like to deny them the ability to change the password of other administrators, especially "admin".

The questions I'd like answered:
1. Is this possible?
2. Is there a ready-available role for this, or do I have to create a new role?
2b. How do I do this?
3. I can't find a rights-matrix that shows the roles and rights for Alfresco as a whole, just for sites and content. Is such a matrix available?

We're running CE3.3.

Thanks
9 REPLIES

savic_prvoslav
Champ on-the-rise

ebogaard
Champ on-the-rise
The thread Savic points to gives some interesting information, but I'm not sure if that's what I need.
The main thing is that I can give another user the rights to enter the admin console and manage the users and groups, but not be able to change users' passwords (at least not other admins' passwords).

Is this possible, and how?

savic_prvoslav
Champ on-the-rise
Now it is not, but you could use the code that I have put in that post and extend it.
Also, you could change the change user pass dialog: for this, check isAdmin() and work it from there. Really easy code.

ebogaard
Champ on-the-rise
This last option sounds interesting. Does this mean that the user can't change passwords anymore?
If so, could you give some pointers about the code that is needed?

savic_prvoslav
Champ on-the-rise
You can edit

/jsp/user/users.jsp
<a:actionLink value="#{msg.change_password}" image="/images/icons/change_password.gif" showLink="false" action="dialog:changePassword" actionListener="#{DialogManager.bean.setupUserAction}">

to

<a:actionLink value="#{msg.change_password}" image="/images/icons/change_password.gif" showLink="false" action="dialog:changePassword" actionListener="#{DialogManager.bean.setupUserAction}" rendered="#{NavigationBean.currentUser.admin}">

Explanation:
The user has the right to access the user dialog, but would not have the right to change the password, because he would not be able to see the action for this, because of the rendered part.


Edit:
You still need to use code to give access to the admin console. I cannot find time to print you some code; I hope that I will find time for this tomorrow. I would really like to do this for you, it is a fun feature.

Instruction:
Create a filter which extends "Admin Authentication Filter", which can be found in web.xml.

Before calling super.filter, use the code which I have given. In that code you check if the user is in the "admin group" and has the right to do this (see the admin console).

ebogaard
Champ on-the-rise
This looks promising and is a good way in the right direction.
One remark: the users work in Share, not Alfresco Explorer. So I need to find the right files and code for Share.

To further explain what I'd like the situation to be:
- I'm the only "super" admin.
- There are some other admins who can work with user groups, but can't change other admins' (and normal users', if necessary) passwords.
- There are a bunch of normal users with normal permissions.

I think there are two options to get to this situation:
1. Make it so that "normal" administrators can't change other users' passwords, but have all the other permissions.
2. Let users access the administrator console, so they can work with user groups. The problem with this might be that normal users can put themselves in the admin user group, so they can get full permissions.

I think option 1 is the better/safer solution, if combined with disabling access to Alfresco Explorer for everyone but the super admin. In that case it is possible to disable changing other users' passwords in Share altogether. That way only the super admin can change passwords in Alfresco Explorer.


Does this clarify things?
Up till now, you've been a great help.

savic_prvoslav
Champ on-the-rise
I am working only with Alfresco Explorer, not Share. Anything with Alfresco Explorer I now know how to change and edit to fit my needs; Share not so well (you should see what I have done for my company in the past time).
The solution which I have given on the other forum topic is really good and covers most (you would probably need some coding when you reach the bottom line) of the needed code for Alfresco Explorer.

If you would use this solution you would most likely have all this in Alfresco Explorer but not in Share, everything would be the same in it :(


If Alfresco Explorer is acceptable, you then use my solution and extend it until you have a nice solution. If you need help, ask for it. I'll be happy to help.

For Share I did some changes for it, but it is complicated a bit …

savic_prvoslav
Champ on-the-rise

ebogaard
Champ on-the-rise
Thanks for all the help.

I ended up editing "tomcat/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/components/console/users.get.html.ftl"
In this file I set some classes to "hidden", so the "New Password" option isn't available to users (or me, but I can still use Alfresco Explorer).

Now I have to find a way to prevent users deleting the "admin"-user => Does anyone have any idea?
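
The rules this thread arrives at (no password changes on other accounts, no deleting "admin", no self-promotion into the admin group), written as a decision made where the request is handled rather than by hiding a link or a CSS class. This is an added example, not Alfresco code and not code from either poster; the group name, action names and sample accounts are hypothetical, and it assumes users keep the right to change their own password.

```javascript
// Added example, not Alfresco code. "admin" is the account named in the thread;
// the group and action names are hypothetical, not Alfresco identifiers.
const SUPER_ADMIN = "admin";
const ADMIN_GROUP = "GROUP_DELEGATED_ADMINS";

const allow = (reason) => ({ allow: true, reason });
const deny = (reason) => ({ allow: false, reason });

function roleOf(user) {
  if (user.name === SUPER_ADMIN) return "super";
  return user.groups.includes(ADMIN_GROUP) ? "delegated" : "normal";
}

// Decide one user-management request where it is handled, not in the template.
function decide(actor, action, target, detail = {}) {
  const actorRole = roleOf(actor);
  if (actorRole === "super") return allow("super admin");
  if (action === "changePassword") {
    // Assumption: every user may still change their own password.
    return actor.name === target.name
      ? allow("own password")
      : deny("password of another user");
  }
  if (actorRole !== "delegated") return deny("not an administrator");
  switch (action) {
    case "deleteUser":
      // Covers the thread's last question: "admin" cannot be deleted.
      return roleOf(target) === "normal"
        ? allow("normal user")
        : deny("target is an administrator");
    case "addToGroup":
    case "removeFromGroup":
      // Admin-group membership is the escalation path named under option 2.
      return detail.group === ADMIN_GROUP
        ? deny("admin group is managed by the super admin only")
        : allow("ordinary group");
    default:
      return deny("action not listed"); // deny by default
  }
}

// Constructed sample accounts.
const admin = { name: "admin", groups: [] };
const alice = { name: "alice", groups: [ADMIN_GROUP] };
const bob = { name: "bob", groups: ["GROUP_SALES"] };

console.log(decide(alice, "changePassword", admin));
console.log(decide(alice, "deleteUser", admin));
console.log(decide(bob, "addToGroup", bob, { group: ADMIN_GROUP }));
```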