New Role and ACL_METHOD

steel
Champ in-the-making
Hi,

I am creating a new role to allow a person to act as an administrator and add (create new) users and groups to their homespace. Temporarily I have attempted to elevate the privileges of the Coordinator Role to allow creating a new person and group.

I did the following:

1. Set a globalPermission in permissionDefinitions.xml to give "ROLE_COORDINATOR" full control.

2. Added ACL_METHOD.ROLE_COORDINATOR to all the services required when creating a user in public-services-security-context.xml. 
For example this is one: org.alfresco.service.cmr.security.AuthorityService.createAuthority=ACL_METHOD.ROLE_COORDINATOR,ACL_METHOD.ROLE_ADMINISTRATOR

I added ACL_METHOD.ROLE_COORDINATOR to the following services:
AuthorityService.createAuthority
AuthorityService.addAuthority
AuthorityService.removeAuthority
AuthorityService.deleteAuthority

AuthenticationService.createAuthentication

PersonService.setPersonProperties
PersonService.createPerson

With these modifications I am still getting the "Access Denied" (do not have enough permission to perform the action) error.

Any help would be great!

thanks.

-Steel

steel
Champ in-the-making
anyone?

steel
Champ in-the-making
Ok, I found that I made a mistake with the whole ROLE_COORDINATOR I think. I corrected them and replaced it with ACL_NODE.0.cm:object.Coordinator. The person.CreatePerson runs fine but it is getting stuck on PermissionService.getAllPermission which has a rule of ACL_ALLOW.

In the public services security context file it states:
<!-- If one method cal requires security enforcement - all methods must gave a       -->
<!-- security entry of some sort. ACL_ALLOW can be used to give access to all        -->
<!-- ROLE_ADMINISTRATOR can be used to grant access to administrator related methods -->

I am not exactly sure what this means. ACL_ALLOW can be used to give access to all? If it is all, I am not sure why it is getting stuck at this point.

Here is some debugger info:
authentication:
net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@317bdd: Username: net.sf.acegisecurity.providers.dao.User@bb02e3: Username: sfu; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.providers.dao.User@bb02e3: Username: sfu; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED; Granted Authorities: ROLE_AUTHENTICATED

detailed message:
Bad credentials presented

Can anyone shed some light on this? I would really appreciate it. Thanks!

steel
Champ in-the-making
I re-read the Security wiki and realized that this is the reverse of what I want to do with adding coordinator to the objectDefinitionSource line because it adds on to the requirement not takes away from it.

I'm trying to find documentation on how to implement an OR statement in the uri pattern to allow both admin and a coordinator.

derek
Star Contributor
Hi,

Admin will always be allowed.  The reason why some methods may require admin explicitly is that all methods on the interface have to have an entry.  So if you had a method that only admin was allowed to use, then you would have to put admin down otherwise Acegi would clear the security context when the method was used.

ACL_Allow is for those methods that don't require any protection.  But something still has to be put down for each method.

If you have Coordinator on a method, then admin is still allowed to use it.

Regards

debraj
Champ in-the-making
hi steel and derek,
I am also trying to configure the same thing. I want a user to have a role through which he can only create new users and groups. Can you please help me in this regard.
Thanks for any suggestions

andy
Champ on-the-rise
Hi

You are probably best creating a group for these people (e.g. "woof") and then adding protection for this group on the methods. Then use ACL_METHOD.GROUP_woof.

Andy
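As an added example (not code from the thread or from Alfresco's shipped files), this is the shape an objectDefinitionSource entry in public-services-security-context.xml takes when the user/group administration methods listed in the opening post are granted to members of a group named "woof" as Andy suggests; GROUP_woof is the authority name Alfresco gives a group called "woof". The bean id, the interceptor class, the property names and the trailing `*` catch-all are assumptions about how the file is laid out.

```xml
<!-- Added example, not from the thread. Bean id, interceptor class, property
     names and the '*' catch-all are assumptions about the file layout. -->
<bean id="AuthorityService_security"
      class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
    <!-- Each line is "method=comma-separated config attributes". Listing
         ACL_METHOD.GROUP_woof next to ACL_METHOD.ROLE_ADMINISTRATOR means a
         caller needs either authority; admin is allowed in any case. -->
    <property name="objectDefinitionSource">
        <value>
            org.alfresco.service.cmr.security.AuthorityService.createAuthority=ACL_METHOD.GROUP_woof,ACL_METHOD.ROLE_ADMINISTRATOR
            org.alfresco.service.cmr.security.AuthorityService.addAuthority=ACL_METHOD.GROUP_woof,ACL_METHOD.ROLE_ADMINISTRATOR
            org.alfresco.service.cmr.security.AuthorityService.removeAuthority=ACL_METHOD.GROUP_woof,ACL_METHOD.ROLE_ADMINISTRATOR
            org.alfresco.service.cmr.security.AuthorityService.deleteAuthority=ACL_METHOD.GROUP_woof,ACL_METHOD.ROLE_ADMINISTRATOR
            org.alfresco.service.cmr.security.AuthorityService.*=ACL_ALLOW
        </value>
    </property>
    <!-- The last line matters: as derek's reply explains, every method on the
         interface needs some entry, so the read-only methods that need no
         protection get ACL_ALLOW rather than being left out. -->
</bean>
```

The same pattern applies to the PersonService and AuthenticationService methods from the opening post, each in its own interceptor bean.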

debraj
Champ in-the-making
Thanks a lot for the reply. This is the first reply I got in the Alfresco forum. Can you please elaborate on adding protection for this group on this method? And also group creation is done on the UI. How can I put this in the source code? By group did you mean a permission group?

debraj
Champ in-the-making
And also how will the admin console come up in the UI for the user in the group woof?

debraj
Champ in-the-making
I created a group and added protection for this group in public-services-security-context.xml. But the user cannot view the admin console.

How can I bring up the admin console?

The admin console comes up when I add the user as an admin in authority-context.xml, but this user can also operate on content and spaces.

I want the user to only create and delete users/groups and he shouldn't have permission for any other action.

Thanks a lot for any replies