
Override inherited permissions

deepacp
Champ in-the-making
Hi,

I would like to override the inherited permissions of a particular user and set a new permission. I use the following code to achieve this

    AuthenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork<Object>() {
        public Object doWork() throws Exception {
            permissionService.deletePermission(ref, loggedInUser, null);
            permissionService.setPermission(ref, loggedInUser, PermissionService.CONSUMER, true);
            return "";
        }
    });

However, I get this error when InheritPermissions is set on the folder - "Caught exception Can not delete from this acl in a node context SHARED".

Is there any way to override the parent's inherited permissions other than disabling it completely? Only select permissions need to be overridden.

Thanks
Deepa
2 REPLIES 2

steven_okennedy
Star Contributor
Hi deepacp,

This is happening because you are effectively attempting to delete the inherited ACL (which is shared with at least the parent node and possibly others up the inheritance tree). You'll need to disable the inherited permissions and reapply any permissions that should be left on the node as local permissions. See a similar thread on this question here: http://forums.alfresco.com/forum/developer-discussions/web-scripts/getpermissions-problem-08172009-1...

In out of the box Alfresco & Share, only ALLOW type permissions are used, and they lead to a sort of a high water mark type model when the permissions are evaluated, e.g. if a user inherits a Collaborator permission from a parent, and has a Consumer permission set locally on the node, the effective permission will still be Collaborator.

DENY permissions are actually supported by the repository though, which you could possibly use to restrict permissions inherited from a parent node, but could be messy because it will be dependent on the order of permission evaluations (i.e. you'd want DENY Collaborator, DENY Coordinator etc. to be evaluated last). It may also cause complications with the Share UI and maintaining permissions since DENY permissions can't be set via the screen, so is not an option I'd want to look out without a lot of testing.

Otherwise, the way to do it is turn off inherited permissions (nodeRef.setInheritsPermissions(false)) on the node and manually add back on the permissions you need in your code. Bear in mind, this will cause you a lot of pain if you want to use Group-based permissions and the user you're restricting is a member of a group that's been given greater permissions.

The ALLOW only model is just not good at doing specific reductions in permissions for a subset of specific users where inheritance is in place. Also, turning off inheritance affects all users, not just the one you want to reduce to Consumer only, so your code would need to take care of locally repairing any of the permissions for other users removed by turning inheritance off.

Regards

Steven
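
The approach described in the reply above (turn off inheritance, then re-apply the needed permissions locally), as an added example that is not part of the original thread or Alfresco's own code. The class name `LocalPermissionReducer` and its method are hypothetical; it assumes an injected `PermissionService` and a caller that already runs inside a repository transaction.

```java
import java.util.Set;

import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessPermission;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService;

/** Hypothetical helper (name and structure are assumptions, not Alfresco code). */
public class LocalPermissionReducer {
    private final PermissionService permissionService;

    public LocalPermissionReducer(PermissionService permissionService) {
        this.permissionService = permissionService;
    }

    /** Cuts inheritance on ref, re-grants everyone else locally, leaves user with Consumer. */
    public void reduceToConsumer(final NodeRef ref, final String user) {
        AuthenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork<Void>() {
            public Void doWork() throws Exception {
                // 1. Snapshot inherited + local entries while inheritance is still on.
                Set<AccessPermission> before = permissionService.getAllSetPermissions(ref);

                // 2. Stop inheriting; the node no longer uses the parent's shared ACL.
                permissionService.setInheritParentPermissions(ref, false);

                // 3. Re-apply every ALLOW entry for other authorities as a local permission.
                for (AccessPermission ap : before) {
                    if (ap.getAccessStatus() == AccessStatus.ALLOWED
                            && !user.equals(ap.getAuthority())) {
                        permissionService.setPermission(
                                ref, ap.getAuthority(), ap.getPermission(), true);
                    }
                }

                // 4. Drop any local entries for the user, then grant Consumer only.
                permissionService.clearPermission(ref, user);
                permissionService.setPermission(ref, user, PermissionService.CONSUMER, true);
                return null;
            }
        });
    }
}
```

Group entries re-applied in step 3 still grant the user whatever their groups hold, so this only reduces the user to Consumer when no group they belong to has a higher role on the node. Permissions added to the parent later are not picked up, because the node no longer inherits.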

Thank you so much for the elaborate explanation.