
Permissions, Role incorrectly assigned for user on space?

jamen
Confirmed Champ
Hi Guys,

I've been scouring the web/wiki/forums etc. and I'm trying to obtain some clear answers on how permissions work in Alfresco. Hopefully with your assistance you can give me a clear direction on why I am experiencing the issues I'm facing. I have provided the custom fragment for the permissionDefinitions.xml file; if anyone can assist it would be greatly appreciated.

      <!-- A collaborator can do anything that a contributor can do -->
      <permissionGroup name="LMRM_RecOfficer" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject"/>
      </permissionGroup>

      <!-- records permission -->
      <!-- Should be tied to the aspect -->
      <!-- ownership should be removed when using this permission -->
      <permissionGroup name="LMRM_RecAdministrator" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="LMRM_RecOfficer" type="cm:cmobject"/>
      </permissionGroup>

Problem:-
There are two permission groups defined for assignment (by role) in the samples permissions file.  These are LMRM_RecOfficer and LMRM_RecAdministrator respectively.  Note that these permissions extend from the Contributor permission group.

1. Create a folder "Test Space" in company home
2. Set the "Test Space" space not to inherit permissions and invite a test user rmadmin to have LMRM_RecAdministrator permissions and another user rmofficer to have LMRM_RecOfficer permissions on the space.
3. Set the "Test Space" to inherit permissions to the children
4. Using the rmofficer user create a space "Test Term" under "Test Space", the permissions should inherit to the child.

This is what I'm observing and believe to be correct (if this isn't what you would expect please comment):-
1. rmofficer should have full access (including delete) on "Test Term" as they are the owner?
2. rmofficer should not have delete access on "Test Space" as they only have the LMRM_RecOfficer role.

The issue I have is this. When I use permissionService.hasPermission(<Test_Term NODEREF>, "LMRM_RecAdministrator"), this returns "AccessStatus.ALLOWED". I would expect this to be "AccessStatus.DENIED" but this is not the case. I have not explicitly assigned any other permissions to either of the test spaces in question.

The ultimate goal I am trying to achieve is to allow a user to create a space, but if they do not have a particular role they SHOULDN'T have delete access to the node.  Hence I'm trying to revoke delete permissions.  The problem is that I can't ascertain whether I should revoke the permission at this stage.

Cheers
Jamen
1 REPLY

lpiguet
Champ in-the-making
If I am not mistaken, users have full rights on the content they create. Therefore people have delete rights on the space they created, unless the ownership is yanked away, possibly by a space content rule.
Just a suggestion… I am by no means an expert, but hopefully this can help you.
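
The following is an added example, not part of the thread and not Alfresco code: a simplified Python model of the scenario in the question, showing how an owner grant would make a check for "LMRM_RecAdministrator" succeed on "Test Term" while it fails on "Test Space". It assumes, as the reply suggests, that a node's owner is granted every permission; `Node`, `implies`, `has_permission`, `build_scenario` and the owner "admin" of "Test Space" are hypothetical names constructed for illustration.

```python
# Simplified model of the behaviour discussed in this thread; not Alfresco code.
# Assumption (taken from the reply): a node's owner is granted every permission.

# Permission groups from the posted fragment: name -> groups it includes.
INCLUDES = {
    "LMRM_RecAdministrator": ["LMRM_RecOfficer"],
    "LMRM_RecOfficer": ["Contributor"],
    "Contributor": [],
}

def implies(granted, wanted):
    """True if holding `granted` also gives `wanted` through included groups."""
    return granted == wanted or any(
        implies(g, wanted) for g in INCLUDES.get(granted, []))

class Node:
    def __init__(self, name, owner, parent=None, inherit=True):
        self.name, self.owner = name, owner
        self.parent, self.inherit = parent, inherit
        self.aces = []  # (authority, permission group) set directly on this node

    def effective_aces(self):
        """Local entries plus the parent's, when inheritance is switched on."""
        if self.parent is not None and self.inherit:
            return self.aces + self.parent.effective_aces()
        return list(self.aces)

def has_permission(node, user, permission):
    if user == node.owner:  # the owner grant is evaluated before any ACL entry
        return "ALLOWED"
    for authority, granted in node.effective_aces():
        if authority == user and implies(granted, permission):
            return "ALLOWED"
    return "DENIED"

def build_scenario():
    """Steps 1-4 of the question; the owner "admin" is a constructed value."""
    space = Node("Test Space", owner="admin", inherit=False)
    space.aces = [("rmadmin", "LMRM_RecAdministrator"),
                  ("rmofficer", "LMRM_RecOfficer")]
    term = Node("Test Term", owner="rmofficer", parent=space)
    return space, term

if __name__ == "__main__":
    space, term = build_scenario()
    for node in (space, term):
        print(node.name, has_permission(node, "rmofficer", "LMRM_RecAdministrator"))
    term.owner = "admin"  # ownership moved away from the creator
    print(term.name, has_permission(term, "rmofficer", "LMRM_RecAdministrator"))
```

In this model, once ownership of "Test Term" no longer rests with rmofficer, only the inherited LMRM_RecOfficer entry applies and the administrator check is denied.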