Security roles for 1.1

ell
Champ in-the-making
Hello there

I am looking into the security roles for release 1.1
Could anyone please explain what rights each one of them has?
Is there a tutorial available on how to use these roles (maybe from the pro edition)?

I thought that if I was a guest, I shouldn't be able to add a space or create content. But what is more strange I can create a space, I can create content but I cannot add a content. Is this the case?

Also I have created a workflow rule which moves data from one space (drafts) to another (approved). In order for my content to move, it seems that the user should be a coordinator or contributor to the (approve) space as well. Can I configure it so that the user has only read access to the approve space?

Thanks

abrar
Champ in-the-making
Hi

First, thanks to the Alfresco team for releasing open source version 1.1 with roles :)   This is really helpful.

I am experimenting with Alfresco Open source version 1.1 and I have the same question as in the previous post about roles. I am working with the Software Engineering Project template.  And only the user with coordinator role is able to request for approval and also approve. Other users with contributor or editor roles only have permission to edit or add content but are unable to request for approval. Would appreciate if someone throws light on the various alfresco roles. 

I want to know how to setup users so that the user who has rights to request for approval is different from the user that has right to approve. Currently AFAIK only coordinator has rights to request for approval and approve, which I think is not right.

Thanks
Abrar

andy
Champ on-the-rise
Hi

All roles and permissions are defined in permissionDefinitions.xml in
config/alfresco/model.

I will go through the roles as they stand but bear in mind

1) You may be inheriting permissions
2) You may have permissions from the ALL group
3) You may have permissions from being the owner
4) And if you have groups you may have permissions because of group membership.

See http://www.alfresco.org/mediawiki/index.php/Security_and_Authentication

So:



   <!-- ============================== -->
   <!-- Permissions for spaces/folders -->
   <!-- ============================== -->


   <permissionSet type="cm:folder" expose="selected">
        <!-- Kept for backward compatibility - the folder administrator permission has   -->
        <!-- been removed to avoid confusion                                             -->
        <permissionGroup name="Administrator" allowFullControl="true" expose="false" />

        <!-- A coordinator can do anything in the folder or its children unless the      -->
        <!-- permissions are set not to inherit or permission is denied.                 -->
        <permissionGroup name="Coordinator" allowFullControl="true" expose="true" />

        <!-- A contributor can create content and then they have full permission on what -->
        <!-- they have created - via the permissions assigned to the owner.              -->
        <permissionGroup name="Contributor" allowFullControl="false" expose="true" >
            <!-- Contributor is a guest who can add content, and then can modify via the -->
            <!-- owner permissions.                                                      -->
            <includePermissionGroup permissionGroup="Guest" type="cm:folder"/>
            <includePermissionGroup permissionGroup="AddChildren" type="sys:base"/>
            <!-- Check out requires write permissions so this will not apply to all      -->
            <!-- documents.                                                              -->
            <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>
        </permissionGroup>

        <!-- An editor can read and write to anything in a space; they can not create    -->
        <!-- new nodes. They can check out content into a space to which they have       -->
        <!-- create permission.                                                          -->
        <permissionGroup name="Editor"  expose="true" allowFullControl="false" >
            <includePermissionGroup type="cm:folder" permissionGroup="Guest"/>
            <includePermissionGroup type="sys:base" permissionGroup="Write"/>
            <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>
        </permissionGroup>

        <!-- The guest permission allows read to everything by default.                  -->
        <permissionGroup name="Guest" allowFullControl="false" expose="true" >
            <includePermissionGroup permissionGroup="Read" type="sys:base" />
        </permissionGroup>
   </permissionSet>



To summarise:

Guest can read

Editor has all the permissions of Guest but can write properties and content. The editor can not create content. An editor can check out content - but the working copy will have to be in a space to which they have create access e.g. their home space.

Contributor has guest permissions + creation + check out of things they can write.
They can not edit content they do not own. They get all permissions for the content they create - which by default they own. If they lose ownership they lose permissions ….unless you have explicitly given them permissions in some other way ….

Coordinator can do anything in the space and sub-spaces which inherit permissions.

I am not sure which permissions are used for approval check.


You can change the definitions - they are read at start up.



I thought that if I was a guest, I shouldn't be able to add a space or create content. But what is more strange I can create a space, I can create content but I cannot add a content. Is this the case?

This sounds like you are also a contributor - this may be inherited …
I am not sure what add a content means - as opposed to create??

Regards

Andy

abrar
Champ in-the-making
Andy, Thanks for response. Glad to know that permissions can be altered via permissionDefinitions.xml.  I am able to add delete permissions to a role by modifying that file.

<permissionGroup name="Contributor" allowFullControl="false" expose="true" >

….

    <!-- Added Delete permissions -->
    <includePermissionGroup permissionGroup="Delete" type="sys:base"/>

</permissionGroup>

Now I would like to know if its possible to apply permission to rules or workflows, So user with that role will be able to execute a workflow without worrying about folder or node permissions. Please do point me in the right direction.  Any information would help.

Thanks
Abrar.

andy
Champ on-the-rise
Hi

Rules set to run in the background run as "system".
Rules that execute at the end of a transaction run as the current user.

I have raised bug AR-313 against this.

There is already an enhancement request for rules to "run as" another user.

So in the short term you can work round this issue by running the rule in the background.

Actions executed direct from the UI will always run as the system user.

Cheers

Andy

erlywom
Champ in-the-making
Hi,

I have faced some problems while using Alfresco.

1. If I'm the Contributor, can I send the document for approval?
2. If I'm not mistaken, when a workflow is created, I cannot assign the approver. So, may I know who has the access right to approve the document?

Thanks.

gavinc
Champ in-the-making
Hi,

The approve and reject actions are not protected by any permission, therefore it will depend on the permissions of the spaces involved in the workflow and the permissions assigned to them.

For example if you have a workflow that moves a document to space A when it is approved then the user approving the document must have "delete" permission on the existing space and "contributor" or "coordinator" on space A.

Feel free to raise a feature request on JIRA if you would like permissions to be applied to the actual approve and reject actions, or alternatively, you can define your own permissions and add a permission evaluator around the action in document-details.jsp

Hope this helps.

paulhh
Champ in-the-making
Just to update this thread to the latest default set of roles (1.2):

Consumer = Read spaces and content
Editor = Consumer + edit existing content
Contributor = Consumer + add new content
Collaborator = Editor + Contributor
Coordinator = Full Control

Paul.

pej
Champ in-the-making
What differentiates Coordinator from Collaborator? If I look at it from a truth-table view they have the same rights. Are there more rights included in "Full Control"?

Regards

andy
Champ on-the-rise
Hi

Full control adds the rest - e.g. setting permissions.

See http://wiki.alfresco.com/wiki/Security_and_Authentication#Default_Permissions
for the gory details.

Andy
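As an added example (not code from this thread and not Alfresco's own), here is a small Python script that reads a permissionDefinitions.xml-style document and expands each permissionGroup's includePermissionGroup references transitively, so the effective rights of every role can be tabulated the way Andy's summary above does, and so pej's truth-table comparison of Coordinator and Collaborator can be done mechanically. The embedded XML is constructed for the example: the cm:folder set is Andy's 1.1 excerpt, the Collaborator group is modelled on Paul's 1.2 description (Editor + Contributor) and is not in the 1.1 file, and the sys:base and cm:lockable leaf groups are simplified stand-ins (the real file defines many finer-grained permissions). The function names load_groups, effective_permissions, role_table, role_differences and add_include are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample document, not the real permissionDefinitions.xml:
# cm:folder is the 1.1 excerpt from the thread, Collaborator is modelled on the
# 1.2 description, and the sys:base / cm:lockable leaves are simplified stand-ins.
PERMISSION_DEFINITIONS = """
<permissions>
  <permissionSet type="sys:base" expose="all">
    <permissionGroup name="Read" allowFullControl="false" expose="true"/>
    <permissionGroup name="Write" allowFullControl="false" expose="true"/>
    <permissionGroup name="Delete" allowFullControl="false" expose="true"/>
    <permissionGroup name="AddChildren" allowFullControl="false" expose="true"/>
  </permissionSet>
  <permissionSet type="cm:lockable" expose="selected">
    <permissionGroup name="CheckOut" allowFullControl="false" expose="true"/>
  </permissionSet>
  <permissionSet type="cm:folder" expose="selected">
    <permissionGroup name="Administrator" allowFullControl="true" expose="false"/>
    <permissionGroup name="Coordinator" allowFullControl="true" expose="true"/>
    <permissionGroup name="Contributor" allowFullControl="false" expose="true">
      <includePermissionGroup permissionGroup="Guest" type="cm:folder"/>
      <includePermissionGroup permissionGroup="AddChildren" type="sys:base"/>
      <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>
    </permissionGroup>
    <permissionGroup name="Editor" expose="true" allowFullControl="false">
      <includePermissionGroup type="cm:folder" permissionGroup="Guest"/>
      <includePermissionGroup type="sys:base" permissionGroup="Write"/>
      <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>
    </permissionGroup>
    <permissionGroup name="Guest" allowFullControl="false" expose="true">
      <includePermissionGroup permissionGroup="Read" type="sys:base"/>
    </permissionGroup>
    <permissionGroup name="Collaborator" allowFullControl="false" expose="true">
      <includePermissionGroup type="cm:folder" permissionGroup="Editor"/>
      <includePermissionGroup type="cm:folder" permissionGroup="Contributor"/>
    </permissionGroup>
  </permissionSet>
</permissions>
"""

FULL_CONTROL = "FullControl"  # marker standing in for allowFullControl="true"

def load_groups(xml_text):
    """Index every permissionGroup by (set type, name) with its flag and includes."""
    groups = {}
    for pset in ET.fromstring(xml_text).iter("permissionSet"):
        ptype = pset.get("type")
        for group in pset.findall("permissionGroup"):
            groups[(ptype, group.get("name"))] = {
                "full_control": group.get("allowFullControl", "false") == "true",
                "includes": [(inc.get("type"), inc.get("permissionGroup"))
                             for inc in group.findall("includePermissionGroup")],
            }
    return groups

def effective_permissions(groups, ptype, name, _stack=()):
    """Expand includes transitively into leaf permission names. A full-control
    group collapses to FULL_CONTROL: it is not the union of any include list."""
    key = (ptype, name)
    if key not in groups:
        raise KeyError("undefined permission group %s:%s" % key)
    if key in _stack:
        raise ValueError("include cycle through %s:%s" % key)
    group = groups[key]
    if group["full_control"]:
        return {FULL_CONTROL}
    if not group["includes"]:
        return {name}  # a leaf permission
    leaves = set()
    for inc_type, inc_name in group["includes"]:
        leaves |= effective_permissions(groups, inc_type, inc_name, _stack + (key,))
    return leaves

def role_table(groups, ptype):
    """Effective permissions of every role defined on one type, e.g. cm:folder."""
    return {name: sorted(effective_permissions(groups, t, name))
            for (t, name) in groups if t == ptype}

def role_differences(groups, ptype, a, b):
    """What role a can do that role b cannot; FULL_CONTROL beats any list."""
    pa = effective_permissions(groups, ptype, a)
    pb = effective_permissions(groups, ptype, b)
    if FULL_CONTROL in pb:
        return set()
    if FULL_CONTROL in pa:
        return {FULL_CONTROL}
    return pa - pb

def add_include(groups, ptype, name, inc_type, inc_name):
    """Model an edit to the file (e.g. abrar's sys:base Delete on Contributor)
    and return the role's new effective permissions so it can be checked."""
    groups[(ptype, name)]["includes"].append((inc_type, inc_name))
    return effective_permissions(groups, ptype, name)

if __name__ == "__main__":
    defs = load_groups(PERMISSION_DEFINITIONS)
    for role, perms in sorted(role_table(defs, "cm:folder").items()):
        print("%-13s %s" % (role, ", ".join(perms)))
```

Two things the table makes visible that the prose leaves implicit. First, Coordinator and Collaborator look identical only if full control is modelled as the union of the include lists; allowFullControl="true" is a separate grant that covers rights (such as changing permissions) which appear in no other group's include list, which is why the script keeps it as a marker rather than a set. Second, because roles are composed by inclusion, an edit like adding Delete to Contributor also changes every role that includes Contributor (Collaborator here); since the file is only read at startup, running a check like this before restarting is cheaper than discovering the widened role afterwards.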