Simple workflow and permission limits

sweep
Champ in-the-making
We need to create a simple workflow with 2 steps (using v. 1.3):
STEP 1) a USER sends a document for approval and the document is moved to another space (pending documents).
STEP 2) an ADMIN (who has permission to access the pending documents space) approves the document (and moves it to another folder) or rejects it (and moves it …).

We created a writer role to let user write in the pending document folder as explained in a previous message.

Now the document is in the pending documents folder, but if we add a content rule to approve/reject, the initial user cannot send for approval.

Is there a workaround? I read some messages suggesting impersonating an admin user. Is this possible? How?
I was thinking about using a third space, using a script and a scheduler.

We haven't seen any reply and we need to start our project asap.

Thank you for help,

Marco
9 REPLIES 9

rivetlogic
Champ on-the-rise
Hi,

Now the document is in the pending documents folder, but if we add a content rule to approve/reject, the initial user cannot send for approval.

Can you give more details on what you mean by this?

Regards,

–Aladdin

sweep
Champ in-the-making
If you create a user with the CreateChildren permission who can only write in a folder (no Read and Write permission),
you invite this user to the pending documents folder,
and you create a content rule to send for approval:

a) if no content rule is applied to the pending documents folder, the user can move the document using Send for Approval –> OK
b) if a content rule is applied to the pending documents folder, the user cannot move the document using Send for Approval –> KO, permission denied.

It's not clear which permissions control content rules.

Marco

rivetlogic
Champ on-the-rise
Hi,

The permissions for the different Alfresco services are defined in public-services-security-context.xml.

The service you're asking about is the RuleService, which states that:

<!-- ================ -->
<!-- The Rule Service -->
<!-- ================ -->

<!-- The rule service does not require any security restrictions, they are imposed -->
<!-- by the node service it uses to do its work.                                   -->

<bean id="RuleService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />

In other words you need to look at the NodeService permissions. The reason you're having trouble with the simple workflow created in the pending approval space is that when the rule fires, some NodeService methods need to be called, and they require most if not all of the permissions in the Read permission group (including ReadContent).

If you add all the permissions in the Read permission group (except for ReadContent) to the Writer role you will not get the permission denied error but the simple workflow will not be applied to the node when it enters the pending approval space.

A quick workaround would be to create two place holder spaces that act as interim steps (or hops) in the workflow. For example:

- Create two new spaces called _interim_Drafts and _interim_PendingApproval

- Make sure both Writers and Approvers have read/write access to those spaces

- Add a simple workflow in the _interim_PendingApproval space to add the Approve/Reject steps and then "move" the node to the Pending Approval space. That way you don't need any Read permissions on the Pending Approval Space. You would also need to make sure that the reject step will move the node to _interim_Drafts instead of Drafts.

- Use the same logic for the _interim_Drafts space by adding a simple workflow to Send for Approval as the accept step and move the document to the _interim_PendingApproval space. Then move the node to the Drafts space.

- You will also need to replicate the latter simple workflow on the Drafts space for items that are created or uploaded into it by the Writers.

It's a little complicated but it will work.

Hope this helps,

–Aladdin

sweep
Champ in-the-making
Thank you for help.
Your solution simply works…
One placeholder space was enough, because the Drafts folder was accessible by both writer and approver.


Marco

sweep
Champ in-the-making
Hi all,
the solution proposed by RivetLogic is OK, but if you have different workflows (i.e. we have several approvals required in sequence) it is not enough.

If the user is the creator of the document, it is OK.
We have a second user who has to verify the document and give his approval.

In this case the "Writer" role solution with Interim spaces doesn't work.
Marco

seraphon
Champ in-the-making
Hi

I don't know if this will interest anyone, seeing how old the subject is, but I found a solution to this problem.

I've created a role in permissionDefinition.xml called Tester.
Tester has a custom permission I called Workf.
Workf is defined as follows:

<permissionGroup name="Workf" expose="true" allowFullControl="false">
    <includePermissionGroup type="sys:base" permissionGroup="MoveChildren"/>
</permissionGroup>

<permissionGroup name="MoveChildren" expose="true" allowFullControl="false">
    <includePermissionGroup type="sys:base" permissionGroup="DeleteNode"/>
    <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
    <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
    <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
    <includePermissionGroup type="sys:base" permissionGroup="DeleteChildren"/>
    <includePermissionGroup type="sys:base" permissionGroup="CreateChildren"/>
    <includePermissionGroup type="sys:base" permissionGroup="LinkChildren"/>
    <includePermissionGroup type="sys:base" permissionGroup="DeleteAssociations"/>
    <includePermissionGroup type="sys:base" permissionGroup="CreateAssociations"/>
    <includePermissionGroup type="sys:base" permissionGroup="Write"/>
</permissionGroup>


Then I added a DummyPermission:

<permissionGroup name="DummyPermission" expose="true" allowFullControl="false" />


Add it to the group Delete.
Create 2 groups:
CreateChildren2, which contains CreateChildren and DummyPermission;
Write2, which contains Write and DummyPermission.

What's the use of DummyPermission, you wonder?
Well, in order to approve (or reject) a workflow the user Tester must have the rights to create and delete a file (in short, to move it), but of course we don't want this user Tester to actually be able to create or delete files.

In web-client-config-actions.xml, icons are associated with actions, such as:

<action id="edit_doc_http">
    <permissions>
        <permission allow="false">Workf</permission>
        <permission allow="true">Write2</permission>
    </permissions>
    <evaluator>org.alfresco.web.action.evaluator.EditDocHttpEvaluator</evaluator>
    <label-id>edit</label-id>
    <image>/images/icons/edit_icon.gif</image>
    <action-listener>#{CheckinCheckoutBean.editFile}</action-listener>
    <params>
        <param name="id">#{actionContext.id}</param>
    </params>
    <!-- can also specify style, class etc. but this is better done in 'actions' element -->
</action>
But you can see that now this icon won't appear for the user Tester, because he doesn't have the right Write2, even though he has the right Write, which is what is needed in order to actually write a file.
All you need to do now is to add:

<action id="approve_doc">
    <permissions>
        <permission allow="true">Workf</permission>
    </permissions>
    …..
…..

So now the user Tester can see the approve icon even if he doesn't own the file, and can use it because he has all the necessary permissions.

Hope that helps some people and if it did, please help me in this matter  :wink: http://forums.alfresco.com/viewtopic.php?t=7080

If I made a mistake, or if those changes could bring some trouble, please inform me, for I am actually using it and it doesn't seem to cause problems.

Regards
seraphon
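The groups from the post above, collected into one permissionDefinitions.xml fragment as an added example (not seraphon's own file and not Alfresco's shipped one). Assumptions: the groups live in the sys:base permission set and the Tester role in the cm:cmobject set next to the built-in roles, the existing contents of the Delete group are abbreviated to a comment, and CreateChildren2 is assumed to back the create/upload actions the way Write2 backs edit.

```xml
<!-- Added example assembling seraphon's groups; placement of the groups is assumed -->
<permissionSet type="sys:base" expose="all">

  <!-- Marker group: grants nothing by itself, it only tags roles that really may write/create -->
  <permissionGroup name="DummyPermission" expose="true" allowFullControl="false" />

  <!-- Existing Delete group, with the marker added so normal roles holding Delete also hold it -->
  <permissionGroup name="Delete" expose="true" allowFullControl="false">
    <!-- ... existing includes of the shipped Delete group stay unchanged here ... -->
    <includePermissionGroup type="sys:base" permissionGroup="DummyPermission" />
  </permissionGroup>

  <!-- Write2 / CreateChildren2: what the web-client actions test instead of Write / CreateChildren -->
  <permissionGroup name="Write2" expose="true" allowFullControl="false">
    <includePermissionGroup type="sys:base" permissionGroup="Write" />
    <includePermissionGroup type="sys:base" permissionGroup="DummyPermission" />
  </permissionGroup>
  <permissionGroup name="CreateChildren2" expose="true" allowFullControl="false">
    <includePermissionGroup type="sys:base" permissionGroup="CreateChildren" />
    <includePermissionGroup type="sys:base" permissionGroup="DummyPermission" />
  </permissionGroup>

  <!-- MoveChildren: everything the NodeService needs to move a node, as listed in the post -->
  <permissionGroup name="MoveChildren" expose="true" allowFullControl="false">
    <includePermissionGroup type="sys:base" permissionGroup="DeleteNode" />
    <includePermissionGroup type="sys:base" permissionGroup="ReadProperties" />
    <includePermissionGroup type="sys:base" permissionGroup="ReadChildren" />
    <includePermissionGroup type="sys:base" permissionGroup="ReadContent" />
    <includePermissionGroup type="sys:base" permissionGroup="DeleteChildren" />
    <includePermissionGroup type="sys:base" permissionGroup="CreateChildren" />
    <includePermissionGroup type="sys:base" permissionGroup="LinkChildren" />
    <includePermissionGroup type="sys:base" permissionGroup="DeleteAssociations" />
    <includePermissionGroup type="sys:base" permissionGroup="CreateAssociations" />
    <includePermissionGroup type="sys:base" permissionGroup="Write" />
  </permissionGroup>

  <!-- Workf: the only group the approve/reject actions require; it does NOT include DummyPermission -->
  <permissionGroup name="Workf" expose="true" allowFullControl="false">
    <includePermissionGroup type="sys:base" permissionGroup="MoveChildren" />
  </permissionGroup>
</permissionSet>

<!-- The role itself, defined alongside the built-in roles (placement assumed) -->
<permissionSet type="cm:cmobject" expose="selected">
  <permissionGroup name="Tester" expose="true" allowFullControl="false">
    <includePermissionGroup type="sys:base" permissionGroup="Workf" />
  </permissionGroup>
</permissionSet>
```

Note that Workf still carries Write, CreateChildren, DeleteNode and ReadContent through MoveChildren, so the repository itself will let a Tester write, create, delete and read content through any other client or API; the Write2/CreateChildren2 test only hides icons in the web client.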

lauvanya
Champ in-the-making
Can anyone help me locate the file 'permissionDefinition.xml'? I am not able to find the file on the server.

As of version 5.1 it's now held within the alfresco-repository.jar file (/alfresco/model/permissionDefinitions.xml)

Also pay attention to sitePermissionDefinitions.xml in the same location which layers on the permissions used in Share for sites.

Regards

Steven

mgeorge
Champ in-the-making
Hi Seraphon,

The above thread documents exactly my requirements (a new user role should only have permission to Approve/Reject), but I am having some difficulty getting this to work. I have updated permissionDefinitions.xml as explained, and also web-client-config-actions.xml, but icons for other functionality are still appearing and users can delete docs etc. Is the example complete? E.g. you create a permission group CreateChildren2, but I can't see this referenced anywhere.

Does anyone have a complete permissionDefinitions.xml and web-client-config-actions.xml they can share?

Thanks,
Mike