[Solved] Problem : Create a new role

emmanuel
Champ in-the-making
Hi everybody,

I'm working on the Alfresco project for my company, and it seems to be very powerful. However, I've run into some trouble… Let me explain:

I want to have a workflow (not very difficult, for this step  :wink: )
So I have 3 folders:
  => "Drafts"
  => "Pending approval"
  => "Published"

So, I have 3 groups:
  => "Writers"
  => "Approvers"
  => "Administrators"

Indeed, I want the writers to request an approval for a document, but not TO BE ABLE TO VIEW THE FOLDER "Pending approval".

That's my problem, it seems that there is no solution except creating a new role. So, I decided to create a role, in order to write in a folder where the user cannot read.

In the permissionDefinitions.xml, I had the following:


<!-- Added a permission that allows adding documents to a folder on which the user has no read access -->
<permissionGroup name="Redacteur" allowFullControl="false" expose="true">
   <!-- <includePermissionGroup permissionGroup="Read" type="sys:base" /> -->
   <includePermissionGroup permissionGroup="AddChildren" type="sys:base" />
   <includePermissionGroup permissionGroup="Write" type="sys:base" />
   <includePermissionGroup permissionGroup="CheckOut" type="cm:lockable" />
</permissionGroup>

But it still doesn't work! I don't see where I could have made a mistake!

If someone has a solution, I hope for a lot of help  :cry:

P.S.: I have already tried to create a "temp" folder, where I created a copy rule, but it doesn't work either…

Thanks.
40 REPLIES

rivetlogic
Champ on-the-rise
Hi,

If I understand what you're trying to do correctly, then you don't really need to create a new role.

Your Writers have access to the Drafts folder and they edit documents there. When they're done they request approval upon which the document is copied to the Pending Approval folder. You don't want the Writers to even see the Pending Approval folder. But you would like for the Approvers to see it.

Before I tell you how to do that, keep in mind that by default space permissions are inherited from the parent. And also, by default there is a group called EVERYONE that has Consumer (read-only) access to Company Home.

So, to disallow Writers from seeing the Pending Approvals folder, you need to:

- Log in as admin
- Browse to Pending Approvals folder
- Go to Manage Space Users
- Uncheck Inherit Parent Space Permissions
- Invite users/groups to that folder in the way you want them to see it
- Make sure that you don't invite Writers

Hope this helps.

–Aladdin

emmanuel
Champ in-the-making
I agree with your point of view.

But when a user has no right to read, he can't write in a folder.

So if my writers request an approval, I want to move my file into the "Pending approval" folder. And actually, I can't… With your solution, I can't send my file to the approval folder.


I'll outline what I want:

1) Writer A writes doc1.

2) Writer A wants an approval of doc1.

3) I create a "simple workflow rule" => move doc1 in pending approval folder

4) Writer A applies the rule, doc1 is in the pending folder. Writer A doesn't see it.

5) Approver B sees the file in the pending folder, and can validate or reject it.

Actually, I have a problem in (3): I get the error "permission denied, work didn't commit", you don't have the right to write in this folder.

That's strange…

Another idea?

rivetlogic
Champ on-the-rise
Sorry, my apologies. You're right, to do that you need write and no-read access to the Pending Approval folder.

You will need to create a new role; let's call it Writer.

In permissionDefinitions.xml you need to do the following:
<!-- ============================================= -->
<!-- Convenient groupings of low level permissions -->
<!-- ============================================= -->

      …
      <permissionGroup name="CreateNodes" expose="true" allowFullControl="false" />

<!-- The permission to create new nodes -->

      <permission name="CreateChildren" expose="true" >
         <grantedToGroup permissionGroup="AddChildren" />
         <!-- Add this line -->
         <grantedToGroup permissionGroup="CreateNodes" />
         <!-- Commented out parent permission check …
         <requiredPermission on="parent" name="ReadChildren" implies="false" />
         -->
      </permission>

<!-- Custom Role Begin -->
<!-- A Writer can only create content -->
   <permissionGroup name="Writer" allowFullControl="false" expose="true" >
     <includePermissionGroup type="sys:base" permissionGroup="CreateNodes" />
   </permissionGroup>
<!-- Custom Role End -->

<permissionGroup name="Writer" extends="true" expose="true"/>

Invite Writers to the Pending Approval folder with the Writer role.

Hope this helps.

–Aladdin
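
The edit in the post above can be checked mechanically; this is an added example, not part of the original post and not Alfresco code. It compares the edited CreateChildren definition with the definition before the edit and reports the check that was removed and the grant that was added. The `<permissionSet>` wrapper, the function names `load` and `audit`, and both embedded fragments are constructed for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed fragments: BASELINE is CreateChildren before the post's edit, CUSTOM is
# the edited version. The <permissionSet> wrapper is an assumption so each parses alone.
BASELINE = """<permissionSet type="sys:base">
  <permission name="CreateChildren" expose="true">
    <grantedToGroup permissionGroup="AddChildren"/>
    <requiredPermission on="parent" name="ReadChildren" implies="false"/>
  </permission>
</permissionSet>"""
CUSTOM = """<permissionSet type="sys:base">
  <permissionGroup name="CreateNodes" expose="true" allowFullControl="false"/>
  <permission name="CreateChildren" expose="true">
    <grantedToGroup permissionGroup="AddChildren"/>
    <grantedToGroup permissionGroup="CreateNodes"/>
    <!-- <requiredPermission on="parent" name="ReadChildren" implies="false"/> -->
  </permission>
  <permissionGroup name="Writer" allowFullControl="false" expose="true">
    <includePermissionGroup type="sys:base" permissionGroup="CreateNodes"/>
  </permissionGroup>
</permissionSet>"""

def load(xml_text):
    root = ET.fromstring(xml_text)  # commented-out elements are dropped by the parser
    perms, groups = {}, {}
    for p in root.iter("permission"):
        granted = {g.get("permissionGroup") for g in p.iter("grantedToGroup")}
        required = {(r.get("on"), r.get("name")) for r in p.iter("requiredPermission")}
        perms[p.get("name")] = (granted, required)
    for g in root.iter("permissionGroup"):
        groups[g.get("name")] = {i.get("permissionGroup") for i in g.iter("includePermissionGroup")}
    return perms, groups

def audit(baseline_xml, custom_xml):
    """List required checks removed and grants added relative to the baseline."""
    base, _ = load(baseline_xml)
    cust, groups = load(custom_xml)
    findings = []
    for name, (granted, required) in cust.items():
        b_granted, b_required = base.get(name, (set(), set()))
        for on, req in sorted(b_required - required):
            findings.append(f"{name}: dropped required {req} on {on}")
        for grp in sorted(granted - b_granted):
            roles = sorted(r for r, inc in groups.items() if grp in inc)
            findings.append(f"{name}: newly granted to {grp} (roles: {', '.join(roles) or 'none'})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(BASELINE, CUSTOM)))
```

The first finding applies to the CreateChildren permission itself, so the parent ReadChildren check is gone for every group granted that permission, AddChildren included, and not only for the new Writer role.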

emmanuel
Champ in-the-making
Thanks a lot for your help, I'll check that solution now!

I'll tell you whether it works or not!

emmanuel
Champ in-the-making
Hi,

First, thanks a lot for taking care of my problem!

But it still doesn't work. I've done what you wrote; it was close to what I did the first time. But it doesn't work…

I think we're close to the solution, but I can't see where the problem is!

If an Alfresco engineer could help, it would be wonderful  :wink:

rivetlogic
Champ on-the-rise
Hi,

I actually tried it and it works for me. How is it not working for you? What I do is:

- As admin I add a rule to the Drafts folder:
    - Inbound
    - All items
    - Add simple workflow to copy doc. to Pending Approval folder and call the Accept step Send for approval
- Invite Writers group to Pending Approval folder with Writer role that we defined earlier

- As a writer I upload a file into the Drafts folder

- Run Action: Send for approval

- The writer can't see the Pending Approval folder but the doc is copied into it

- I log in as an Approver and I see the Pending Approval folder with the doc in it.

If these steps are different from what you do can you post the differences?

It would also help if you post your permissionDefinitions.xml file.

Thanks,

–Aladdin

emmanuel
Champ in-the-making
Fine!

Thanks a lot it works!

I found the only difference between me and you: it's in the approval rule!

Let me explain: you've written "Add simple workflow to copy doc", but I use the rule "Add simple workflow to move doc". So I get the following error: Permission denied.

I tried your solution with your rule and, indeed, it works! But you copy the file, and I wanted it to be moved, but it doesn't appear to be possible right now!

I'll mail the administrator of the forum to have a look at this conversation; I think it will improve the development of the future version of Alfresco!

Thanks a lot.

Hope a developer of the application could answer. :wink:

rivetlogic
Champ on-the-rise
Hi,

I tried moving the doc instead of copying it and it still works. I didn't have to change anything else. The roles are the same, and the simple workflow rule was changed to move the file instead of copy it.

I'm using Alfresco version 1.2.0 enterprise edition. I don't think you've hit an Alfresco bug. It's most probably something else.

Can you post your permissionDefinitions.xml file, or at least the relevant parts?

Cheers,

PS: If the copy worked but the move didn't, it seems that you do not have delete permissions on the Drafts folder.

–Aladdin

andy
Champ on-the-rise
Hi

It is possible to change the permissions required for move (and copy) in
config\alfresco\public-services-security-context.xml.

This would affect all moves.

If you want more control you could

1) Add an action that moves regardless of permissions
2) Use an action that can run as the person who created it
3) Add a new service and protect it and add an action for the service

I am not sure if option 2 is available in general.
It can be used for scheduled actions.

Regards

Andy