
Use of Deny Permissions using API's for PermissionService

jamen
Confirmed Champ
Hi,

I'm trying to get some concrete examples of how to leverage DENY permissions on a particular node.  I have a use case where I want to grant a permission role on a folder (e.g. Collaborator), but then on some of the documents below it I won't want to allow for Edit rights.  I know that this is possible from other discussion threads, but I'm having trouble tracking down anything in Cookbooks etc.

I've been looking at the PermissionServiceImpl and am not sure of the implementation method that is used for this either.  If someone can provide me with an example in the code base if there isn't something readily available it would be most useful.

Thanks
Jamen
6 REPLIES

mrogers
Star Contributor
I'm not sure DENY permissions are used anywhere, although as you have seen there's consideration for them in the permissions service.

jamen
Confirmed Champ
But do the existing service methods support application of DENY permissions?  That's what I'm unsure of.  I know Andy Hind has mentioned DENY permissions on other forum posts.  But I've seen no programmatic evidence of this in terms of examples.

andy
Champ on-the-rise
Hi

There are some examples in the test.
It is not used much as it is not exposed in the UI.

Just use the permissions service API as you would to set - but set allow to false (i.e. deny)

Andy

binduwavell
Star Contributor
Andy,

I wrote a Java action that can apply a "DENIED" permission to a node. I ran the action on a folder in order to deny "Read" access to a user named "fisher". After running this I log the output of document.getPermissions() from some javascript, this returns the following:


ALLOWED;GROUP_Super;Coordinator,ALLOWED;GROUP_SysAdmin;Coordinator,DENIED;fisher;Read,ALLOWED;GROUP_Team;Coordinator,ALLOWED;GROUP_SysExec;Consumer


Note that fisher is in GROUP_Team. So she has Coordinator rights (this is an inherited permission for what it's worth) on the folder from that group but has specifically been denied Read access directly on the folder via her user id.

When I login as fisher and check document.hasPermission("Read") from some javascript, it returns true! I would expect false to be returned?

I validated that ${security.anyDenyDenies} is set to true (I did this in code by injecting that into a java bean and logging the value, so I know the default set in repository.properties is not being overridden).

FWIW, I have had a good look through the test cases, there is a lot there and some of it doesn't really make sense to me. I'm assuming those tests are passing in Enterprise 4.1.3… If they are, then I think that the above call to hasPermission("Read") should return false?

Taking a step back, what I want to do is the following… I have a folder structure like the following


Company Home
    eFiles
        eFile 1
        eFile 2


In general Team members should have access to everything under the eFiles folder. This is a large group that changes somewhat regularly. For legal reasons certain users are not allowed to interact with certain eFiles so we want to explicitly DENY access to eFile 2 for user fisher, who has a compliance conflict with being allowed to see the stuff in that folder.

We grant Coordinator rights to the Team group on the eFiles folder and by default all subfolders inherit this. However on eFile 2 we want to revoke access for this one user. I have tried denying "Read" or "All" for this user explicitly on the eFile 2 folder. In both cases the user is able to see the folder and when I login as her and check if she has "Read" permission on the folder she does.

Any advice would be greatly appreciated!

jamen
Confirmed Champ
Hi Andy,

Thanks for drawing my attention to that.  I should have picked up that PermissionServiceTest earlier.

One follow up question then on this, how do you clear a permission reference that's on DENY then?  Is it correct in observing that the permission service's permission deletion call treats the assignment of a PermissionReference the same way for ALLOW and DENY?  For example you assign a permission and you have the option of setting allow to be true or false, hence you would remove the permission reference on the node if you didn't need it with no reference to whether the permission is allow or delete?

Thanks
Jamen

andy
Champ on-the-rise
Hi

Yep.

  public void deletePermission(NodeRef nodeRef, String authority, String permission);

should remove matching permissions that deny or allow.

Andy
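
The calls described in Andy's two replies (setting a permission with allow set to false, and deletePermission), as an added example that is not part of the original thread or of Alfresco's code base: a hypothetical helper class `DenyPermissionHelper` records a DENY entry, confirms it is stored directly on the node, and returns what hasPermission reports when evaluated as the affected user, so the recorded entry and the effective decision can be compared. It assumes an injected `PermissionService` and a caller that is allowed to read and change permissions on the node.

```java
import java.util.Set;

import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessPermission;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService;

/** Hypothetical helper (not Alfresco code): set, verify and clear a DENY entry. */
public class DenyPermissionHelper {
    private final PermissionService permissionService; // assumed to be injected by Spring

    public DenyPermissionHelper(PermissionService permissionService) {
        this.permissionService = permissionService;
    }

    /** Same call as a grant, with allow=false; returns the effective status for that user. */
    public AccessStatus deny(final NodeRef node, final String user, final String permission) {
        permissionService.setPermission(node, user, permission, false);
        if (!hasDirectEntry(node, user, permission, AccessStatus.DENIED)) {
            throw new IllegalStateException("DENY entry was not recorded on " + node);
        }
        // Evaluate as the user: the stored entry and the effective decision are
        // separate facts, and inherited group grants also feed into the latter.
        return AuthenticationUtil.runAs(new RunAsWork<AccessStatus>() {
            public AccessStatus doWork() {
                return permissionService.hasPermission(node, permission);
            }
        }, user);
    }

    /** deletePermission has no allow flag: it is called the same way for ALLOW and DENY entries. */
    public void clear(NodeRef node, String user, String permission) {
        permissionService.deletePermission(node, user, permission);
    }

    private boolean hasDirectEntry(NodeRef node, String user, String permission, AccessStatus status) {
        Set<AccessPermission> entries = permissionService.getAllSetPermissions(node);
        for (AccessPermission e : entries) {
            if (e.isSetDirectly() && e.getAuthority().equals(user)
                    && e.getPermission().equals(permission) && e.getAccessStatus() == status) {
                return true;
            }
        }
        return false;
    }
}
```

A caller can compare the value returned by `deny(...)` against `AccessStatus.DENIED` and log a mismatch, which is the situation described earlier in the thread for user fisher.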