
sbeltrami
A user who manages system users must currently be a Coordinator, or be granted a specific permission for it.
We need a user who can create users and manage permissions, but who cannot modify content or spaces.
Is that possible?

zaizi
We have not done exactly this, but we can point you in the right direction; try it and let us know how it goes. Besides the two files below, you will probably also have to adjust the Alfresco web client: some of the UI elements for creating users and changing permissions are only rendered for admin users, so once the foundation services allow the new role to call those methods, the web client still needs to be modified to show the corresponding UI. Keep in mind that the web-client check and the service-layer check are independent; hiding a button does not restrict the API, and opening the API does not by itself reveal the button.

To manage the permissions of a space, the role needs read and write access to the space's properties, and it needs the permission that allows changing a node's ACL. The roles are defined in /tomcat/webapps/alfresco/WEB-INF/classes/alfresco/model/permissionDefinitions.xml; the section you should look at is below. Note that the sys:base permission set in the same file (not shown here) distinguishes reading an ACL (the ReadPermissions group that Contributor includes) from changing it, and the only roles below that can change an ACL are those with allowFullControl="true", i.e. Coordinator. So build a new, narrowly scoped permissionGroup for your user-administration role rather than handing out Coordinator, which also grants every write and delete permission on the space and its children.

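<!-- ================================================ -->
   <!-- Permissions available to all content and folders -->
   <!-- ================================================ -->
  
   <!-- Role groups for cm:cmobject, i.e. every content node and folder.           -->
   <!-- expose appears to control whether a group is offered for selection in the  -->
   <!-- client UI (expose="false" groups remain usable from the API). A group with  -->
   <!-- allowFullControl="true" gets every permission defined on the node, which   -->
   <!-- presumably includes the right to change its ACL; such a group must only be -->
   <!-- given to users who are trusted to re-grant the node to anyone else.        -->
   <permissionSet type="cm:cmobject" expose="selected">
      
      <!-- Kept for backward compatibility - the administrator permission has   -->
      <!-- been removed to avoid confusion. Not exposed, but still grantable via API. -->
      <permissionGroup name="Administrator" allowFullControl="true" expose="false" />
     
      <!-- A coordinator can do anything to the object or its children unless the      -->
      <!-- permissions are set not to inherit or permission is denied.                 -->
      <permissionGroup name="Coordinator" allowFullControl="true" expose="true" />
     
      <!-- A collaborator can do anything that an editor and a contributor can do -->
      <permissionGroup name="Collaborator" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="Editor" type="cm:cmobject" />
         <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject" />
      </permissionGroup>
     
      <!-- A contributor can create content and then they have full permission on what -->
      <!-- they have created - via the permissions assigned to the owner.              -->
      <permissionGroup name="Contributor" allowFullControl="false" expose="true" >
          <!-- Contributor is a consumer who can add content, and then can modify via the -->
          <!-- owner permissions. ReadPermissions only lets them view the ACL, not edit it. -->
          <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject"/>
          <includePermissionGroup permissionGroup="AddChildren" type="sys:base"/>
          <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />
      </permissionGroup>
     
      <!-- An editor can read and write to the object; they can not create             -->
      <!-- new nodes. They can check out content into a space to which they have       -->
      <!-- create permission.                                                          -->
      <permissionGroup name="Editor"  expose="true" allowFullControl="false" >
          <includePermissionGroup type="cm:cmobject" permissionGroup="Consumer"/>
          <includePermissionGroup type="sys:base" permissionGroup="Write"/>
          <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>
      </permissionGroup>
     
      <!-- The Consumer permission allows read to everything by default.                  -->
      <permissionGroup name="Consumer" allowFullControl="false" expose="true" >
          <includePermissionGroup permissionGroup="ReadProperties" type="sys:base" />
          <includePermissionGroup permissionGroup="ReadContent" type="sys:base" />
      </permissionGroup>
     
      <!-- Guest is simply the sys:base Read group. Consumer above is spelled out as    -->
      <!-- ReadProperties plus ReadContent; check how Read is composed in sys:base      -->
      <!-- before treating the two as equivalent. Anything granted Guest to the guest    -->
      <!-- authority should be considered publicly readable.                           -->
      <permissionGroup name="Guest" allowFullControl="false" expose="true" >
          <includePermissionGroup permissionGroup="Read" type="sys:base" />
      </permissionGroup>
     
      <!-- records permission -->
      <!-- Should be tied to the aspect -->
      <!-- ownership should be removed when using this permission -->
      <!-- Not exposed, so it is granted programmatically rather than from the UI.      -->
      <!-- It carries write and delete rights but, unlike Coordinator, no full control. -->
      <permissionGroup name="RecordAdministrator" allowFullControl="false" expose="false">
          <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
          <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
          <includePermissionGroup type="sys:base" permissionGroup="WriteProperties"/>
          <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
          <includePermissionGroup type="sys:base" permissionGroup="DeleteChildren"/>
          <includePermissionGroup type="sys:base" permissionGroup="CreateChildren"/>
          <includePermissionGroup type="sys:base" permissionGroup="LinkChildren"/>
          <includePermissionGroup type="sys:base" permissionGroup="DeleteAssociations"/>
          <includePermissionGroup type="sys:base" permissionGroup="CreateAssociations"/>
      </permissionGroup>
      
   </permissionSet>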
  
   <!– =============================== –>
   <!– Permissions specific to content –>
   <!– =============================== –>
  
   <permissionSet type="cm:content" expose="selected">

      <!– Content specific roles.                                                       –>
     
      <permissionGroup name="Coordinator" extends="true" expose="true"/>
      <permissionGroup name="Collaborator" extends="true" expose="true"/>
      <permissionGroup name="Contributor" extends="true" expose="true"/>
      <permissionGroup name="Editor" extends="true" expose="true"/>
      <permissionGroup name="Consumer" extends="true" expose="true"/>
      <permissionGroup name="RecordAdministrator" extends="true" expose="false"/>
     
   </permissionSet>

Creating users and configuring their authentication credentials also requires the right method-level permissions. These are defined in /tomcat/webapps/alfresco/WEB-INF/classes/alfresco/public-services-security-context.xml; the relevant section is below. NB: you need to enable access to createPerson and createAuthentication (and possibly createAuthority). Do this by adding an ACL_METHOD entry for a dedicated authority (for example a group created for user administration) alongside the existing ACL_METHOD.ROLE_ADMINISTRATOR, not by changing those lines to ACL_ALLOW, which would let every authenticated user create accounts. Open only the methods the new role genuinely needs: the same ROLE_ADMINISTRATOR tag also guards setAuthentication, deleteAuthentication and setAuthenticationEnabled, and a role that can set or delete credentials for arbitrary accounts is effectively an administrator, since it could reset the admin password. The acegi attribute list is comma-separated and the decision manager grants on the first affirmative vote in the stock configuration, but verify that against your accessDecisionManager bean before relying on it.

    <!– ===================== –>
    <!– The Authority Service –>
    <!– ===================== –>

    <!– This service currently has no restrictions.                                     –>

    <bean id="AuthorityService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
        <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
        <property name="objectDefinitionSource">
            <value>
                org.alfresco.service.cmr.security.AuthorityService.hasAdminAuthority=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthorityService.getAuthorities=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthorityService.getAllAuthorities=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthorityService.getAllRootAuthorities=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthorityService.createAuthority=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthorityService.addAuthority=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthorityService.removeAuthority=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthorityService.deleteAuthority=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthorityService.getContainedAuthorities=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthorityService.getContainingAuthorities=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthorityService.getShortName=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthorityService.getName=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthorityService.authorityExists=ACL_METHOD.ROLE_ADMINISTRATOR
            org.alfresco.service.cmr.security.AuthorityService.getAuthoritiesForUser=ACL_METHOD.ROLE_ADMINISTRATOR
            </value>
        </property>
    </bean>

   <!– =============================================== –>
   <!– The Authentication Service security interceptor –>
   <!– =============================================== –>

   <!– NOTE: Authentication is excluded as it sets or clears authentication –>
   <!– The same for validate ticaket –>
   <!– Update authentication checks internally –>
   <bean id="AuthenticationService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
        <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
        <property name="objectDefinitionSource">
            <value>
                org.alfresco.service.cmr.security.AuthenticationService.createAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthenticationService.updateAuthentication=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthenticationService.setAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthenticationService.deleteAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthenticationService.setAuthenticationEnabled=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthenticationService.getAuthenticationEnabled=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthenticationService.authenticationExists=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthenticationService.getCurrentUserName=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthenticationService.invalidateUserSession=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthenticationService.invalidateTicket=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthenticationService.getCurrentTicket=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthenticationService.clearCurrentSecurityContext=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthenticationService.isCurrentUserTheSystemUser=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthenticationService.guestUserAuthenticationAllowed=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthenticationService.getDomains=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthenticationService.getDomainsThatAllowUserCreation=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthenticationService.getDomainsThatAllowUserDeletion=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthenticationService.getDomiansThatAllowUserPasswordChanges=ACL_METHOD.ROLE_ADMINISTRATOR
            </value>
        </property>
    </bean>

    <!– =================== –>
    <!– The Ownable Service –>
    <!– =================== –>

    <!– This service currently has no restrictions.                                     –>
    <!– TODO: respect the permissions on the ownable service                            –>

    <bean id="OwnableService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
        <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
        <property name="objectDefinitionSource">
            <value>
                org.alfresco.service.cmr.security.OwnableService.getOwner=ACL_NODE.0.sys:base.ReadProperties
                org.alfresco.service.cmr.security.OwnableService.setOwner=ACL_NODE.0.cm:ownable.SetOwner
                org.alfresco.service.cmr.security.OwnableService.takeOwnership=ACL_NODE.0.cm:ownable.TakeOwnership
                org.alfresco.service.cmr.security.OwnableService.hasOwner=ACL_NODE.0.sys:base.ReadProperties
         </value>
        </property>
    </bean>


    <!– Person Service –>

     <bean id="PersonService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
        <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
        <property name="objectDefinitionSource">
            <value>
                org.alfresco.service.cmr.security.PersonService.getPerson=AFTER_ACL_NODE.sys:base.ReadProperties
                org.alfresco.service.cmr.security.PersonService.personExists=ACL_ALLOW
                org.alfresco.service.cmr.security.PersonService.createMissingPeople=ACL_ALLOW
                org.alfresco.service.cmr.security.PersonService.setCreateMissingPeople=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.PersonService.getMutableProperties=ACL_ALLOW
                org.alfresco.service.cmr.security.PersonService.setPersonProperties=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.PersonService.isMutable=ACL_ALLOW
                org.alfresco.service.cmr.security.PersonService.createPerson=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.PersonService.deletePerson=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.PersonService.getAllPeople=ACL_ALLOW
                org.alfresco.service.cmr.security.PersonService.getPeopleContainer=ACL_ALLOW
                org.alfresco.service.cmr.security.PersonService.getUserNamesAreCaseSensitive=ACL_ALLOW
                org.alfresco.service.cmr.security.PersonService.getUserIdentifier=ACL_ALLOW
         </value>
        </property>
    </bean>