Hyland Connect

hsjawanda · ‎12-07-2005

Hi,

I wasn't sure which forum to post this message in… just trying it here.

I was thinking of using the infrastructure provided in Alfresco code to implement my security stuff. The plan was that I'll have my own means of creating and managing users, and I will only need to give the PermissionService a username, and a NodeRef to get/set permissions.

Then I realized that there is no real implementation of the permissions service (I could only find). If I have to roll my own permissions service, where do I store the permissions? What do I have to do to make inheritance work?

I am currently using v1.0. Does v1.1 have actual implementations for PermissionService and others? When, if ever, will the security-related implementations make it into the open-source version?

Thanks.

andy · ‎12-08-2005

Hi

The open 1.1 release has a permission service implementation.
It includes inheritance and persists to hibernate.

You need to create your own authentiation component and DAO and wire these up to manage users yourself.

See
http://www.alfresco.org/mediawiki/index.php/Security_and_Authentication

Out of curiosity, how are you intending to manage users?

Regards

Andy

hsjawanda · ‎12-09-2005

Out of curiosity, how are you intending to manage users?

Well, we already have a means of creating users in a database. I was thinking that I would only need the username to wire my stuff into Alfresco's PermissionService. Also, we are already doing authentication (only) using this database.

andy · ‎12-12-2005

Hi

Sounds good to me.

Regards

Andy

hsjawanda · ‎12-15-2005

Hi Andy,

I'd read that wiki earlier, and I've been reading it since. I still have some questions (or issues I want to get confirmed) :-)…

From the wiki (Security_and_Authentication😞

'Deny takes precidence. If "bob" is a member of the group "rats" and "bob" is allowed "read" and "rats" is denied "read" then "bob" will be allowed read. Any allow allows access, as opposed to a single deny denies all as used by the microsoft file systems.'

Shouldn't the part '"bob" will be allowed read' actually say that he will not be allowed to read (since deny takes precedence).

Also:

'Each permission or grouping of permissions applies only in the context of a type or aspect or to all types.'

Does this mean that I can define permissions perm1 and perm2 such that perm1 is only applicable to folders and perm2 is only applicable to assets?

Some clarifications:

Usernames, role names and group names are different types of authorities, correct?

If a (type of) permission is not explicitly defined on a node, and it either doesn't inherit permissions or none of its parents defines that particular permission, then the permission is assumed to be denied, correct? For example, if there's an asset node that doesn't have READ permission defined for any user, and it doesn't inherit permissions – then that means that everybody is denied READ permission on that node.

What does PermissionService.ALL_AUTHORITIES mean (or would it be more correct to ask when is it used)?

PermissionService#getOwnerAuthority() seems to imply that roles and groups can also be owners. Is that so?

The implementation of the PermissionService seems tied closely to the authentication component (all of the methods that require an authority get it from the authentication component, instead of getting it as a method parameter), so does this mean that I can't use PermissionServiceImpl stand-alone, that I will have to use the whole shebang or none at all?

I had been hoping that I could just pass in the username (or group- or role-name), NodeRef and permission type to the PermissionService, and get a decision on whether the user has permissions on the node in question.

Thanks for all your help and patience.

andy · ‎12-19-2005

Hi


Shouldn't the part '"bob" will be allowed read' actually say that he will not be allowed to read (since deny takes precedence). 
‍‍‍

The example is correct

Bob is in group Rats.

Rats is denied read on a folder
Bob is allowed read on a folder….

Bob has access as ANY ALLOW ALLOWS….

If Rats is given read access to the parent folder (the folder inherits) then Rats will not have access as a result of the deny. Deny takes precedence. Bob will still have access.
Rats will have access to the parent folder.

You can have permissions linked to type, if that makes sense to you.
As an example, we have ownership permissions that relate to the Ownable aspect and service.

UserNames and Groups are authorities

Permissions and PermissionGroups are Permissions

Roles are confused generally. In the Alfresco UI we mean convenient groups of permissions, and is therefore a permission. In other systems it is an authority. You can do the latter if you want but I would not recommend it.

ALL_AUTHORITIES is there for when you want to assign permissions to everyone( except guest - which will be coming soon ….)

Owner is a dynamic authority. The permission service will give you the reserved name. When evaluating permissions, for read for example, if any of the authorities you are granted have read you are in. That is your user name authority , group authorities , and maybe the owner authority - if you are dynamically evaluated to be the owner of the object.

Authentication means putting the valid user in a thread local security context. It is also used by auditing etc. You should set this up correctly and there is a method on AbstractAuthenticationComponent to help.
The same class supports reading this thread local information when required. The permissions are evaluated for the "current user" for this security context. You coud always force a context switch.

Regards

Andy

Hyland Connect

Using security features