Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Hyland Connect
- Enterprise Platforms
- Alfresco
- Alfresco Blog
- Access Control Lists V1
resplin
Elite Collaborator
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
06-05-2015
07:40 PM
Obsolete Pages{{Obsolete}}
The official documentation is at: http://docs.alfresco.com
Table of Contents
Permissions
Permissions and roles are defined in an XML configuration file. They apply in the context of a particular type or aspect. These permissions and roles can be bound to authorities (groups and users) in two ways.
Firstly, as global permission definitions, in which a permission or role is simple assigned to an authority. This assignment is valid regardless of any context, and regardless of any permissions assigned to the authority in that context (ACLs). If you were to assign the 'Consumer' role to 'GROUP_EVERYONE' then everyone would be able to read content regardless of any specific permissions set on a node for this authority or how permission are inherited for the node. Global permissions are currently assigned in the same XML file as the permission model.
Secondly, there are ACLs where a permission or role is granted or denied to a given authority for a given node. By default, an ACL entry is inherited by all children of the node.
Permissions and roles are enforced at the node level. This is best explained by considering 'Read' permission. Due to interactions with search (which indexes information at the node level) it makes sense that all properties have the same read access as the node. (If not, the values of properties could be deduced by how a readable node was found from a search on restricted properties). If you require finer grained permission for properties this can be achieved by using sub-nodes to partition those properties. Permissions that affect mutability could be enforced at the attribute level but they are not.
Applying read ACLs at the property level would require a change to the indexing implementation or a complex post analysis to work out how nodes were matched in the search and to remove properties that should not be seen. This could be done by integrating permissions in the lucene search. For example, defining a lucene query object that supports permission checks and wrapping all properties that can support specific ALCs with the normal query and a permission query.
The best compromise is to index as we are now but only allow different read access for properties that are not indexed - so their content can not be determined via query. Alternatively, only index properties etc that have the same access permissions as the node.
In both cases the content can not be determined from the index. We could have additional indexing to support searching against these restricted properties.
Types and Aspects
Types and aspects define the permissions that are associated with them in XML configuration files. This is separate to the data dictionary and can be regarded as an augmentation.
In the alfresco implementation, a permission or role is defined by a name scoped by the fully qualified name of the type or aspect.
The permissions and roles available will depend on the node types and what aspects have been applied to the node.
Grouping of permissions into Roles
We support collections of permissions as roles. These definitions are defined in XML.
Some role assignments are dynamic; such as giving the owner of a node a particular role. In this case there is a dynamic authority. When a permision check is carried out an evalutaion takes place to determine if the current user owns the node. If they do, they get assigned the owner authority and therefore they have any roles and permissions assigned to the owner authority.
Permission and role checks are coaaried out against the actual permission required. To have the role of Contributor you only need the permissions it comprises. You do not need to be explicitly assigned that role - if you have enough permission - by whatever means - you have the role.
ACLs
An ACL
- allows or denies deny access
for a given
- authority - user or group
for
- a given permission or role.
There is a group that includes all user except guest. Assigning some roles may grant all rights.
By default permissions are inherited from the parent unless this is explicitly denied.
Java Doc
Voters
- RoleVoter - use Acegi
- ACLEntryVoter
- ACLEntryAfterInvocationProvider
RoleVoter
ACLEntryVote recognises:
- StoreRef - use root node;
- NodeRef - use node ref;
- ChildAssocRef - use child node ref;
for extracting the context node.
ACLEntryAfterInvocationProvider recognises:
- StoreRef - use root node;
- NodeRef - use node ref;
- ChildAssocRef - use child node ref;
- FileInfo;
- ResultSet;
- Collection;
- Object[];
For applying security to return parameters of function calls.
Performance
- Initially rely on the L2 cache (done)
- Cache permission evaluations (done)
- Implement a bridge table
- parent
- child
- isLeaf
- isTop
- level
- hasPermissionEntries
- parent
- Cache and preload directory entries that have permissions set
- Implement read permission checks as part fo teh query which could also support property level security
Implementation
- Store node permissions in hibernate
- Define permissions model in xml
- Usename, role group mappings via hibernate
Labels:
Related Content
- Alfresco Dockerfiles Bakery: Streamlining Container Builds for Alfresco Products in Alfresco Blog
- Summarization of textual content in Alfresco repository with Amazon Bedrock in Alfresco Blog
- Impossible to assign a system group to a Space Template access list in Alfresco Forum
- Alfresco 7.4.0.1 - Docker compose in Alfresco Forum
- Security Headers in Alfresco Forum
