ACLs on a content type and metadata basis

ranjeetsi
Star Contributor

Hi all,

We can have ACLs on the basis of folders in Alfresco, but we need to have an ACL (allow and deny content access) requirement.

For a user OR group:

a) How can we restrict (allow or deny) access to a content type or folder type (defined in the content model)? For example, claim is a document type in the content model, and expense report is another content type.

b) How can we allow or deny content access on the basis of metadata properties? For example, if the metadata says sensitive=true, then deny access to all and allow access only to admin. If the sensitive value is set to false, then the content can be accessible by a service user/group.

Note: We can set permissions on a content/folder type, but the minimum permission is Consumer, and then the content can be read/accessed.

Please suggest.

Alfresco Content Services Certified Engineer (ACSCE)
1 ACCEPTED ANSWER

afaust
Legendary Innovator

Alfresco does not support this kind of ACL management out-of-the-box with any of its high-level services. There aren't even any (simple) alternative approaches that I could readily recommend, due to them being untested/unverified and having potentially significant side effects on other parts of the application. Technically, something like this "should" be possible if one were to hijack the low-level handling of ACL inheritance via behaviours / service extensions, but for the reasons stated I won't go into any details about this idea of mine...

A rather simple / limited solution I implemented for a customer of mine once handled a somewhat similar requirement by adding a service extension for the permission service, which post-processed a metadata check for the custom sensitive state after the basic read permission had already been checked, and another service extension to the search service, which transparently rewrote FTS / CMIS queries to include filter queries for the relevant metadata, so that the query already selected only the accessible nodes and there was no need for any further post-processing.

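To make the two-part approach in the accepted answer concrete, here is an added example (written for this page; it is neither afaust's customer code nor anything shipped by Alfresco) of the two service extensions as Spring AOP method interceptors. It assumes a custom content model with namespace URI http://www.example.com/model/acme/1.0, prefix acme and a boolean property acme:sensitive, and it assumes you wire PermissionInterceptor into the public PermissionService bean and SearchInterceptor into the public SearchService bean from your module's Spring context; the class and package names are hypothetical. The permission interceptor lets the stock ACL evaluation run first and only then overrides an ALLOWED verdict with DENIED for non-admins when the node is flagged sensitive, which matches "deny access to all, allow only admin". The search interceptor rewrites Alfresco FTS queries so that flagged nodes never appear in result sets in the first place, because search results are filtered by the index's ACL data, not by the permission interceptor.

```java
package com.example.acl; // hypothetical package for this added example

import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.search.SearchParameters;
import org.alfresco.service.cmr.search.SearchService;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.namespace.QName;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;

/**
 * Shared rule for both interceptors: a node is locked down for the current user
 * when acme:sensitive == true and the user is not an administrator.
 * The "acme" model, its namespace URI and the property are assumptions of this example.
 */
public class SensitiveNodeGuard {
    public static final String ACME_URI = "http://www.example.com/model/acme/1.0";
    public static final QName PROP_SENSITIVE = QName.createQName(ACME_URI, "sensitive");

    private NodeService nodeService;
    private AuthorityService authorityService;

    public void setNodeService(NodeService nodeService) { this.nodeService = nodeService; }
    public void setAuthorityService(AuthorityService authorityService) { this.authorityService = authorityService; }

    public boolean isAdmin() {
        return authorityService.hasAdminAuthority();
    }

    public boolean isLockedDownFor(final NodeRef nodeRef) {
        if (isAdmin()) {
            return false;
        }
        // Read the flag as the system user: the property lookup must neither re-enter the
        // permission interceptor (infinite recursion) nor depend on the permission we may deny.
        Boolean sensitive = AuthenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork<Boolean>() {
            @Override
            public Boolean doWork() {
                if (!nodeService.exists(nodeRef)) {
                    return Boolean.FALSE;
                }
                return Boolean.TRUE.equals(nodeService.getProperty(nodeRef, PROP_SENSITIVE));
            }
        });
        return sensitive.booleanValue();
    }

    /** Post-processes PermissionService.hasPermission(NodeRef, String) and hasReadPermission(NodeRef). */
    public static class PermissionInterceptor implements MethodInterceptor {
        private SensitiveNodeGuard guard;
        public void setGuard(SensitiveNodeGuard guard) { this.guard = guard; }

        @Override
        public Object invoke(MethodInvocation mi) throws Throwable {
            Object result = mi.proceed(); // the stock ACL evaluation runs first, unchanged
            String method = mi.getMethod().getName();
            boolean isCheck = "hasPermission".equals(method) || "hasReadPermission".equals(method);
            Object[] args = mi.getArguments();
            // The aclID-based hasPermission overload has a Long first argument and is left alone.
            if (isCheck && result == AccessStatus.ALLOWED
                    && args.length > 0 && args[0] instanceof NodeRef
                    && guard.isLockedDownFor((NodeRef) args[0])) {
                return AccessStatus.DENIED; // metadata overrides an ACL that said ALLOWED
            }
            return result;
        }
    }

    /** Rewrites SearchService.query(SearchParameters) so locked-down nodes never match. */
    public static class SearchInterceptor implements MethodInterceptor {
        private SensitiveNodeGuard guard;
        public void setGuard(SensitiveNodeGuard guard) { this.guard = guard; }

        @Override
        public Object invoke(MethodInvocation mi) throws Throwable {
            Object[] args = mi.getArguments();
            if ("query".equals(mi.getMethod().getName())
                    && args.length == 1 && args[0] instanceof SearchParameters
                    && !guard.isAdmin()) {
                SearchParameters sp = (SearchParameters) args[0];
                // Only Alfresco FTS is handled here; CMIS and the other query(...) overloads
                // pass through unchanged and need their own rewrite before this is complete.
                if (SearchService.LANGUAGE_FTS_ALFRESCO.equals(sp.getLanguage())) {
                    sp.setQuery("(" + sp.getQuery() + ") AND NOT acme:sensitive:true");
                }
            }
            return mi.proceed();
        }
    }
}
```

Two checks are worth doing before relying on this in production. First, confirm that every read path you care about actually goes through the intercepted bean: permission post-filtering of method results and index-side ACL filtering do not call `hasPermission` on the public bean, which is exactly why the answer pairs the permission extension with a query rewrite. Second, test the non-admin case with both a direct node fetch and a search, since a sensitive node that is hidden from one but not the other is the side effect the answer warns about.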

3 REPLIES

ranjeetsi
Star Contributor

Thanks Alex for the suggestion.

I had found some links, so I thought I'd ask for your suggestion on them:

https://docs.alfresco.com/5.2/concepts/secur-permissions.html

https://docs.alfresco.com/6.1/references/dev-extension-points-permissions.html

Alfresco Content Services Certified Engineer (ACSCE)

ranjeetsi
Star Contributor

Hi Alex,

Thanks for your response!

Question:

For the extension in the permission service, the extension has to check the user/group against which it has to filter or provide access, so the user/group has to be validated?

In that case, does this have to be hardcoded in the code for checking a user's/group's access?

For example:

A finance user needs to have access to invoices only. So where can we do the mapping so that it can be used in the code?

thanks,

Ranjeet

Alfresco Content Services Certified Engineer (ACSCE)