12-17-2020 11:51 PM
Hi all,
We can have ACLs on the basis of folders in Alfresco, but we need to have an ACL (allow and deny content access) requirement.
For a user OR group:
a) How can we allow or deny access to a content type or folder type (defined in the content model)? For example, claim is a document type in the content model, and expense report is a content type.
b) How can we allow or deny content access on the basis of metadata properties? For example, if the metadata says sensitive=true, then deny access to all and allow access only to admin. If the sensitive value is made false, then the content can be accessed by a service user / group.
Note: We can set permissions on a content/folder type, but the minimum permission is Consumer, and the content can then be read/accessed.
Please suggest.
12-22-2020 12:35 PM
Alfresco does not support this kind of ACL management out-of-the-box with any of its high-level services. There aren't even any (simple) alternative approaches that I could readily recommend, due to their being untested/unverified and having potentially significant side effects on other parts of the application. Technically, something like this "should" be possible if one were to hijack the low-level handling of ACL inheritance via behaviours / service extensions, but for the reasons stated I won't go into any details about this idea of mine...
A rather simple / limited solution I implemented for a customer of mine once handled a somewhat similar requirement by adding a service extension for the permission service, which post-processed a metadata check for the custom sensitive state after the basic read permission was already checked, and another service extension to the search service which transparently rewrote FTS / CMIS queries to include filter queries for the relevant metadata, so that the query already selected only the accessible nodes and there was no need for any further post-processing.
12-22-2020 12:46 PM
Thanks Alex for the suggestion.
I had found some links, so I thought I would ask for your suggestion:
https://docs.alfresco.com/5.2/concepts/secur-permissions.html
https://docs.alfresco.com/6.1/references/dev-extension-points-permissions.html
12-22-2020 03:20 PM
Hi Alex,
Thanks for your response!
Question:
For the extension in the Permission service, the extension has to check the user/group against which it has to filter or provide access, so the user/group has to be validated?!
In that case, does this have to be hardcoded in the code for checking a user/group's access?
For example:
A finance user needs to have access to invoices only. So where can we do the mapping so that it can be used in the code?
thanks,
Ranjeet
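A sketch of the permission post-check Alex describes above, also showing where the group-to-content-type mapping Ranjeet asks about can live (injected configuration rather than hardcoded strings). This is an added example, not code from the thread or from Alfresco itself; the class name, the custom model namespace and the `sensitive` property QName are assumptions, and the Spring wiring that places it in front of the standard permission service, as well as the search-side query rewriting, are not shown.

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.QName;

/**
 * Hypothetical metadata post-check layered on top of the normal ACL check.
 * The standard permission service runs first; this class can only further
 * DENY access, it never grants anything the ACL did not already allow.
 */
public class MetadataAccessCheck {

    // Assumed custom model namespace and property name (placeholders, not from the thread).
    private static final String CUSTOM_URI = "http://www.example.com/model/content/1.0";
    private static final QName PROP_SENSITIVE = QName.createQName(CUSTOM_URI, "sensitive");

    private final PermissionService permissionService; // Alfresco's own service, injected
    private final NodeService nodeService;
    private final AuthorityService authorityService;
    // Content type -> group authorities allowed to read it, e.g. {invoice type -> {"GROUP_finance"}}.
    // Loaded from configuration (properties file / Spring bean), so nothing is hardcoded here.
    private final Map<QName, Set<String>> readersByType;

    public MetadataAccessCheck(PermissionService permissionService, NodeService nodeService,
            AuthorityService authorityService, Map<QName, Set<String>> readersByType) {
        this.permissionService = permissionService;
        this.nodeService = nodeService;
        this.authorityService = authorityService;
        this.readersByType = readersByType;
    }

    public AccessStatus hasReadAccess(NodeRef node) {
        // 1. The ACL decides first; a denial there is final (Consumer is still the floor).
        if (permissionService.hasPermission(node, PermissionService.READ) != AccessStatus.ALLOWED) {
            return AccessStatus.DENIED;
        }
        String user = AuthenticationUtil.getRunAsUser();
        if (authorityService.isAdminAuthority(user)) {
            return AccessStatus.ALLOWED; // admin always sees everything, including sensitive content
        }
        // 2. sensitive=true denies everyone except admin; false (or unset) falls through to the ACL.
        Serializable sensitive = nodeService.getProperty(node, PROP_SENSITIVE);
        if (Boolean.TRUE.equals(sensitive)) {
            return AccessStatus.DENIED;
        }
        // 3. Type rule: only governed types are restricted; the user needs one of the mapped groups.
        Set<String> permittedGroups = readersByType.get(nodeService.getType(node));
        if (permittedGroups == null) {
            return AccessStatus.ALLOWED; // type not governed by the mapping, ACL decision stands
        }
        Set<String> authorities = authorityService.getAuthoritiesForUser(user);
        return Collections.disjoint(permittedGroups, authorities) ? AccessStatus.DENIED : AccessStatus.ALLOWED;
    }
}
```

Because this check runs only after the ACL and only tightens the result, an unmapped type or a misconfigured mapping degrades to the normal Alfresco behaviour rather than opening access; search results still need the query-side filter Alex mentions, or restricted nodes will appear in result counts even though they cannot be opened.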