Hyland Connect

mahesh_alfresco · ‎08-08-2017

When I try to search and adding User on the site, it shows following error:

11150004 Wrapped Exception (with status template): 11150008 Failed to execute script 'classpath*:alfresco/templates/webscripts/org/alfresco/repository/site/membership/potentialmembers.get.js': 11150007 Access Denied. You do not have the appropriate permissions to perform this operation.

When i try "Start Workflow" > New Task > Assign To

It shows the following Error:

org.alfresco.repo.security.permissions.AccessDeniedException: 11150012 Access Denied. You do not have the appropriate permissions to perform this operation.

afaust · ‎08-16-2017

You need to provide more information, e.g. the full stack trace / log output for your errors, or otherwise it is quite hard to help you. Did you make sure you are in the proper user groups / have the correct roles for the operations you tried to perform? Which Alfresco version are you using? Are you using any 3rd-party addons? More details help get replies quicker - without needing to double post...

mahesh_alfresco · ‎08-25-2017

Hi,

I am using alfresco 5.2.0. I migrated from 4.2.0. In earlier version i could add user send workflow etc easily.

In migrated version 5.2.0 i am unable to select the user name in both the cases.. Following the output of alfresco.log

2017-08-26 14:50:50,074 ERROR [org.springframework.extensions.webscripts.AbstractRuntime] [http-apr-8081-exec-3] Exception from executeScript - redirecting to status template error: 07260006 Wrapped Exception (with status template): 07260013 Failed to execute script 'classpath*:alfresco/templates/webscripts/org/alfresco/repository/site/membership/potentialmembers.get.js': 07260012 Access Denied. You do not have the appropriate permissions to perform this operation.
org.springframework.extensions.webscripts.WebScriptException: 07260006 Wrapped Exception (with status template): 07260013 Failed to execute script 'classpath*:alfresco/templates/webscripts/org/alfresco/repository/site/membership/potentialmembers.get.js': 07260012 Access Denied. You do not have the appropriate permissions to perform this operation.
   at org.springframework.extensions.webscripts.AbstractWebScript.createStatusException(AbstractWebScript.java:1138)
   at org.springframework.extensions.webscripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:171)
   at org.alfresco.repo.web.scripts.RepositoryContainer$3.execute(RepositoryContainer.java:505)
   at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:457)
   at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecute(RepositoryContainer.java:580)
   at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecuteAs(RepositoryContainer.java:649)
   at org.alfresco.repo.web.scripts.RepositoryContainer.executeScriptInternal(RepositoryContainer.java:421)
   at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:301)
   at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:382)
   at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:210)
   at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(WebScriptServlet.java:132)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:61)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
   at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
   at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
   at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2403)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
   at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
   at java.lang.Thread.run(Thread.java:745)
Caused by: org.alfresco.scripts.ScriptException: 07260013 Failed to execute script 'classpath*:alfresco/templates/webscripts/org/alfresco/repository/site/membership/potentialmembers.get.js': 07260012 Access Denied. You do not have the appropriate permissions to perform this operation.
   at org.alfresco.repo.jscript.RhinoScriptProcessor.execute(RhinoScriptProcessor.java:204)
   at org.alfresco.repo.processor.ScriptServiceImpl.execute(ScriptServiceImpl.java:212)
   at org.alfresco.repo.processor.ScriptServiceImpl.executeScript(ScriptServiceImpl.java:174)
   at org.alfresco.repo.web.scripts.RepositoryScriptProcessor.executeScript(RepositoryScriptProcessor.java:102)
   at org.springframework.extensions.webscripts.AbstractWebScript.executeScript(AbstractWebScript.java:1376)
   at org.springframework.extensions.webscripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:86)
   ... 33 more
Caused by: org.alfresco.repo.security.permissions.AccessDeniedException: 07260012 Access Denied. You do not have the appropriate permissions to perform this operation.
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:50)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:159)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96)
   at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260)
   at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
   at com.sun.proxy.$Proxy78.getAuthenticationEnabled(Unknown Source)
   at org.alfresco.repo.jscript.People.isAccountEnabled(People.java:400)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:497)
   at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
   at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
   at org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:32)
   at org.mozilla.javascript.gen.classpath__alfresco_templates_webscripts_org_alfresco_repository_site_membership_potentialmembers_get_js_20._c_main_1(classpath*:alfresco/templates/webscripts/org/alfresco/repository/site/membership/potentialmembers.get.js:44)
   at org.mozilla.javascript.gen.classpath__alfresco_templates_webscripts_org_alfresco_repository_site_membership_potentialmembers_get_js_20.call(classpath*:alfresco/templates/webscripts/org/alfresco/repository/site/membership/potentialmembers.get.js)
   at org.mozilla.javascript.optimizer.OptRuntime.callName0(OptRuntime.java:74)
   at org.mozilla.javascript.gen.classpath__alfresco_templates_webscripts_org_alfresco_repository_site_membership_potentialmembers_get_js_20._c_script_0(classpath*:alfresco/templates/webscripts/org/alfresco/repository/site/membership/potentialmembers.get.js:99)
   at org.mozilla.javascript.gen.classpath__alfresco_templates_webscripts_org_alfresco_repository_site_membership_potentialmembers_get_js_20.call(classpath*:alfresco/templates/webscripts/org/alfresco/repository/site/membership/potentialmembers.get.js)
   at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
   at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
   at org.mozilla.javascript.gen.classpath__alfresco_templates_webscripts_org_alfresco_repository_site_membership_potentialmembers_get_js_20.call(classpath*:alfresco/templates/webscripts/org/alfresco/repository/site/membership/potentialmembers.get.js)
   at org.mozilla.javascript.gen.classpath__alfresco_templates_webscripts_org_alfresco_repository_site_membership_potentialmembers_get_js_20.exec(classpath*:alfresco/templates/webscripts/org/alfresco/repository/site/membership/potentialmembers.get.js)
   at org.alfresco.repo.jscript.RhinoScriptProcessor.executeScriptImpl(RhinoScriptProcessor.java:502)
   at org.alfresco.repo.jscript.RhinoScriptProcessor.execute(RhinoScriptProcessor.java:200)
   ... 38 more
Caused by: net.sf.acegisecurity.AccessDeniedException: Access is denied.
   at net.sf.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:86)
   at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:398)
   at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:46)
   ... 66 more
2017-08-26 14:57:42,141 ERROR [org.springframework.extensions.webscripts.AbstractRuntime] [http-apr-8081-exec-3] Exception from executeScript - redirecting to status template error: 07260007 Wrapped Exception (with status template): 07260020 Failed to execute script 'classpath*:alfresco/templates/webscripts/org/alfresco/repository/site/membership/potentialmembers.get.js': 07260019 Access Denied. You do not have the appropriate permissions to perform this operation.
org.springframework.extensions.webscripts.WebScriptException: 07260007 Wrapped Exception (with status template): 07260020 Failed to execute script 'classpath*:alfresco/templates/webscripts/org/alfresco/repository/site/membership/potentialmembers.get.js': 07260019 Access Denied. You do not have the appropriate permissions to perform this operation.
   at org.springframework.extensions.webscripts.AbstractWebScript.createStatusException(AbstractWebScript.java:1138)
   at org.springframework.extensions.webscripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:171)
   at org.alfresco.repo.web.scripts.RepositoryContainer$3.execute(RepositoryContainer.java:505)
   at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:457)
   at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecute(RepositoryContainer.java:580)
   at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecuteAs(RepositoryContainer.java:649)
   at org.alfresco.repo.web.scripts.RepositoryContainer.executeScriptInternal(RepositoryContainer.java:421)
   at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:301)
   at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:382)
   at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:210)
   at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(WebScriptServlet.java:132)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:61)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
   at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
   at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
   at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2466)
   at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2455)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
   at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
   at java.lang.Thread.run(Thread.java:745)
Caused by: org.alfresco.scripts.ScriptException: 07260020 Failed to execute script 'classpath*:alfresco/templates/webscripts/org/alfresco/repository/site/membership/potentialmembers.get.js': 07260019 Access Denied. You do not have the appropriate permissions to perform this operation.
   at org.alfresco.repo.jscript.RhinoScriptProcessor.execute(RhinoScriptProcessor.java:204)
   at org.alfresco.repo.processor.ScriptServiceImpl.execute(ScriptServiceImpl.java:212)
   at org.alfresco.repo.processor.ScriptServiceImpl.executeScript(ScriptServiceImpl.java:174)
   at org.alfresco.repo.web.scripts.RepositoryScriptProcessor.executeScript(RepositoryScriptProcessor.java:102)
   at org.springframework.extensions.webscripts.AbstractWebScript.executeScript(AbstractWebScript.java:1376)
   at org.springframework.extensions.webscripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:86)
   ... 34 more
Caused by: org.alfresco.repo.security.permissions.AccessDeniedException: 07260019 Access Denied. You do not have the appropriate permissions to perform this operation.
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:50)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:159)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96)
   at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260)
   at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
   at com.sun.proxy.$Proxy78.getAuthenticationEnabled(Unknown Source)
   at org.alfresco.repo.jscript.People.isAccountEnabled(People.java:400)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:497)
   at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
   at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
   at org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:32)
   at org.mozilla.javascript.gen.classpath__alfresco_templates_webscripts_org_alfresco_repository_site_membership_potentialmembers_get_js_20._c_main_1(classpath*:alfresco/templates/webscripts/org/alfresco/repository/site/membership/potentialmembers.get.js:44)
   at org.mozilla.javascript.gen.classpath__alfresco_templates_webscripts_org_alfresco_repository_site_membership_potentialmembers_get_js_20.call(classpath*:alfresco/templates/webscripts/org/alfresco/repository/site/membership/potentialmembers.get.js)
   at org.mozilla.javascript.optimizer.OptRuntime.callName0(OptRuntime.java:74)
   at org.mozilla.javascript.gen.classpath__alfresco_templates_webscripts_org_alfresco_repository_site_membership_potentialmembers_get_js_20._c_script_0(classpath*:alfresco/templates/webscripts/org/alfresco/repository/site/membership/potentialmembers.get.js:99)
   at org.mozilla.javascript.gen.classpath__alfresco_templates_webscripts_org_alfresco_repository_site_membership_potentialmembers_get_js_20.call(classpath*:alfresco/templates/webscripts/org/alfresco/repository/site/membership/potentialmembers.get.js)
   at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
   at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
   at org.mozilla.javascript.gen.classpath__alfresco_templates_webscripts_org_alfresco_repository_site_membership_potentialmembers_get_js_20.call(classpath*:alfresco/templates/webscripts/org/alfresco/repository/site/membership/potentialmembers.get.js)
   at org.mozilla.javascript.gen.classpath__alfresco_templates_webscripts_org_alfresco_repository_site_membership_potentialmembers_get_js_20.exec(classpath*:alfresco/templates/webscripts/org/alfresco/repository/site/membership/potentialmembers.get.js)
   at org.alfresco.repo.jscript.RhinoScriptProcessor.executeScriptImpl(RhinoScriptProcessor.java:502)
   at org.alfresco.repo.jscript.RhinoScriptProcessor.execute(RhinoScriptProcessor.java:200)
   ... 39 more
Caused by: net.sf.acegisecurity.AccessDeniedException: Access is denied.
   at net.sf.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:86)
   at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:398)
   at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:46)

Any guidance...?

Mahesh

mahesh_alfresco · ‎08-29-2017

Hi

Any guidance..?

afaust · ‎08-29-2017

It looks like there might be a bug in the security checks for the getAuthenticationEnabled method on the AuthenticationService - it tries to perform an ACL check but it does not have a node to check.

mahesh_alfresco · ‎08-29-2017

OK. Any way to short out this issue like doing changes in configuration file or so....?

afaust · ‎08-29-2017

You could fix it by a change to the AuthenticationService_Security bean defined inthe public-services-security-context.xml. Simply remove the AFTER_ACL... part for the method and you should be fine.

mahesh_alfresco · ‎08-30-2017

I searched the AFTER_ACL under bead id "AuthenticationService_Security" from custom-public-services-security-context.xml

But i did not find such TAG..... Please refer following.....

<bean id="AuthenticationService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
        <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
        <property name="objectDefinitionSource">
            <value>
                org.alfresco.service.cmr.security.MutableAuthenticationService.isAuthenticationMutable=ACL_ALLOW
                org.alfresco.service.cmr.security.MutableAuthenticationService.isAuthenticationCreationAllowed=ACL_ALLOW
                org.alfresco.service.cmr.security.MutableAuthenticationService.createAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.MutableAuthenticationService.updateAuthentication=ACL_ALLOW
                org.alfresco.service.cmr.security.MutableAuthenticationService.setAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.MutableAuthenticationService.deleteAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.MutableAuthenticationService.setAuthenticationEnabled=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthenticationService.getAuthenticationEnabled=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthenticationService.authenticationExists=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthenticationService.getCurrentUserName=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthenticationService.invalidateUserSession=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthenticationService.invalidateTicket=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthenticationService.getCurrentTicket=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthenticationService.clearCurrentSecurityContext=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthenticationService.isCurrentUserTheSystemUser=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthenticationService.guestUserAuthenticationAllowed=ACL_ALLOW
                org.alfresco.service.cmr.security.AuthenticationService.getDomains=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthenticationService.getDomainsThatAllowUserCreation=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthenticationService.getDomainsThatAllowUserDeletion=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.security.AuthenticationService.getDomiansThatAllowUserPasswordChanges=ACL_METHOD.ROLE_ADMINISTRATOR
            </value>
        </property>
    </bean>

Here is the full details in "custom-public-services-security-context.xml"

------------------------------------------------------------------------------------------------------------------------------------------------------------------

<?xml version="1.0" encoding="UTF-8" ?>

<!DOCTYPE beans (View Source for full doctype...)>

- <!--

 ==========================

-->

- <!--

 Enforcement of permissions

-->

- <!--

 ==========================

-->

- <!--

-->

- <!--

 This file defines the beans that intercept method calls to the repository services

-->

- <!--

 and enforce security based on the currently authenticated user.

-->

- <!--

-->

- <beans default-lazy-init="false" default-autowire="no" default-dependency-check="none">

- <!--

 =====================

-->

- <!--

 Permissions Model DAO

-->

- <!--

 =====================

-->

- <bean id="permissionsModelDAO" class="org.alfresco.repo.security.permissions.impl.model.PermissionModel" init-method="init" lazy-init="default" autowire="default" dependency-check="default">

- <property name="model">

<value>alfresco/model/permissionDefinitions.xml</value>

</property>

- <property name="dtdSchema">

<value>alfresco/model/permissionSchema.dtd</value>

</property>

- <property name="nodeService">

</property>

- <property name="dictionaryService">

</property>

</bean>

- <!--

 =======================

-->

- <!--

 Support for permissions

-->

- <!--

 ========================

-->

- <bean id="permissionService" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean" lazy-init="default" autowire="default" dependency-check="default">

- <property name="proxyInterfaces">

<value>org.alfresco.repo.security.permissions.PermissionServiceSPI</value>

</property>

- <property name="transactionManager">

</property>

- <property name="target">

</property>

- <property name="transactionAttributes">

- <props>

<prop key="*">${server.transaction.mode.default}</prop>

</props>

</property>

</bean>

- <!--

      <bean id="permissionServiceImpl" class="org.alfresco.repo.security.permissions.noop.PermissionServiceNOOPImpl" />

-->

- <bean id="permissionServiceImpl" class="org.alfresco.repo.security.permissions.impl.PermissionServiceImpl" init-method="init" lazy-init="default" autowire="default" dependency-check="default">

- <property name="nodeService">

</property>

- <property name="tenantService">

</property>

- <property name="dictionaryService">

</property>

- <property name="permissionsDaoComponent">

</property>

- <property name="modelDAO">

</property>

- <property name="authorityService">

</property>

- <property name="accessCache">

</property>

- <property name="readersCache">

</property>

- <property name="readersDeniedCache">

</property>

- <property name="policyComponent">

</property>

- <property name="aclDAO">

</property>

- <property name="ownableService">

</property>

- <property name="anyDenyDenies">

<value>${security.anyDenyDenies}</value>

</property>

- <property name="dynamicAuthorities">

- <list>

</list>

</property>

</bean>

- <!--

 ===================

-->

- <!--

 Dynamic Authorities

-->

- <!--

 ===================

-->

- <!--

 The provider to evaluate if the current authentication is the owner of a node.

-->

- <bean id="ownerDynamicAuthority" class="org.alfresco.repo.security.permissions.dynamic.OwnerDynamicAuthority" lazy-init="default" autowire="default" dependency-check="default">

</bean>

- <!--

 The provider to evaluate if the currfent authentication is the local owner on a node

-->

- <bean id="lockOwnerDynamicAuthority" class="org.alfresco.repo.security.permissions.dynamic.LockOwnerDynamicAuthority" lazy-init="default" autowire="default" dependency-check="default">

- <!--

 Done by bootstrap due to circular dependency

-->

- <!--

 <property name="checkOutCheckInService" ref="checkOutCheckInService" />

-->

- <property name="requiredFor">

- <list>

<value>Unlock</value>

<value>CheckIn</value>

<value>CancelCheckOut</value>

</list>

</property>

</bean>

- <!--

 ===========================

-->

- <!--

 Permissions Model Bootstrap

-->

- <!--

 ===========================

-->

- <bean id="permissionModelBootstrap" class="org.alfresco.repo.security.permissions.impl.model.PermissionModelBootstrap" abstract="true" init-method="init" lazy-init="default" autowire="default" dependency-check="default">

</bean>

- <!--

 ======

-->

- <!--

 Voters

-->

- <!--

 ======

-->

- <!--

 A voter to allow access base on the current authentication having authorities

-->

- <!--

 starting with the prefix "ROLE_"

-->

- <!--

 Any match grants

-->

- <bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter" abstract="false" singleton="true" lazy-init="default" autowire="default" dependency-check="default">

- <property name="rolePrefix">

</property>

</bean>

- <!--

 A voter to allow access base on the current authentication having authorities

-->

- <!--

 starting with the prefix "GROUP_"

-->

- <!--

 Any match grants

-->

- <bean id="groupVoter" class="net.sf.acegisecurity.vote.RoleVoter" abstract="false" singleton="true" lazy-init="default" autowire="default" dependency-check="default">

- <property name="rolePrefix">

<value>GROUP_</value>

</property>

</bean>

- <!--

 A voter to allow access based on node access control.

-->

- <!--

 These start ACL_NODE or ACL_PARENT and are followed by .methodArgumentPosition

-->

- <!--

 then object type (prefix:localname) . permission

-->

- <!--

-->

- <!--

 All permissions starting ACL_NODE and ACL_PARENT must be present for access to

-->

- <!--

 be granted.

-->

- <!--

-->

- <!--

 Note: ff the context evaluates to null (e.g. doing an exists test on a node

-->

- <!--

 that does not exist) then access will be allowed.

-->

- <bean id="aclEntryVoter" class="org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoter" abstract="false" singleton="true" lazy-init="default" autowire="default" dependency-check="default">

- <property name="permissionService">

</property>

- <property name="namespacePrefixResolver">

</property>

- <property name="nodeService">

</property>

- <property name="ownableService">

</property>

- <property name="authenticationService">

</property>

- <property name="authorityService">

</property>

</bean>

- <!--

 =======================

-->

- <!--

 Access decision manager

-->

- <!--

 =======================

-->

- <!--

 The access decision manager asks voters in order if they should allow access

-->

- <!--

 Role and group access do not require ACL based access

-->

- <bean id="accessDecisionManager" class="org.alfresco.repo.security.permissions.impl.acegi.AffirmativeBasedAccessDecisionManger" lazy-init="default" autowire="default" dependency-check="default">

- <property name="allowIfAllAbstainDecisions">

<value>false</value>

</property>

- <property name="decisionVoters">

- <list>

</list>

</property>

</bean>

- <!--

 ========================================

-->

- <!--

 Post method call application of security

-->

- <!--

 ========================================

-->

- <bean id="afterAcl" class="org.alfresco.repo.security.permissions.impl.acegi.ACLEntryAfterInvocationProvider" abstract="false" singleton="true" lazy-init="default" autowire="default" dependency-check="default">

- <property name="permissionService">

</property>

- <property name="namespacePrefixResolver">

</property>

- <property name="nodeService">

</property>

- <property name="authenticationService">

</property>

- <property name="maxPermissionCheckTimeMillis">

<value>${system.acl.maxPermissionCheckTimeMillis}</value>

</property>

- <property name="maxPermissionChecks">

<value>${system.acl.maxPermissionChecks}</value>

</property>

- <property name="optimisePermissionsCheck">

<value>${system.readpermissions.optimise}</value>

</property>

- <property name="optimisePermissionsBulkFetchSize">

<value>${system.readpermissions.bulkfetchsize}</value>

</property>

- <property name="anyDenyDenies">

<value>${security.anyDenyDenies}</value>

</property>

- <property name="postProcessDenies">

<value>${security.postProcessDenies}</value>

</property>

</bean>

- <!--

 Link up after method call security

-->

- <bean id="afterInvocationManager" class="net.sf.acegisecurity.afterinvocation.AfterInvocationProviderManager" lazy-init="default" autowire="default" dependency-check="default">

- <property name="providers">

- <list>

</list>

</property>

</bean>

- <!--

 ================================

-->

- <!--

 Beans that enforce secure access

-->

- <!--

 ================================

-->

- <!--

 Each bean defines a new methos security interceptor wired up with the

-->

- <!--

 authenticationManager, accessDecisionManager and afterInvocationManager, which

-->

- <!--

 can all be reused.

-->

- <!--

 If one method cal requires security enforcement - all methods must gave a

-->

- <!--

 security entry of some sort. ACL_ALLOW can be used to give access to all

-->

- <!--

 ROLE_ADMINISTRATOR can be used to grant access to administrator related methods

-->

- <!--

 The namespace service does not enforce any security requirements

-->

- <!--

 The dictionary service does not enforce any security requirements

-->

- <!--

 ========================

-->

- <!--

 Node service permissions

-->

- <!--

 ========================

-->

- <!--

 See the NodeService for the parameters required for each method call.

-->

- <!--

-->

- <!--

 getStores

-->

- <!--

      returns a list fo the stores to which the curent authentication has Read

-->

- <!--

      permission. (See the permission model defintion for what this means)

-->

- <!--

 createStore

-->

- <!--

      only a user with the administrator role can create new stores

-->

- <!--

 exists

-->

- <!--

      check if a node exists. If the current user does not have read access then

-->

- <!--

      the node will not exist.

-->

- <!--

 getRootNode

-->

- <!--

      get the root node for a store - access will be denied for users who do not

-->

- <!--

      have Read permission for the root node of the store.

-->

- <!--

 createNode

-->

- <!--

      requires that the current authentication has the permission to create

-->

- <!--

      children for the containing node.

-->

- <!--

 moveNode

-->

- <!--

      requires that the current authentication has the permission to delete the

-->

- <!--

      the node in the source folder and create it in the destination folder.

-->

- <!--

 setChildAssociationIndex

-->

- <!--

      required write properties permission on the parent

-->

- <!--

 getType

-->

- <!--

      obtaining the type of a node requires read access

-->

- <!--

 addAspect

-->

- <!--

      adding an aspect updates a multi-valued property so this requires write

-->

- <!--

      access to properties.

-->

- <!--

 removeAspect

-->

- <!--

      removing an aspect updates a multi-valued property so this requires write

-->

- <!--

      access to properties.

-->

- <!--

 hasAspect

-->

- <!--

      querying for an aspect requires read access to a property

-->

- <!--

 getAspects

-->

- <!--

      querying for all aspect requires read access to a property

-->

- <!--

 deleteNode

-->

- <!--

      requires the delete permission

-->

- <!--

 addChild

-->

- <!--

      requires create children on the parent

-->

- <!--

 removeChild

-->

- <!--

      Requires delete children from the parent & delete for the child IF PRIMARY

-->

- <!--

 removeChildAssociation

-->

- <!--

      Requires delete children from the parent & delete for the child IF PRIMARY

-->

- <!--

 getProperties

-->

- <!--

      Requires read properties for the node

-->

- <!--

 getProperty

-->

- <!--

      Requires read properties for the node

-->

- <!--

 setProperties

-->

- <!--

      Requires write properties for the node

-->

- <!--

 setProperty

-->

- <!--

      Requires write properties for the node

-->

- <!--

 getParentAssocs

-->

- <!--

      Requires read on the node and returns only parents that can be seen

-->

- <!--

      It is possible that no parents are accessible

-->

- <!--

 getChildAssocs

-->

- <!--

      Requires read on the node and returns only children that can be seen

-->

- <!--

      It is possible that no children are accessible

-->

- <!--

 getPrimaryParent

-->

- <!--

      Requires read on the node an aceess error will be thrown if the primary

-->

- <!--

      parent can not be read

-->

- <!--

 createAssociation

-->

- <!--

      NOT SET YET

-->

- <!--

 removeAssociation

-->

- <!--

      NOT SET YET

-->

- <!--

 getTargetAssocs

-->

- <!--

      NOT SET YET

-->

- <!--

 getSourceAssocs

-->

- <!--

      NOT SET YET

-->

- <!--

 getPath

-->

- <!--

      Requires read for the node

-->

- <!--

 getPaths

-->

- <!--

      Requires read for the node

-->

- <bean id="NodeService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.repository.NodeService.getStores=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.createStore=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.repository.NodeService.exists=ACL_ALLOW org.alfresco.service.cmr.repository.NodeService.getNodeStatus=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getNodeRef=AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getAllRootNodes=ACL_NODE.0.sys:base.ReadProperties,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getRootNode=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.createNode=ACL_NODE.0.sys:base.CreateChildren org.alfresco.service.cmr.repository.NodeService.moveNode=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.CreateChildren org.alfresco.service.cmr.repository.NodeService.setChildAssociationIndex=ACL_PARENT.0.sys:base.WriteProperties org.alfresco.service.cmr.repository.NodeService.getType=ACL_ALLOW org.alfresco.service.cmr.repository.NodeService.setType=ACL_NODE.0.sys:base.WriteProperties org.alfresco.service.cmr.repository.NodeService.addAspect=ACL_NODE.0.sys:base.WriteProperties,ACL_ITEM.0.cm

wnable.TakeOwnership org.alfresco.service.cmr.repository.NodeService.removeAspect=ACL_NODE.0.sys:base.WriteProperties org.alfresco.service.cmr.repository.NodeService.hasAspect=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getAspects=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.deleteNode=ACL_NODE.0.sys:base.DeleteNode org.alfresco.service.cmr.repository.NodeService.addChild=ACL_NODE.0.sys:base.CreateChildren,ACL_NODE.1.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.removeChild=ACL_NODE.0.sys:base.DeleteChildren,ACL_PRI_CHILD_ASSOC_ON_CHILD.0.1.sys:base.DeleteNode org.alfresco.service.cmr.repository.NodeService.removeChildAssociation=ACL_PARENT.0.sys:base.DeleteChildren,ACL_PRI_CHILD_ASSOC_ON_CHILD.0.sys:base.DeleteNode org.alfresco.service.cmr.repository.NodeService.getProperties=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getProperty=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.setProperties=ACL_NODE.0.sys:base.WriteProperties,ACL_ITEM.0.cm

wnable.TakeOwnership org.alfresco.service.cmr.repository.NodeService.addProperties=ACL_NODE.0.sys:base.WriteProperties,ACL_ITEM.0.cm

wnable.TakeOwnership org.alfresco.service.cmr.repository.NodeService.setProperty=ACL_NODE.0.sys:base.WriteProperties,ACL_ITEM.0.cm

wnable.TakeOwnership org.alfresco.service.cmr.repository.NodeService.removeProperty=ACL_NODE.0.sys:base.WriteProperties org.alfresco.service.cmr.repository.NodeService.getParentAssocs=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getChildAssocs=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getChildByName=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getChildAssocsByPropertyValue=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getChildrenByName=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getPrimaryParent=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.createAssociation=ACL_ALLOW org.alfresco.service.cmr.repository.NodeService.removeAssociation=ACL_ALLOW org.alfresco.service.cmr.repository.NodeService.setAssociations=ACL_ALLOW org.alfresco.service.cmr.repository.NodeService.getTargetAssocs=ACL_ALLOW org.alfresco.service.cmr.repository.NodeService.getSourceAssocs=ACL_ALLOW org.alfresco.service.cmr.repository.NodeService.getAssoc=ACL_ALLOW org.alfresco.service.cmr.repository.NodeService.getPath=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getPaths=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getStoreArchiveNode=ACL_NODE.0.sys:base.Read org.alfresco.service.cmr.repository.NodeService.restoreNode=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.CreateChildren org.alfresco.service.cmr.repository.NodeService.getChildAssocsWithoutParentAssocsOfType=ACL_NODE.0.sys:base.ReadProperties,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.countChildAssocs=ACL_NODE.0.sys:base.ReadChildren org.alfresco.service.cmr.repository.NodeService.*=ACL_DENY</value>

</property>

</bean>

- <!--

 ==============================

-->

- <!--

 FileFolder Service Permissions

-->

- <!--

 ==============================

-->

- <bean id="FileFolderService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.model.FileFolderService.list=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.model.FileFolderService.listFiles=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.model.FileFolderService.listFolders=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.model.FileFolderService.listDeepFolders=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.model.FileFolderService.getLocalizedSibling=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.model.FileFolderService.search=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read org.alfresco.service.cmr.model.FileFolderService.searchSimple=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read org.alfresco.service.cmr.model.FileFolderService.rename=ACL_NODE.0.sys:base.WriteProperties org.alfresco.service.cmr.model.FileFolderService.move=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.CreateChildren org.alfresco.service.cmr.model.FileFolderService.moveFrom=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.2.sys:base.CreateChildren org.alfresco.service.cmr.model.FileFolderService.copy=ACL_NODE.0.sys:base.Read,ACL_NODE.1.sys:base.CreateChildren org.alfresco.service.cmr.model.FileFolderService.create=ACL_NODE.0.sys:base.CreateChildren org.alfresco.service.cmr.model.FileFolderService.delete=ACL_NODE.0.sys:base.DeleteNode org.alfresco.service.cmr.model.FileFolderService.getNamePath=ACL_NODE.1.sys:base.ReadProperties org.alfresco.service.cmr.model.FileFolderService.getNameOnlyPath=ACL_NODE.1.sys:base.ReadProperties org.alfresco.service.cmr.model.FileFolderService.resolveNamePath=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.model.FileFolderService.getFileInfo=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.model.FileFolderService.toFileInfoList=ACL_ALLOW org.alfresco.service.cmr.model.FileFolderService.getReader=ACL_NODE.0.sys:base.ReadContent org.alfresco.service.cmr.model.FileFolderService.getWriter=ACL_NODE.0.sys:base.WriteContent org.alfresco.service.cmr.model.FileFolderService.exists=ACL_ALLOW org.alfresco.service.cmr.model.FileFolderService.getType=ACL_ALLOW org.alfresco.service.cmr.model.FileFolderService.isHidden=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.model.FileFolderService.setHidden=ACL_NODE.0.sys:base.WriteProperties org.alfresco.service.cmr.model.FileFolderService.*=ACL_DENY</value>

</property>

</bean>

- <bean id="FileFolderService_security_list" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityBean" lazy-init="default" autowire="default" dependency-check="default">

</bean>

- <!--

 ===========================

-->

- <!--

 Content Service Permissions

-->

- <!--

 ===========================

-->

- <!--

 Reading requires the permission to read content

-->

- <!--

 Writing required the permission to write conent

-->

- <bean id="ContentService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.repository.ContentService.getStoreTotalSpace=ACL_ALLOW org.alfresco.service.cmr.repository.ContentService.getStoreFreeSpace=ACL_ALLOW org.alfresco.service.cmr.repository.ContentService.getRawReader=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.repository.ContentService.getReader=ACL_NODE.0.sys:base.ReadContent org.alfresco.service.cmr.repository.ContentService.getWriter=ACL_NODE.0.sys:base.WriteContent org.alfresco.service.cmr.repository.ContentService.isTransformable=ACL_ALLOW org.alfresco.service.cmr.repository.ContentService.getTransformer=ACL_ALLOW org.alfresco.service.cmr.repository.ContentService.getMaxSourceSizeBytes=ACL_ALLOW org.alfresco.service.cmr.repository.ContentService.getImageTransformer=ACL_ALLOW org.alfresco.service.cmr.repository.ContentService.transform=ACL_ALLOW org.alfresco.service.cmr.repository.ContentService.getTempWriter=ACL_ALLOW org.alfresco.service.cmr.repository.ContentService.*=ACL_DENY</value>

</property>

</bean>

- <!--

 ================

-->

- <!--

 MimeType Service

-->

- <!--

 ================

-->

- <!--

 There are no permissions around mime types

-->

- <!--

 ==============

-->

- <!--

 Search Service

-->

- <!--

 ==============

-->

- <!--

 All search results are filtered to exclude nodes that the current user can not

-->

- <!--

 read. Other methods restrict queries to those nodes the user can read

-->

- <bean id="SearchService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.search.SearchService.query=ACL_ALLOW,AFTER_ACL_NODE.sys:base.Read org.alfresco.service.cmr.search.SearchService.selectNodes=ACL_ALLOW,AFTER_ACL_NODE.sys:base.Read org.alfresco.service.cmr.search.SearchService.selectProperties=ACL_NODE.0.sys:base.Read org.alfresco.service.cmr.search.SearchService.contains=ACL_NODE.0.sys:base.Read org.alfresco.service.cmr.search.SearchService.like=ACL_NODE.0.sys:base.Read org.alfresco.service.cmr.search.SearchService.*=ACL_DENY</value>

</property>

</bean>

- <bean id="StasService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.search.StatsService.query=ACL_ALLOW,AFTER_ACL_NODE.sys:base.Read org.alfresco.service.cmr.search.StatsService.*=ACL_DENY</value>

</property>

</bean>

- <!--

 ================

-->

- <!--

 Category Service

-->

- <!--

 ================

-->

- <!--

 Category queries are filtered for nodes that are visible to the current user

-->

- <!--

 Other methods are unrestricted at the moment

-->

- <!--

 Uses the public node service for all mutations -  access is allowed here and enforced by the public node service

-->

- <bean id="CategoryService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.search.CategoryService.getChildren=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.search.CategoryService.getCategories=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.search.CategoryService.getClassifications=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.search.CategoryService.getRootCategories=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.search.CategoryService.getClassificationAspects=ACL_ALLOW org.alfresco.service.cmr.search.CategoryService.createClassification=ACL_ALLOW org.alfresco.service.cmr.search.CategoryService.createRootCategory=ACL_ALLOW org.alfresco.service.cmr.search.CategoryService.createCategory=ACL_ALLOW org.alfresco.service.cmr.search.CategoryService.deleteClassification=ACL_ALLOW org.alfresco.service.cmr.search.CategoryService.deleteCategory=ACL_ALLOW org.alfresco.service.cmr.search.CategoryService.getTopCategories=ACL_ALLOW org.alfresco.service.cmr.search.CategoryService.*=ACL_DENY</value>

</property>

</bean>

- <!--

 ============

-->

- <!--

 Copy Service

-->

- <!--

 ============

-->

- <!--

 The copy service does not require any security restrictions, they are imposed

-->

- <!--

 by the node service it uses to do its work.

-->

- <bean id="CopyService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.repository.CopyService.copy=ACL_ALLOW org.alfresco.service.cmr.repository.CopyService.copyAndRename=ACL_ALLOW org.alfresco.service.cmr.repository.CopyService.getOriginal=ACL_NODE.0.sys:base.ReadProperties,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.repository.CopyService.getCopies=ACL_NODE.0.sys:base.ReadProperties,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.repository.CopyService.*=ACL_DENY</value>

</property>

</bean>

- <bean id="CopyService_security_getCopies" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityBean" lazy-init="default" autowire="default" dependency-check="default">

</bean>

- <!--

 ================

-->

- <!--

 The Lock Service

-->

- <!--

 ================

-->

- <!--

 Lock and Unlock require the related aspect specific permissions. Querying the

-->

- <!--

 lock status just requires read access to the node.

-->

- <bean id="LockService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.lock.LockService.lock=ACL_NODE.0.cm:lockable.Lock org.alfresco.service.cmr.lock.LockService.unlock=ACL_NODE.0.cm:lockable.Unlock org.alfresco.service.cmr.lock.LockService.getLockStatus=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.lock.LockService.getLockType=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.lock.LockService.checkForLock=ACL_NODE.0.sys:base.ReadProperties org.alfresco.repo.lock.LockServiceImpl.getLocks=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.lock.LockService.*=ACL_DENY</value>

</property>

</bean>

- <!--

 ===============

-->

- <!--

 Version Service

-->

- <!--

 ===============

-->

- <!--

 The version service does not have any restrictions applied at the moment. It

-->

- <!--

 does not use a node service that would apply any permissions.

-->

- <!--

 ===============================

-->

- <!--

 Multilingual Content Service

-->

- <!--

 ===============================

-->

- <!--

 The version service does not have any restrictions applied at the moment. It

-->

- <!--

 does not use a node service that would apply any permissions.

-->

- <bean id="MultilingualContentService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.ml.MultilingualContentService.getTranslationContainer=ACL_ALLOW org.alfresco.service.cmr.ml.MultilingualContentService.getTranslations=ACL_NODE.0.sys:base.Read,AFTER_ACL_NODE.sys:base.Read org.alfresco.service.cmr.ml.MultilingualContentService.getTranslationForLocale=ACL_NODE.0.sys:base.Read,AFTER_ACL_NODE.sys:base.Read org.alfresco.service.cmr.ml.MultilingualContentService.getMissingTranslations=ACL_ALLOW org.alfresco.service.cmr.ml.MultilingualContentService.getPivotTranslation=ACL_NODE.0.sys:base.Read,AFTER_ACL_NODE.sys:base.Read org.alfresco.service.cmr.ml.MultilingualContentService.isTranslation=ACL_NODE.0.sys:base.Read org.alfresco.service.cmr.ml.MultilingualContentService.makeTranslation=ACL_NODE.0.sys:base.Write org.alfresco.service.cmr.ml.MultilingualContentService.unmakeTranslation=ACL_NODE.0.sys:base.Write org.alfresco.service.cmr.ml.MultilingualContentService.addTranslation=ACL_NODE.0.sys:base.Read,ACL_NODE.1.sys:base.Write org.alfresco.service.cmr.ml.MultilingualContentService.addEmptyTranslation=ACL_NODE.0.sys:base.Read,ACL_NODE.0.sys:base.CreateChildren org.alfresco.service.cmr.ml.MultilingualContentService.copyTranslationContainer=ACL_NODE.0.sys:base.Read,ACL_NODE.1.sys:base.CreateChildren org.alfresco.service.cmr.ml.MultilingualContentService.moveTranslationContainer=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.CreateChildren org.alfresco.service.cmr.ml.MultilingualContentService.deleteTranslationContainer=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.0.sys:base.DeleteChildren org.alfresco.service.cmr.ml.MultilingualContentService.*=ACL_DENY</value>

</property>

</bean>

- <!--

 ===================

-->

- <!--

 Edition  Service

-->

- <!--

 ===================

-->

- <bean id="EditionService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.ml.EditionService.createEdition=ACL_NODE.0.sys:base.Read org.alfresco.service.cmr.ml.EditionService.getEditions=ACL_NODE.0.sys:base.Read org.alfresco.service.cmr.ml.EditionService.getVersionedTranslations=ACL_ALLOW org.alfresco.service.cmr.ml.EditionService.getVersionedMetadatas=ACL_ALLOW org.alfresco.service.cmr.ml.EditionService.*=ACL_DENY</value>

</property>

</bean>

- <!--

 ==============================

-->

- <!--

 The Check-out/Check-in service

-->

- <!--

 ==============================

-->

- <!--

 To check out a node requires that you have permission to check out the node and

-->

- <!--

 create the working copy in the specified location. Check in requires the

-->

- <!--

 the associated permission, as does cancel check out. See the permission model

-->

- <!--

 for how these permissions are granted.

-->

- <bean id="CheckOutCheckInService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.coci.CheckOutCheckInService.checkout=ACL_NODE.0.cm:lockable.CheckOut org.alfresco.service.cmr.coci.CheckOutCheckInService.checkin=ACL_NODE.0.cm:workingcopy.CheckIn org.alfresco.service.cmr.coci.CheckOutCheckInService.cancelCheckout=ACL_NODE.0.cm:workingcopy.CancelCheckOut org.alfresco.service.cmr.coci.CheckOutCheckInService.getWorkingCopy=ACL_NODE.0.sys:base.Read org.alfresco.service.cmr.coci.CheckOutCheckInService.getCheckedOut=ACL_NODE.0.sys:base.Read org.alfresco.service.cmr.coci.CheckOutCheckInService.isWorkingCopy=ACL_NODE.0.sys:base.Read org.alfresco.service.cmr.coci.CheckOutCheckInService.isCheckedOut=ACL_NODE.0.sys:base.Read org.alfresco.service.cmr.coci.CheckOutCheckInService.*=ACL_DENY</value>

</property>

</bean>

- <!--

 ================

-->

- <!--

 The Rule Service

-->

- <!--

 ================

-->

- <!--

 The rule service does not require any security restrictions, they are imposed

-->

- <!--

 by the node service it uses to do its work.

-->

- <!--

 ====================

-->

- <!--

 The Importer Service

-->

- <!--

 ====================

-->

- <!--

 The importer service does not require any security restrictions, they are

-->

- <!--

 imposed by the node service it uses to do its work.

-->

- <!--

 ==================

-->

- <!--

 The Action Service

-->

- <!--

 ==================

-->

- <!--

 The action service does not require any security restrictions, they are imposed

-->

- <!--

 by the node service it uses to do its work.

-->

- <!--

 ======================

-->

- <!--

 The Permission Service

-->

- <!--

 ======================

-->

- <!--

 Requests to this service are controlled by the ReadPermissions and

-->

- <!--

 and ChangePermissions permissions. Access to some methods are not restricted at

-->

- <!--

 the moment.

-->

- <bean id="PermissionService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.security.PermissionService.getOwnerAuthority=ACL_ALLOW org.alfresco.service.cmr.security.PermissionService.getAllAuthorities=ACL_ALLOW org.alfresco.service.cmr.security.PermissionService.getAllPermission=ACL_ALLOW org.alfresco.service.cmr.security.PermissionService.getPermissions=ACL_NODE.0.sys:base.ReadPermissions org.alfresco.service.cmr.security.PermissionService.getAllSetPermissions=ACL_NODE.0.sys:base.ReadPermissions org.alfresco.service.cmr.security.PermissionService.getSettablePermissions=ACL_ALLOW org.alfresco.service.cmr.security.PermissionService.hasPermission=ACL_ALLOW org.alfresco.service.cmr.security.PermissionService.getReaders=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.PermissionService.deletePermissions=ACL_NODE.0.sys:base.ChangePermissions org.alfresco.service.cmr.security.PermissionService.deletePermission=ACL_NODE.0.sys:base.ChangePermissions org.alfresco.service.cmr.security.PermissionService.setPermission=ACL_NODE.0.sys:base.ChangePermissions org.alfresco.service.cmr.security.PermissionService.setInheritParentPermissions=ACL_NODE.0.sys:base.ChangePermissions org.alfresco.service.cmr.security.PermissionService.getInheritParentPermissions=ACL_ALLOW org.alfresco.service.cmr.security.PermissionService.clearPermission=ACL_NODE.0.sys:base.ChangePermissions org.alfresco.service.cmr.security.PermissionService.*=ACL_DENY</value>

</property>

</bean>

- <!--

 =====================

-->

- <!--

 The Authority Service

-->

- <!--

 =====================

-->

- <!--

 This service currently has no restrictions.

-->

- <bean id="AuthorityService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.security.AuthorityService.hasAdminAuthority=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.hasGuestAuthority=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.isAdminAuthority=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.isGuestAuthority=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.countUsers=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.countGroups=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.getAuthorities=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.getAuthoritiesInfo=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.getAuthoritiesForUser=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.AuthorityService.getAllAuthorities=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.findAuthorities=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.getAllRootAuthorities=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.getAuthorityNodeRef=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.createAuthority=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.AuthorityService.addAuthority=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.AuthorityService.removeAuthority=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.AuthorityService.deleteAuthority=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.AuthorityService.getContainedAuthorities=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.getContainingAuthorities=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.getContainingAuthoritiesInZone=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.getShortName=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.getName=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.authorityExists=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.setAuthorityDisplayName=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.AuthorityService.getAuthorityDisplayName=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.getOrCreateZone=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.AuthorityService.getZone=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.getAuthorityZones=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.getAllAuthoritiesInZone=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.getAllRootAuthoritiesInZone=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.addAuthorityToZones=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.AuthorityService.removeAuthorityFromZones=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.AuthorityService.getDefaultZones=ACL_ALLOW org.alfresco.service.cmr.security.AuthorityService.*=ACL_DENY</value>

</property>

</bean>

- <bean id="AuthorityService_security_getAuthorities" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityBean" lazy-init="default" autowire="default" dependency-check="default">

</bean>

- <!--

 ===============================================

-->

- <!--

 The Authentication Service security interceptor

-->

- <!--

 ===============================================

-->

- <!--

 NOTE: Authentication is excluded as it sets or clears authentication

-->

- <!--

 The same for validate ticaket

-->

- <!--

 Update authentication checks internally

-->

- <bean id="AuthenticationService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.security.MutableAuthenticationService.isAuthenticationMutable=ACL_ALLOW org.alfresco.service.cmr.security.MutableAuthenticationService.isAuthenticationCreationAllowed=ACL_ALLOW org.alfresco.service.cmr.security.MutableAuthenticationService.createAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.MutableAuthenticationService.updateAuthentication=ACL_ALLOW org.alfresco.service.cmr.security.MutableAuthenticationService.setAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.MutableAuthenticationService.deleteAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.MutableAuthenticationService.setAuthenticationEnabled=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.AuthenticationService.getAuthenticationEnabled=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.AuthenticationService.authenticationExists=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.AuthenticationService.getCurrentUserName=ACL_ALLOW org.alfresco.service.cmr.security.AuthenticationService.invalidateUserSession=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.AuthenticationService.invalidateTicket=ACL_ALLOW org.alfresco.service.cmr.security.AuthenticationService.getCurrentTicket=ACL_ALLOW org.alfresco.service.cmr.security.AuthenticationService.clearCurrentSecurityContext=ACL_ALLOW org.alfresco.service.cmr.security.AuthenticationService.isCurrentUserTheSystemUser=ACL_ALLOW org.alfresco.service.cmr.security.AuthenticationService.guestUserAuthenticationAllowed=ACL_ALLOW org.alfresco.service.cmr.security.AuthenticationService.getDomains=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.AuthenticationService.getDomainsThatAllowUserCreation=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.AuthenticationService.getDomainsThatAllowUserDeletion=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.AuthenticationService.getDomiansThatAllowUserPasswordChanges=ACL_METHOD.ROLE_ADMINISTRATOR</value>

</property>

</bean>

- <!--

 ===================

-->

- <!--

 The Ownable Service

-->

- <!--

 ===================

-->

- <!--

 This service currently has no restrictions.

-->

- <!--

 TODO: respect the permissions on the ownable service

-->

- <bean id="OwnableService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.security.OwnableService.getOwner=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.security.OwnableService.setOwner=ACL_NODE.0.cm

wnable.SetOwner org.alfresco.service.cmr.security.OwnableService.takeOwnership=ACL_NODE.0.cm

wnable.TakeOwnership org.alfresco.service.cmr.security.OwnableService.hasOwner=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.security.OwnableService.*=ACL_DENY</value>

</property>

</bean>

- <!--

 Person Service

-->

- <bean id="PersonService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.security.PersonService.getPerson=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.security.PersonService.getPersonOrNull=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.security.PersonService.personExists=ACL_ALLOW org.alfresco.service.cmr.security.PersonService.isEnabled=ACL_ALLOW org.alfresco.service.cmr.security.PersonService.createMissingPeople=ACL_ALLOW org.alfresco.service.cmr.security.PersonService.setCreateMissingPeople=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.PersonService.getMutableProperties=ACL_ALLOW org.alfresco.service.cmr.security.PersonService.setPersonProperties=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.PersonService.isMutable=ACL_ALLOW org.alfresco.service.cmr.security.PersonService.createPerson=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.PersonService.deletePerson=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.PersonService.notifyPerson=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.security.PersonService.getAllPeople=ACL_ALLOW org.alfresco.service.cmr.security.PersonService.getPeople=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.security.PersonService.getPeopleFilteredByProperty=ACL_ALLOW org.alfresco.service.cmr.security.PersonService.getPeopleContainer=ACL_ALLOW org.alfresco.service.cmr.security.PersonService.getUserNamesAreCaseSensitive=ACL_ALLOW org.alfresco.service.cmr.security.PersonService.getUserIdentifier=ACL_ALLOW org.alfresco.service.cmr.security.PersonService.countPeople=ACL_ALLOW org.alfresco.service.cmr.security.PersonService.*=ACL_DENY</value>

</property>

</bean>

- <bean id="PersonService_security_getPeople" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityBean" lazy-init="default" autowire="default" dependency-check="default">

</bean>

- <!--

 ====================

-->

- <!--

 The Template Service

-->

- <!--

 ====================

-->

- <!--

 This service currently has no restrictions.

-->

- <!--

 ====================

-->

- <!--

 The Script Service

-->

- <!--

 ====================

-->

- <!--

 This service currently has no restrictions.

-->

- <!--

 ================

-->

- <!--

 Workflow Service

-->

- <!--

 ================

-->

- <bean id="WorkflowService_security" class="org.alfresco.service.cmr.workflow.WorkflowPermissionInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="personService">

</property>

- <property name="authorityService">

</property>

- <property name="workflowService">

</property>

</bean>

- <!--

 =============

-->

- <!--

 Audit Service

-->

- <!--

 =============

-->

- <!--

 TODO: Add audit security

-->

- <bean id="AuditService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.audit.AuditService.*=ACL_METHOD.ROLE_ADMINISTRATOR</value>

</property>

</bean>

- <!--

 ============

-->

- <!--

 Blog Service

-->

- <!--

 ============

-->

- <bean id="BlogService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.blog.BlogService.getDrafts=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.blog.BlogService.getPublished=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.blog.BlogService.getPublishedExternally=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.blog.BlogService.getMyDraftsAndAllPublished=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.blog.BlogService.*=ACL_ALLOW</value>

</property>

</bean>

- <!--

 ============

-->

- <!--

 Site Service

-->

- <!--

 ============

-->

- <bean id="SiteService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.site.SiteService.cleanSitePermissions=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.createContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.createSite= ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.findSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.getContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.listContainers=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.getMembersRole=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.getMembersRoleInfo=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.resolveSite=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.getSite=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.getSiteShortName=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.getSiteGroup=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.getSiteRoleGroup=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.getSiteRoles=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.getSiteRoot=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.hasContainer=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.hasCreateSitePermissions=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.hasSite=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.isMember=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.listMembers=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.listMembersInfo=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.listMembersPaged=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.listSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.listSitesPaged=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.removeMembership=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.canAddMember=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.setMembership=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.updateSite=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.countAuthoritiesWithRole=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.isSiteAdmin=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.*=ACL_DENY</value>

</property>

</bean>

- <bean id="SiteService_security_listSites" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityBean" lazy-init="default" autowire="default" dependency-check="default">

</bean>

- <!--

 ====================

-->

- <!--

 The Calendar Service

-->

- <!--

 ====================

-->

- <!--

 The calendar service itself does not require any security restrictions,

-->

- <!--

  they are imposed by the node and site services it uses to do its work.

-->

- <!--

 The canned queries that the calendar service uses do however need to check

-->

- <bean id="CalendarService_CannedQuery_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.calendar.CalendarService.listCalendarEntries=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.calendar.CalendarService.listOutlookCalendarEntries=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties</value>

</property>

</bean>

- <bean id="CalendarService_security_listCalendarEntries" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityBean" lazy-init="default" autowire="default" dependency-check="default">

</bean>

- <!--

 ====================

-->

- <!--

 The Download Service

-->

- <!--

 ====================

-->

- <!--

 The download service itself does not require any security restrictions,

-->

- <!--

  they are imposed by the node and site services it uses to do its work.

-->

- <!--

 The canned queries that the calendar service uses do however need to check

-->

- <bean id="DownloadService_CannedQuery_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.download.DownloadService.deleteDownloads=ACL_ALLOW</value>

</property>

</bean>

- <bean id="DownloadService_security_deleteDownloads" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityBean" lazy-init="default" autowire="default" dependency-check="default">

</bean>

- <!--

 ====================

-->

- <!--

 The Links Service

-->

- <!--

 ====================

-->

- <!--

 The links service itself does not require any security restrictions,

-->

- <!--

  they are imposed by the node and site services it uses to do its work.

-->

- <!--

 The canned queries that the links service uses do however need to check

-->

- <bean id="LinksService_CannedQuery_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.links.LinksService.listLinks=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties</value>

</property>

</bean>

- <bean id="LinksService_security_listLinks" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityBean" lazy-init="default" autowire="default" dependency-check="default">

</bean>

- <!--

 ====================

-->

- <!--

 The Wiki Services

-->

- <!--

 ====================

-->

- <!--

 The wiki service itself does not require any security restrictions,

-->

- <!--

  they are imposed by the node and site services it uses to do its work.

-->

- <!--

 The canned queries that the wiki services use do however need to check

-->

- <bean id="WikiService_CannedQuery_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.wiki.WikiService.listWikiPages=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties</value>

</property>

</bean>

- <bean id="WikiService_security_listWikiPages" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityBean" lazy-init="default" autowire="default" dependency-check="default">

</bean>

- <!--

 =========================

-->

- <!--

 The Discussions Services

-->

- <!--

 =========================

-->

- <!--

 The discussion service itself does not require any security restrictions,

-->

- <!--

  they are imposed by the node and site services it uses to do its work.

-->

- <!--

 The canned queries that the discussion services use do however need to check

-->

- <bean id="DiscussionService_CannedQuery_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.discussion.DiscussionService.listPosts=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties</value>

</property>

</bean>

- <bean id="DiscussionService_security_listPosts" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityBean" lazy-init="default" autowire="default" dependency-check="default">

</bean>

- <!--

 =================================

-->

- <!--

 The Remote Credentials Service

-->

- <!--

 =================================

-->

- <!--

 The remote credentials service itself does not require any security restrictions,

-->

- <!--

  they are imposed by the node service it uses to do its work.

-->

- <!--

 ========================

-->

- <!--

 Repository Admin Service

-->

- <!--

 ========================

-->

- <!--

 TODO: Add repository admin security

-->

- <bean id="RepoAdminService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.admin.RepoAdminService.getRestrictions=ACL_ALLOW org.alfresco.service.cmr.admin.RepoAdminService.getUsageStatus=ACL_ALLOW org.alfresco.service.cmr.admin.RepoAdminService.*=ACL_METHOD.ROLE_ADMINISTRATOR</value>

</property>

</bean>

- <!--

 =====================

-->

- <!--

 Content Usage Service

-->

- <!--

 =====================

-->

- <!--

 TODO: Add content usage security

-->

- <bean id="PublicServiceAccessService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" lazy-init="default" autowire="default" dependency-check="default">

- <property name="authenticationManager">

</property>

- <property name="accessDecisionManager">

</property>

- <property name="afterInvocationManager">

</property>

- <property name="objectDefinitionSource">

<value>org.alfresco.service.cmr.security.PublicServiceAccessService.hasAccess=ACL_ALLOW</value>

</property>

</bean>

- <!--

 ====================

-->

- <!--

 The Archived Nodes service

-->

- <!--

 ====================

-->

- <!--

 This service currently has no restrictions.

-->

- <bean id="ArchivedNodes_security_listArchivedNodes" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityBean" lazy-init="default" autowire="default" dependency-check="default">

</bean>

</beans>

------------------------------------------------------------------------------------------------------------------------------

Any guidance....?

mahesh_alfresco · ‎09-01-2017

Hi,

Any further guidance...?

afaust · ‎09-01-2017

Well, if you already have a custom-public-services-security-context.xml with these kinds of changes to the security definition of AuthenticationService (and maybe other services - I have not compared everything line-by-line) then it's no wonder you get this kind of exception. The security configurations should not be changed / overriden in that extent unless you really, really, really know what you are doing. I would suggest you first try to work with the default security configuration by renaming the custom file to *.xml.deactivated (or something that will cause it not to be picked up anymore).

Hyland Connect

Unable to Add User