Hyland Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Access right for group: cannot deny "remove" permission while granting "write" permission.

Tùng_Aroma
Champ in-the-making
Champ in-the-making

‎12-26-2013 10:37 AM

From my point of view, and also as my needs:

  • It's easy to understand the logics of group: to manage the access rights for a lot of users in bulk, without having to repeat the action of editing (of the same) rights for each single users

  • It's also popular case that we want grant Write permission to a group of users so that they can create topic, add comment... while denying them from Remove right so that they cannot delete topics, content...

As mentioned in the Nuxeo Docs http://doc.nuxeo.com/display/public/USERDOC58/Document+Management+Concepts

  • Remove right is included in the Write right.

  • The Remove permission is most intended to be denied, so as to restrict the actions available to users with "Write" permission.

At first what stated in Nuxeo Docs seems to fit very well with the needs I mentioned above, but in reality it turns out to be the other way:

  • In my Nuxeo intsance, the workspace nam "aroma marketing" in DM: I grant Write permission to "aroma-marketing" group and deny Remove permission to this group with the logics that they can create content (topic) but cannot delete topic just exactly what is mentioned in Nuxeo Docs. But it fact, with this permission setting, users in "aroma-marketing" group still can delete content. It means that they are granted with "Write" (inlcuding Delete rights) but they are not denied from deleting as supposed to be with Remove right denial.

  • When I take closer look at the Nuxeo Docs with the link above and further with this link : http://doc.nuxeo.com/display/public/USERDOC58/Managing+Access+Rights

It seems to me that you can grant Write rights to group of user, and you cannot deny Romve rights to that group of user at the same time, but you can only deny Remove right to USERS (NOT GROUP) in order to have the final permission: they can create but cannot delete. If this is the case, it will be quite inconvinient because the users group are born so that we can manage permission of users in bulk without having to repeat the same permision setting to every single user. In this case, I can grant Write right in bulk (using group) but then I have to deny Remove right to every single user?

I hope that I'm wrong here because it will be exhausted if I have to deny remove right to evey single user hundreds of them), in every single workspace (hundreds of workspace) because generally I just want the normal user to be able to create and comment, not to delete.

Can anyone help me to clearify this? Or if I'm wrong here could you please tell me how to let a group of user to be able to create content, but not be able to delete content.

Thanks in advance.

0 Kudos
4 REPLIES 4

sdenef_
Confirmed Champ
Confirmed Champ

‎12-26-2013 05:38 PM

Hi,

http://doc.nuxeo.com/display/public/USERDOC58/Managing+Access+Rights

The fact that the rights are given or denied to a single user or a group doesn't have any influence.

So it's not a problem of users or groups

granted rights have priority over denied rights

Here is the point. If you give a GRANT, you can change it with a DENY in a subfolder but not at the same level. (because of this rule)

Hope it helps.

PS: An other "rule" not explained in the doc. In "inherited rights" if you see somthing like : username ; granted permissions ; denied permissions jonh doe ; Read ; Read the closest permission (grant or deny) in the hierarchy is applied. It's seems obvious, but difficult to understand the first time.

0 Kudos

Tùng_Aroma
Champ in-the-making
Champ in-the-making
In response to sdenef_

‎12-26-2013 09:32 PM

Thank you for your reply. Your information is quite clear and supportive and now I know how Nuxeo technically behave in this case.

0 Kudos

Tùng_Aroma
Champ in-the-making
Champ in-the-making
In response to sdenef_

‎12-26-2013 09:55 PM

It's just like visitor going a museum.

0 Kudos

sdenef_
Confirmed Champ
Confirmed Champ
In response to sdenef_

‎12-27-2013 06:14 AM

Maybe you can do that

0 Kudos
Getting started

Find what you came for

We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.

Copyright © 2024 Khoros, LLC