02-15-2012 04:03 PM
Hello,
I have just downloaded and installed Nuxeo Document Management 5.5 and I tried what is described at http://doc.nuxeo.com/display/DMDOC/Managing+access+rights about access rights management.
So I did the following steps:
As Administrator
as John Do user
Question: Is it normal that the Delete button is enabled even if there is a Deny - Remove permission on the workspace for the user ?
I would have expected that the user won't be able to delete any document.
Thanks in advance for your answer
Best regards, Christophe
02-16-2012 10:03 AM
Hello,
This is due to the access rights prioritization, as explained on this page: http://doc.nuxeo.com/x/UYEk.
In this case, the user still has the right to remove documents because at the same level (in the same workspace) he's denied the right to delete documents, but he's also granted the Write permission. Since Write includes the Remove permission and granted rights win over denied rights, in the end the user is granted the right to remove.
02-16-2012 10:48 AM
Hello,
02-23-2012 09:32 AM
I'm wondering why the Write permission needs to include Remove, it could be a good test to check if this is a problem for other features. I think it could be considered a bug, maybe to handle at the same time as https
02-21-2012 11:48 AM
If you want to override the default rights hierarchy then you can create a custom security policy by extending SecurityPolicy. See http://doc.nuxeo.com/display/NXDOC/Security+Policy+Service for more details.
Be careful with this because there can be negative performance side-effects if the custom policy is too complex!
09-26-2012 10:50 PM
I think the original question is an important one: how to grant permission to create new objects but not remove old ones.
The comments above (directing to the doc) seem to be in conflict with the doc, which states:
The "Remove" permission is intended to be denied, so as to restrict the actions available to users with "Write" permission.
If "Remove" permission is intended to be denied, but granting Write takes precedence, how is it possible to ever deny remove? To me this smells like a defect.
Tom
09-26-2012 11:04 PM
The answer is to redefine the aggregate permission Write to work the way you want it to. Or create a new permission (e.g., Write Only) which maps to a subset of the existing Write permission.
09-30-2012 08:23 PM
Is the <require> tag needed for the override to take effect, and if so, what does it need to refer to?
10-01-2012 12:49 AM
I got it to work. You will need a standard component wrapper around this but otherwise it works. Nuxeo is wonderful but does not make a good first date...
<require>org.nuxeo.ecm.core.security.SecurityService</require>
<require>org.nuxeo.ecm.core.security.defaultPermissions</require>
<extension target="org.nuxeo.ecm.core.security.SecurityService" point="permissions">
  <!-- Removed 'Remove' from Write permission -->
  <permission name="Write">
    <remove>Remove</remove>
  </permission>
</extension>
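The evaluation described in the replies above, and the effect of the permission override just posted, as a simplified model (an added example, not Nuxeo code and not written by any poster in this thread). It assumes only the Write-includes-Remove relationship and the "grants win over denies at the same level" rule stated above; the user name `jdoe` and the function names are made up for illustration.

```python
# Simplified model of the behaviour described in this thread; not Nuxeo's implementation.
# Assumption: only the Write -> Remove inclusion is modelled; real permission
# groups contain more members, and inheritance from parent folders is ignored.
DEFAULT_GROUPS = {"Write": {"Remove"}}   # default: Write includes Remove
OVERRIDDEN_GROUPS = {"Write": set()}     # after <remove>Remove</remove> on Write


def covering(permission, groups):
    """Return every permission whose grant or denial also applies to `permission`."""
    found = {permission}
    changed = True
    while changed:
        changed = False
        for group, members in groups.items():
            if group not in found and members & found:
                found.add(group)
                changed = True
    return found


def ordered(local_aces):
    """At the same level, grants are evaluated before denies (stable sort)."""
    return sorted(local_aces, key=lambda ace: not ace[2])


def check(user, permission, local_aces, groups):
    """First matching entry decides; None means no entry matched at this level."""
    wanted = covering(permission, groups)
    for ace_user, ace_permission, granted in ordered(local_aces):
        if ace_user == user and ace_permission in wanted:
            return granted
    return None


# Constructed ACL mirroring the workspace in the original question.
WORKSPACE_ACL = [
    ("jdoe", "Remove", False),  # Deny Remove
    ("jdoe", "Write", True),    # Grant Write
]

if __name__ == "__main__":
    for label, groups in (("default", DEFAULT_GROUPS), ("override", OVERRIDDEN_GROUPS)):
        for permission in ("Write", "Remove"):
            print(label, permission, check("jdoe", permission, WORKSPACE_ACL, groups))
```

With the default groups, the Grant Write entry answers the Remove check before the Deny Remove entry is reached; with the override, Write no longer covers Remove, so the Deny entry is the only one that matches.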
11-04-2019 06:12 PM
Is there some way to apply this extension to specific document types?