Now that i've taken some time to investigate how to achieve custom permissions, i'll write down my findings.
My goal is to setup two custom permissions, one called "WriteOnly" which allows a user to write new content without being able to see other files, and a site role called "Commentator" that basically has the same rights than a Contributor, except that he can't accept or approve simple workflows.
So here's my full setup:
Extract (using unzip) the file <zip_path>/alfresco/model/permissionDefinitions.xml from <alfresco_path>/tomcat/webapps/alfresco/WEB-INF/lib/alfresco-repository-5.0.d.jar
Copy it to <alfresco_path>/tomcat/shared/classes/alfresco/extensions/model/permissionDefinitions.xml (if model directory doesn't exist, create it).
We'll add some dummy low level permission "WorkFlowPermissions" to the file which should then look like
We'll also add this permission to the following bloc:
Now we have to add this dummy permission to every role we want to allow to approve / reject workflows.
Note that i also added two new roles, which are "Commentator" and "WriteOnly".
Role "Commentator" has basically the same rights as "Contributor", except for the WorkFlowPermissions we created.
Role "WriteOnly" has only write permissions based on low level perms.
Finally, we need to expose these roles to the GUI so they can be used.
Now that we've setup new permissions, we need to allow them to be exposed to the site UI.
In the extracted zip file, you'll find file <zip_path>/alfresco/models/sitePermissionDefinitions.xml which you must copy to <alfresco_path>/tomcat/shared/classes/alfresco/extensions/model
Modify it and add the two new created roles like:
We'll need to create a ressource file called <alfresco_path>/tomcat/shared/classes/alfresco/web-extension/messages/invitation-service.properties containing the following:
The ressource file will be loaded by the following bootstrap file <alfresco_path>/tomcat/shared/classes/alfresco/web-extension/invitation-service-context.xml
Another ressource file <alfresco_path>/tomcat/shared/classes/alfresco/web-extension/messages/slingshot.properties needs to be created containing
Finally, copy the file <alfresco_path>/tomcat/shared/classes/alfresco/web-extension/custom-slingshot-application-context.xml.sample to custom-slingshot-application-context.xml and edit by adding the following bean definition
Both files permissionDefinitions.xml and sitePermissionDefinitions.xml have to be loaded by a bootstrap file <alfresco_path>/tomcat/shared/classes/alfresco/extensions/custom-permissions-context.xml containing
From here, the role WriteOnly exists and works.
Now we need to restrict "approve" and "reject" to roles that have the WorkFlowPermissions permission.
Open file <alfresco_path>/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml to edit the config bloc that should look like
This will not prevent the menu from showing up, but will restrict it's usage.
Here's a quick list of action indexes you can add permissions to:
Note: if someone has found a better way to also hide the menu, please be my guest and comment
Fix for already existing sites:
Download the file https://issues.alfresco.com/jira/secure/attachment/54733/fixsiteauthorities.zip and extract it to <alfresco_path>/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/fixsiteauthorities (create the path [..]/templates/webscripts/fixsiteauthorities)
Restart Alfresco and go to the following URI
http://your_alfresco_url
ort/alfresco/s/index/package/fixsiteauthorities
You can then fix a site like "testsite" to add both groups we created earlier by going to the following URIs
http://your_alfresco_urlort/alfresco/s/fixsiteauthorities?customgroup=SiteWriteOnly&sitename=testsit...
http://your_alfresco_urlort/alfresco/s/fixsiteauthorities?customgroup=SiteCommentator&sitename=tests...
Note: I guess this howto could be improved for multilanguage support too, please feel free to help it become better.
Regards,
Ozy.
My goal is to setup two custom permissions, one called "WriteOnly" which allows a user to write new content without being able to see other files, and a site role called "Commentator" that basically has the same rights than a Contributor, except that he can't accept or approve simple workflows.
So here's my full setup:
Extract (using unzip) the file <zip_path>/alfresco/model/permissionDefinitions.xml from <alfresco_path>/tomcat/webapps/alfresco/WEB-INF/lib/alfresco-repository-5.0.d.jar
Copy it to <alfresco_path>/tomcat/shared/classes/alfresco/extensions/model/permissionDefinitions.xml (if model directory doesn't exist, create it).
We'll add some dummy low level permission "WorkFlowPermissions" to the file which should then look like
<!– Groups for low level permissions –>
<permissionGroup name="ReadProperties" expose="true" allowFullControl="false" />
<permissionGroup name="ReadChildren" expose="true" allowFullControl="false" />
<permissionGroup name="WriteProperties" expose="true" allowFullControl="false" />
<permissionGroup name="ReadContent" expose="false" allowFullControl="false" />
<permissionGroup name="WriteContent" expose="false" allowFullControl="false" />
<permissionGroup name="ExecuteContent" expose="false" allowFullControl="false" />
<permissionGroup name="DeleteNode" expose="true" allowFullControl="false" />
<permissionGroup name="DeleteChildren" expose="true" allowFullControl="false" />
<permissionGroup name="CreateChildren" expose="true" allowFullControl="false" />
<permissionGroup name="LinkChildren" expose="true" allowFullControl="false" />
<permissionGroup name="DeleteAssociations" expose="true" allowFullControl="false" />
<permissionGroup name="ReadAssociations" expose="true" allowFullControl="false" />
<permissionGroup name="CreateAssociations" expose="true" allowFullControl="false" />
<permissionGroup name="ReadPermissions" expose="true" allowFullControl="false" />
<permissionGroup name="ChangePermissions" expose="true" allowFullControl="false" />
<!– MOD OZY: Permission to start a Workflow –>
<permissionGroup name="WorkFlowPermissions" expose="true" allowFullControl="false" />
We'll also add this permission to the following bloc:
<!– ==================================================== –>
<!– Permissions related to the management of permissions –>
<!– ==================================================== –>
<!– The permission to read the permissions on a node –>
<permission name="_ReadPermissions" expose="false" >
<grantedToGroup permissionGroup="ReadPermissions" />
<!– Commented out parent permission check …
<requiredPermission on="parent" name="_ReadChildren" implies="false"/>
–>
</permission>
<!– The permission to the change the permissions associated with a node –>
<permission name="_ChangePermissions" expose="false" >
<grantedToGroup permissionGroup="ChangePermissions" />
<!– Commented out parent permission check …
<requiredPermission on="parent" name="_ReadChildren" implies="false"/>
–>
</permission>
<!– ======================================= –>
<!– MOD OZY: Permission to start a WorkFlow –>
<!– ======================================= –>
<permission name="_WorkFlowPermissions" expose="false" >
<grantedToGroup permissionGroup="WorkFlowPermissions" />
</permission>
Now we have to add this dummy permission to every role we want to allow to approve / reject workflows.
Note that i also added two new roles, which are "Commentator" and "WriteOnly".
Role "Commentator" has basically the same rights as "Contributor", except for the WorkFlowPermissions we created.
Role "WriteOnly" has only write permissions based on low level perms.
<!– ================================================ –>
<!– Permissions available to all content and folders –>
<!– ================================================ –>
<permissionSet type="cm:cmobject" expose="selected">
<!– Kept for backward compatibility - the administrator permission has –>
<!– been removed to avoid confusion –>
<permissionGroup name="Administrator" allowFullControl="true" expose="false">
<!– MOD OZY: Add WorkFlow permission because it's needed to allow action id –>
<includePermissionGroup permissionGroup="WorkFlowPermissions" type="sys:base" />
</permissionGroup>
<!– A coordinator can do anything to the object or its children unless the –>
<!– permissions are set not to inherit or permission is denied. –>
<permissionGroup name="Coordinator" allowFullControl="true" expose="true">
<!– MOD OZY: Add WorkFlow permission because it's needed to allow action id –>
<includePermissionGroup permissionGroup="WorkFlowPermissions" type="sys:base" />
</permissionGroup>
<!– A collaborator can do anything that an editor and a contributor can do –>
<permissionGroup name="Collaborator" allowFullControl="false" expose="true">
<includePermissionGroup permissionGroup="Editor" type="cm:cmobject" />
<includePermissionGroup permissionGroup="Contributor" type="cm:cmobject" />
<!– MOD OZY: Add WorkFlow permission because it's needed to allow action id –>
<includePermissionGroup permissionGroup="WorkFlowPermissions" type="sys:base" />
</permissionGroup>
<!– A contributor can create content and then they have full permission on what –>
<!– they have created - via the permissions assigned to the owner. –>
<permissionGroup name="Contributor" allowFullControl="false" expose="true" >
<!– Contributor is a consumer who can add content, and then can modify via the –>
<!– owner permissions. –>
<includePermissionGroup permissionGroup="Consumer" type="cm:cmobject"/>
<includePermissionGroup permissionGroup="AddChildren" type="sys:base"/>
<includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />
<!– MOD OZY: Add WorkFlow permission because it's needed to allow action id –>
<includePermissionGroup permissionGroup="WorkFlowPermissions" type="sys:base" />
</permissionGroup>
<!– An editor can read and write to the object; they can not create –>
<!– new nodes. They can check out content into a space to which they have –>
<!– create permission. –>
<permissionGroup name="Editor" expose="true" allowFullControl="false" >
<includePermissionGroup type="cm:cmobject" permissionGroup="Consumer"/>
<includePermissionGroup type="sys:base" permissionGroup="Write"/>
<includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>
<includePermissionGroup type="sys:base" permissionGroup="ReadPermissions"/>
</permissionGroup>
<!– The Consumer permission allows read to everything by default. –>
<permissionGroup name="Consumer" allowFullControl="false" expose="true" >
<includePermissionGroup permissionGroup="Read" type="sys:base" />
</permissionGroup>
<!– MOD OZY: Commentator permission is same as Contributor except i didn't add workflow permissions –>
<permissionGroup name="Commentator" allowFullControl="false" expose="true" >
<includePermissionGroup permissionGroup="Consumer" type="cm:cmobject"/>
<includePermissionGroup permissionGroup="AddChildren" type="sys:base"/>
<includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />
</permissionGroup>
<!– MOD OZY: Document Library permission for uploads only –>
<permissionGroup name="WriteOnly" allowFullControl="false" expose="true" >
<includePermissionGroup permissionGroup="Write" type="sys:base" />
<includePermissionGroup permissionGroup="AddChildren" type="sys:base" />
</permissionGroup>
<!– records permission –>
<!– Should be tied to the aspect –>
<!– ownership should be removed when using this permission –>
<permissionGroup name="RecordAdministrator" allowFullControl="false" expose="false">
<includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
<includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
<includePermissionGroup type="sys:base" permissionGroup="WriteProperties"/>
<includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
<includePermissionGroup type="sys:base" permissionGroup="DeleteChildren"/>
<includePermissionGroup type="sys:base" permissionGroup="CreateChildren"/>
<includePermissionGroup type="sys:base" permissionGroup="LinkChildren"/>
<includePermissionGroup type="sys:base" permissionGroup="DeleteAssociations"/>
<includePermissionGroup type="sys:base" permissionGroup="CreateAssociations"/>
<!– MOD OZY: Add WorkFlow permission because it's needed to allow action id –>
<includePermissionGroup permissionGroup="WorkFlowPermissions" type="sys:base" />
</permissionGroup>
</permissionSet>
Finally, we need to expose these roles to the GUI so they can be used.
<!– =============================== –>
<!– Permissions specific to content –>
<!– =============================== –>
<permissionSet type="cm:content" expose="selected">
<!– Content specific roles. –>
<permissionGroup name="Coordinator" extends="true" expose="true"/>
<permissionGroup name="Collaborator" extends="true" expose="true"/>
<permissionGroup name="Contributor" extends="true" expose="true"/>
<permissionGroup name="Editor" extends="true" expose="true"/>
<permissionGroup name="Consumer" extends="true" expose="true"/>
<permissionGroup name="RecordAdministrator" extends="true" expose="false"/>
<!– MOD OZY: Expose Commentator Permission on content –>
<permissionGroup name="Commentator" extends="true" expose="true"/>
<!– MOD OZY: Expose WriteOnly Permission on content –>
<permissionGroup name="WriteOnly" extends="true" expose="true"/>
</permissionSet>
<permissionSet type="cm:folder" expose="selected">
<!– Content folder specific roles. –>
<permissionGroup name="Coordinator" extends="true" expose="true"/>
<permissionGroup name="Collaborator" extends="true" expose="true"/>
<permissionGroup name="Contributor" extends="true" expose="true"/>
<permissionGroup name="Editor" extends="true" expose="true"/>
<permissionGroup name="Consumer" extends="true" expose="true"/>
<permissionGroup name="RecordAdministrator" extends="true" expose="false"/>
<!– MOD OZY: Expose Commentator Permission on folders –>
<permissionGroup name="Commentator" extends="true" expose="true"/>
<!– MOD OZY: Expose WriteOnly Permission on folders –>
<permissionGroup name="WriteOnly" extends="true" expose="true"/>
</permissionSet>
Now that we've setup new permissions, we need to allow them to be exposed to the site UI.
In the extracted zip file, you'll find file <zip_path>/alfresco/models/sitePermissionDefinitions.xml which you must copy to <alfresco_path>/tomcat/shared/classes/alfresco/extensions/model
Modify it and add the two new created roles like:
<!– ============================================ –>
<!– Permissions specific to the wiki integration –>
<!– ============================================ –>
<permissionSet type="st:site" expose="selected">
<permissionGroup name="SiteManager" allowFullControl="true" expose="true" />
<permissionGroup name="SiteCollaborator" allowFullControl="false" expose="true">
<includePermissionGroup permissionGroup="Collaborator" type="cm:cmobject" />
</permissionGroup>
<permissionGroup name="SiteContributor" allowFullControl="false" expose="true">
<includePermissionGroup permissionGroup="Contributor" type="cm:cmobject" />
</permissionGroup>
<permissionGroup name="SiteConsumer" allowFullControl="false" expose="true">
<includePermissionGroup permissionGroup="Consumer" type="cm:cmobject" />
<includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />
</permissionGroup>
<!– MOD OZY: Expose SiteCommentator –>
<permissionGroup name="SiteCommentator" allowFullControl="false" expose="true">
<includePermissionGroup permissionGroup="Commentator" type="cm:cmobject" />
</permissionGroup>
<!– MOD OZY: Expose SiteWriteOnly –>
<permissionGroup name="SiteWriteOnly" allowFullControl="false" expose="true">
<includePermissionGroup permissionGroup="Write" type="sys:base" />
<includePermissionGroup permissionGroup="AddChildren" type="sys:base" />
</permissionGroup>
</permissionSet>
We'll need to create a ressource file called <alfresco_path>/tomcat/shared/classes/alfresco/web-extension/messages/invitation-service.properties containing the following:
invitation.invitesender.email.role.SiteWriteOnly=Write Only
invitation.invitesender.email.role.SiteCommentator=Commentator
The ressource file will be loaded by the following bootstrap file <alfresco_path>/tomcat/shared/classes/alfresco/web-extension/invitation-service-context.xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
<bean id="invitationResourceBundles" class="org.alfresco.i18n.ResourceBundleBootstrapComponent">
<property name="resourceBundles">
<list>
<value>alfresco.web-extension.messages.invitation-service</value>
</list>
</property>
</bean>
</beans>
Another ressource file <alfresco_path>/tomcat/shared/classes/alfresco/web-extension/messages/slingshot.properties needs to be created containing
## Custom roles
role.SiteWriteOnly=Write Only
role.SiteCommentator=Commentator
Finally, copy the file <alfresco_path>/tomcat/shared/classes/alfresco/web-extension/custom-slingshot-application-context.xml.sample to custom-slingshot-application-context.xml and edit by adding the following bean definition
<bean id="webscripts.resources" class="org.springframework.extensions.surf.util.ResourceBundleBootstrapComponent">
<property name="resourceBundles">
<list>
<value>alfresco.messages.common</value>
<value>alfresco.messages.slingshot</value>
<value>alfresco.web-extension.messages.slingshot</value>
</list>
</property>
</bean>
Both files permissionDefinitions.xml and sitePermissionDefinitions.xml have to be loaded by a bootstrap file <alfresco_path>/tomcat/shared/classes/alfresco/extensions/custom-permissions-context.xml containing
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
<bean id="CustomPerm_permissionBootstrap" parent="permissionModelBootstrap">
<property name="model" value="alfresco/extension/model/permissionDefinitions.xml"/>
</bean>
<bean id="CustomSitePerm_permissionBootstrap" parent="permissionModelBootstrap">
<property name="model" value="alfresco/extension/model/sitePermissionDefinitions.xml"/>
</bean>
</beans>
From here, the role WriteOnly exists and works.
Now we need to restrict "approve" and "reject" to roles that have the WorkFlowPermissions permission.
Open file <alfresco_path>/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml to edit the config bloc that should look like
<!– Custom DocLibActions config section –>
<config evaluator="string-compare" condition="DocLibActions">
<actionGroups>
<actionGroup id="document-browse">
<!– Simple Repo Actions –>
<!–
<action index="340" id="document-extract-metadata" />
<action index="350" id="document-increment-counter" />
–>
<!– Dialog Repo Actions –>
<!–
<action index="360" id="document-transform" />
<action index="370" id="document-transform-image" />
<action index="380" id="document-execute-script" />
–>
<action index="160" id="document-approve">
<permissions>
<permission allow="true">WorkFlowPermissions</permission>
</permissions>
</action>
<action index="170" id="document-reject">
<permissions>
<permission allow="true">WorkFlowPermissions</permission>
</permissions>
</action>
</actionGroup>
</actionGroups>
</config>
This will not prevent the menu from showing up, but will restrict it's usage.
Here's a quick list of action indexes you can add permissions to:
<actionGroup id="document-details">
<action index="100" id="document-download" />
<action index="110" id="document-view-content" />
<action index="120" id="document-edit-metadata" /
<action index="130" id="document-upload-new-version" />
<action index="140" id="document-view-original" />
<action index="150" id="document-view-working-copy" />
<action index="160" id="document-approve" />
<action index="170" id="document-reject" />
<action index="180" id="document-inline-edit" />
<action index="190" id="document-edit-online" />
<action index="200" id="document-edit-offline" />
<action index="210" id="document-view-googledoc" />
<action index="220" id="document-checkout-to-googledocs" />
<action index="230" id="document-checkin-from-googledocs" />
<action index="240" id="document-copy-to" />
<action index="250" id="document-move-to" />
<action index="260" id="document-delete" />
<action index="270" id="document-assign-workflow" />
<action index="280" id="document-cancel-editing" />
<action index="290" id="document-manage-site-permissions" />
<action index="300" id="document-manage-repo-permissions" />
<action index="310" id="document-manage-aspects" />
<action index="320" id="document-change-type" />
<action index="330" id="document-view-in-source-repository" />
<action index="340" id="document-publish" />
<action index="350" id="document-view-googlemaps" />
</actionGroup>
Note: if someone has found a better way to also hide the menu, please be my guest and comment
Fix for already existing sites:
Download the file https://issues.alfresco.com/jira/secure/attachment/54733/fixsiteauthorities.zip and extract it to <alfresco_path>/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/fixsiteauthorities (create the path [..]/templates/webscripts/fixsiteauthorities)
Restart Alfresco and go to the following URI
http://your_alfresco_url
ort/alfresco/s/index/package/fixsiteauthoritiesYou can then fix a site like "testsite" to add both groups we created earlier by going to the following URIs
http://your_alfresco_url
ort/alfresco/s/fixsiteauthorities?customgroup=SiteWriteOnly&sitename=testsit...http://your_alfresco_url
ort/alfresco/s/fixsiteauthorities?customgroup=SiteCommentator&sitename=tests...Note: I guess this howto could be improved for multilanguage support too, please feel free to help it become better.
Regards,
Ozy.
