
Creating Custom Roles and Permission for certain Scenario

piyush48
Star Contributor

Hi All,

I want to make Custom Roles and Permissions for the Following Scenario:-

1. Users should be able to Search, View metadata, content but not Comment.

2. Users should be able to Search, View metadata only but not Content.

Since I am using SDK 3.0 and am new to the topic, please provide me with the path of the permissions definition.xml file where I should make changes, and what changes I should make for my above scenario to work completely.

Thanks and Regards,

Piyush Patel.

6 REPLIES

EddieMay
World-Class Innovator

Hi @piyush48,

Permissions and roles documentation is here. There is also a reminder of good practice for adding custom permissions and roles from @jpotts here.

That said, there is an important caveat about the limitations inherent in Share outlined by @afaust here. The requirement this user had looks similar to what you are trying to achieve.

HTH,

Digital Community Manager, Alfresco Software.

Hi @EddieMay ,

Thanks for providing me the correct approach, but how can I disable comments, which I described in the first scenario?

My custom Permission file is like this:--

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE permissions >
<permissions>
    <namespaces>
        <namespace uri="http://www.alfresco.org/model/system/1.0" prefix="sys"/>
        <namespace uri="http://www.alfresco.org/model/content/1.0" prefix="cm"/>
        <namespace uri="http://www.alfresco.org/model/content/1.0" prefix="acme"/>
    </namespaces>

    <permissionSet type="sys:base" expose="selected">
        <permissionGroup name="DisableComments" requiresType="false" expose="true">
            <includePermissionGroup permissionGroup="DeleteChildren" type="sys:base" />
        </permissionGroup>

        <permission name="_DisableComments" expose="false" >
            <grantedToGroup permissionGroup="DisableComments" />
        </permission>
    </permissionSet>

    <permissionSet type="sys:base" expose="selected">
        <permissionGroup name="newcustomer" allowFullControl="false" expose="true" extends="true" >
            <includePermissionGroup type="sys:base" permissionGroup="Read"/>
            <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
            <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
            <includePermissionGroup type="sys:base" permissionGroup="DisableComments"/>
        </permissionGroup>
    </permissionSet>
</permissions>

And my bean file, that is the context file, is like:-

<?xml version='1.0' encoding='UTF-8'?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">

    <!-- The bootstrap-context.xml file is used for patch definitions, importers, 
		 workflow, and loading custom content models.  -->

    <!-- Registration of new models -->
    <bean id="custom_permissionDefinition" parent="permissionModelBootstrap">
        <property name="model"
                value="alfresco/module/${project.artifactId}/model/customPermissionDefinitions.xml"/>        
        
    </bean>
</beans>



After Executing all and running my SDK 3.0:--

2020-04-21 20:31:30,385 ERROR [org.springframework.web.context.ContextLoader] [localhost-startStop-1] Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'custom_permissionDefinition' defined in class path resource [alfresco/module/customrole-platform-jar/context/custom-context.xml]: Invocation of init method failed; nested exception is org.alfresco.repo.security.permissions.impl.model.PermissionModelException: 03210000 There is no parent for permission group :{http://www.alfresco.org/model/system/1.0}base newcustomer

and other error is like:-

2020-04-22 11:57:27,736 ERROR [org.springframework.web.context.ContextLoader] [localhost-startStop-1] Context initialization failed
java.lang.StackOverflowError

Thanks and Regards,

Piyush

Please could anyone help me out with disabling comments through permissions for a new group of users.

I have posted my permission definition file above, as per my understanding.

Thanks,

Piyush

afaust
Legendary Innovator

You will not be able to (properly / 100%) disable commenting by using custom permissions. From an API and ACL / permission check perspective, there is nothing inherently different between adding a comment and adding a new file. The underlying operation only checks for the "AddChildren" / "CreateChildren" default permissions. Even if you were to implement a custom permission for "CreateComment", the underlying operation would not be granular enough to differentiate between different "CreateXY" use cases.

Furthermore, a permission called "DisableComments" does not make sense from a semantical point of view. Permissions are always allowances to perform something, so a permission should never be named in the negative. There should be a permission "CreateComment" which all users may have by default, but could be explicitly denied to others, to "disable" that functionality. Unfortunately, Alfresco Share (and I believe ADF / ACA / ADW as well) does not support negative permissions (which Alfresco core does support), so you could not really assign / revoke the permission in any meaningful way.

You could certainly hack something together which works using the negatively framed permission "DisableComments" and some behaviours, but it would not be a very "clean" solution. And you'd still need to customise the UI to actually disable / remove the default commenting controls in some way, since these will not check your negative permission, only the "CreateChildren" / "AddChildren" ones.

With regards to your custom permission model: You are defining a custom permission model for default Alfresco namespaces. Alfresco itself already provides a permission model for those, and I assume your configuration runs into conflict with this, causing weird side effects (the StackOverflowError), since I doubt Alfresco has put in place any special guards to avoid developers overriding their core permissions, which they clearly did not expect anyone to do that way. Typically, custom permission models can only be defined for custom content models / namespaces, and thus custom types and aspects.

piyush48
Star Contributor

Thanks @afaust it was a great help and I understand the concept.

Since I give the user a customer permission that is "Read", the user will not be able to comment, but how can I hide comments of other users from him (hiding view of comments)?

Thanks,

Piyush

afaust
Legendary Innovator

The only reliable and supported way to deal with this would be to have some kind of automated custom logic (behaviour / rule) ensure that you disable permission inheritance on the comment "forum" (each document contains a child element of a "forum" node type which aggregates all comments) of the document, and only carry over those roles from the document which you want to provide access to the comments. Unfortunately, that can become quite complex when permissions are changed on the document or any of the parents from which it inherits documents afterwards, as there is no official Alfresco-supported policy to react to permission changes (there technically is a policy, but it is not marked as part of official / supported APIs).

There is another potential approach using dynamic authorities which would not require to change anything with the default permissions or permission inheritance, but since it affects the Read permission, adding a custom dynamic authority to control that would implicitly disable permission check optimisations for ACL checks, especially for SOLR queries. And dynamic authorities are also not marked as part of official / supported APIs, and there is no good API to register custom ones without overriding default Alfresco Spring XML config.

In general, messing with the very basic Read permission, especially with some kind of conditionals based on type, is one of the hardest things to get "right" - you are typically torn between "using only supported API", "not interfering with system performance" and "as simple as possible (to develop / to use)", and you can only achieve one or two out of the three.
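
The behaviour approach described in the reply above, as an added example (not code from the thread or from Alfresco): when a comment forum is created under a document, it switches off permission inheritance on the forum and copies over only selected roles. The class name and the role list are assumptions; it covers forum creation only, not the later permission changes on the document or its parents that the reply warns about.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.alfresco.model.ForumModel;
import org.alfresco.repo.node.NodeServicePolicies;
import org.alfresco.repo.policy.JavaBehaviour;
import org.alfresco.repo.policy.PolicyComponent;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessPermission;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService;

// Hypothetical class: limits who can read the comment forum of a document.
public class CommentForumAclBehaviour implements NodeServicePolicies.OnCreateNodePolicy {
    // Assumption: roles on the document that keep access to its comments.
    private static final Set<String> COMMENT_ROLES =
            new HashSet<>(Arrays.asList("Coordinator", "Collaborator", "Contributor", "Editor"));
    private PolicyComponent policyComponent;
    private PermissionService permissionService;

    public void setPolicyComponent(PolicyComponent p) { this.policyComponent = p; }
    public void setPermissionService(PermissionService p) { this.permissionService = p; }

    // Spring init-method: run onCreateNode for every newly created fm:forum node.
    public void init() {
        policyComponent.bindClassBehaviour(NodeServicePolicies.OnCreateNodePolicy.QNAME,
                ForumModel.TYPE_FORUM, new JavaBehaviour(this, "onCreateNode"));
    }

    @Override
    public void onCreateNode(ChildAssociationRef assoc) {
        // Only comment forums: the child of a document via the fm:discussion association.
        if (!ForumModel.ASSOC_DISCUSSION.equals(assoc.getTypeQName())) return;
        final NodeRef doc = assoc.getParentRef();
        final NodeRef forum = assoc.getChildRef();
        AuthenticationUtil.runAsSystem(() -> {
            // Read the document's effective ACL first, then cut inheritance on the forum.
            Set<AccessPermission> acl = permissionService.getAllSetPermissions(doc);
            permissionService.setInheritParentPermissions(forum, false);
            for (AccessPermission ace : acl) {
                boolean allowed = ace.getAccessStatus() == AccessStatus.ALLOWED;
                if (allowed && COMMENT_ROLES.contains(ace.getPermission())) {
                    // Re-grant the role directly on the forum for the same authority.
                    permissionService.setPermission(forum, ace.getAuthority(), ace.getPermission(), true);
                }
            }
            return null;
        });
    }
}
```

Authorities holding only a read-only role on the document (for example Consumer, or a custom read-only group) receive no entry on the forum and so cannot read the comments. The bean must be registered in a Spring context with `init-method="init"` and the two services injected.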