Disable site deletion for all non admin users

bip1989
Star Contributor

Hello there

I want to disable the site delete option for all non-admin users. Only admin users can delete the site. Even a non-admin user who originally created the site should not be allowed to delete the site.
By following some of the similar questions in this forum, I am able to hide the delete option from the dashlet and header menu. But a non-admin user is able to delete the site via an API call.

Which means it is still allowed to delete the site at repo level.
How can I disable the site deletion at repo level as well? Please provide some guidance.

Appreciate your kind guidance. Thanks in advance

1 ACCEPTED ANSWER

abhinavmishra14
World-Class Innovator

Follow these steps:

1- Create site-security-model-context.xml (you can choose any meaningful name) under <ALFRESCO_HOME>/tomcat/shared/classes/alfresco/extension or at module level if you are using custom modules and applying it to the alfresco.war.

At module level it could be like:

<YOUR_CUSTOM_REPO_MODULE>/src/main/resources/alfresco/module/YOUR_CUSTOM_REPO_MODULE/context/site-security-model-context.xml

2- Add the following bean definition:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
	<bean id="SiteService_security"
		class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
		<property name="authenticationManager">
			<ref bean="authenticationManager" />
		</property>
		<property name="accessDecisionManager">
			<ref bean="accessDecisionManager" />
		</property>
		<property name="afterInvocationManager">
			<ref bean="afterInvocationManager" />
		</property>
		<property name="objectDefinitionSource">
			<value>
				org.alfresco.service.cmr.site.SiteService.cleanSitePermissions=ACL_NODE.0.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.createContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.GROUP_SITE_CREATORS
				org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_METHOD.ALFRESCO_ADMINISTRATORS
				org.alfresco.service.cmr.site.SiteService.findSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.getContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.listContainers=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.getMembersRole=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.getMembersRoleInfo=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.resolveSite=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.getSite=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.getSiteShortName=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.getSiteGroup=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.getSiteRoleGroup=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.getSiteRoles=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.getSiteRoot=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.hasContainer=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.hasCreateSitePermissions=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.hasSite=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.isMember=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.listMembers=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.listMembersInfo=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.listMembersPaged=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.listSiteMemberships=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.listSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.listSitesPaged=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.removeMembership=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.canAddMember=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.setMembership=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.updateSite=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.countAuthoritiesWithRole=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.isSiteAdmin=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.*=ACL_DENY
			</value>
		</property>
	</bean>

</beans>

Notice the following line; this will allow only admin users to delete the sites.

org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_METHOD.ALFRESCO_ADMINISTRATORS

You can find documentation on the topic here:

https://docs.alfresco.com/5.2/tasks/site-creation-permission.html

~Abhinav
(ACSCE, AWS SAA, Azure Admin)

3 REPLIES

Thanks for this, it works for me.

I have one small question: can I do the same for securing the create site option as well on the repository side?

I see the config present for create site as well.

abhinavmishra14
World-Class Innovator

Yes, you can do that as well. 

Suppose you want sites to be created by only admins, then this would be the config:

org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.ALFRESCO_ADMINISTRATORS

~Abhinav
(ACSCE, AWS SAA, Azure Admin)
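
An offline check for the configuration discussed in this thread (an added example, not code from the posters or from Alfresco): it parses the SiteService_security bean's objectDefinitionSource and reports whether deleteSite, and optionally createSite, are limited to the administrators authority used in the answers above, and whether the catch-all ACL_DENY entry is present. The function names and the trimmed sample bean are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PREFIX = "org.alfresco.service.cmr.site.SiteService."
ADMIN_ONLY = "ACL_METHOD.ALFRESCO_ADMINISTRATORS"  # value used in the answers above

# Constructed sample: the bean from the accepted answer, trimmed to four entries.
SAMPLE = """<beans>
  <bean id="SiteService_security"
        class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
    <property name="objectDefinitionSource">
      <value>
        org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.GROUP_SITE_CREATORS
        org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_METHOD.ALFRESCO_ADMINISTRATORS
        org.alfresco.service.cmr.site.SiteService.updateSite=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.*=ACL_DENY
      </value>
    </property>
  </bean>
</beans>"""

def parse_rules(xml_text, bean_id="SiteService_security"):
    """Return {method name: [security attributes]} for the interceptor bean."""
    for bean in ET.fromstring(xml_text).iter("bean"):
        if bean.get("id") != bean_id:
            continue
        for prop in bean.findall("property"):
            if prop.get("name") != "objectDefinitionSource":
                continue
            rules = {}
            for line in (prop.findtext("value") or "").splitlines():
                name, sep, attrs = line.strip().partition("=")
                if sep and name.startswith(PREFIX):
                    rules[name[len(PREFIX):]] = [a.strip() for a in attrs.split(",")]
            return rules
    raise ValueError(f"bean {bean_id!r} with objectDefinitionSource not found")

def audit(rules, admin_only=("deleteSite",)):
    """List deviations from the policy described in the thread."""
    findings = []
    for method in admin_only:
        if rules.get(method) != [ADMIN_ONLY]:
            findings.append(f"{method}: {rules.get(method)} is not {ADMIN_ONLY}")
    if rules.get("*") != ["ACL_DENY"]:
        findings.append("missing catch-all SiteService.*=ACL_DENY")
    return findings

if __name__ == "__main__":
    print(audit(parse_rules(SAMPLE)))                                # delete only
    print(audit(parse_rules(SAMPLE), ("deleteSite", "createSite")))  # delete + create
```

Run it against the deployed context file before restarting the repository; an empty list means the entries match the policy, and passing both method names checks the create-site restriction from the last reply as well.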