11-13-2019 05:45 AM
Hello there
I want to disable site delete option for all non admin users. Only admin users can delete the site. Even a non admin user who originally created the site should not be allowed to delete the site.
By following some of the similar questions in this forum, i am able to hide delete option from dashlet and header menu. But non admin user is able to delete the site via API call.
Which means it is still allowed to delete site at repo level.
How can i disable the site deletion at repo level as well? Please provide some guidance
Appreciate your kind guidance. Thanks in advance
11-13-2019 06:46 AM
Follow these steps:
1- Create site-security-model-context.xml (you can choose any meaningful name) under <ALFRESCO_HOME>/tomcat/shared/classes/alfresco/extension or at module level if you are using custom modules and applying it to the alfresco.war.
At module level it could be like;
<YOUR_CUSTOM_REPO_MODULE>/src/main/resources/alfresco/module/YOUR_CUSTOM_REPO_MODULE/context/site-security-model-context.xml
2- Add following bean definition:
<?xml version='1.0' encoding='UTF-8'?> <!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'> <beans> <bean id="SiteService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor"> <property name="authenticationManager"> <ref bean="authenticationManager" /> </property> <property name="accessDecisionManager"> <ref bean="accessDecisionManager" /> </property> <property name="afterInvocationManager"> <ref bean="afterInvocationManager" /> </property> <property name="objectDefinitionSource"> <value> org.alfresco.service.cmr.site.SiteService.cleanSitePermissions=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.createContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.GROUP_SITE_CREATORS org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_METHOD.ALFRESCO_ADMINISTRATORS org.alfresco.service.cmr.site.SiteService.findSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.getContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.listContainers=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.getMembersRole=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.getMembersRoleInfo=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.resolveSite=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.getSite=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.getSiteShortName=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.getSiteGroup=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.getSiteRoleGroup=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.getSiteRoles=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.getSiteRoot=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.hasContainer=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.hasCreateSitePermissions=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.hasSite=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.isMember=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.listMembers=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.listMembersInfo=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.listMembersPaged=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.listSiteMemberships=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.listSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.listSitesPaged=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.removeMembership=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.canAddMember=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.setMembership=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.updateSite=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.countAuthoritiesWithRole=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.isSiteAdmin=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.*=ACL_DENY </value> </property> </bean> </beans>
Notice the following line, this will allow only admin users to delete the sites.
org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_METHOD.ALFRESCO_ADMINISTRATORS
You can find documentation on topic here:
https://docs.alfresco.com/5.2/tasks/site-creation-permission.html
11-13-2019 06:46 AM
Follow these steps:
1- Create site-security-model-context.xml (you can choose any meaningful name) under <ALFRESCO_HOME>/tomcat/shared/classes/alfresco/extension or at module level if you are using custom modules and applying it to the alfresco.war.
At module level it could be like;
<YOUR_CUSTOM_REPO_MODULE>/src/main/resources/alfresco/module/YOUR_CUSTOM_REPO_MODULE/context/site-security-model-context.xml
2- Add following bean definition:
<?xml version='1.0' encoding='UTF-8'?> <!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'> <beans> <bean id="SiteService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor"> <property name="authenticationManager"> <ref bean="authenticationManager" /> </property> <property name="accessDecisionManager"> <ref bean="accessDecisionManager" /> </property> <property name="afterInvocationManager"> <ref bean="afterInvocationManager" /> </property> <property name="objectDefinitionSource"> <value> org.alfresco.service.cmr.site.SiteService.cleanSitePermissions=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.createContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.GROUP_SITE_CREATORS org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_METHOD.ALFRESCO_ADMINISTRATORS org.alfresco.service.cmr.site.SiteService.findSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.getContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.listContainers=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.getMembersRole=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.getMembersRoleInfo=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.resolveSite=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.getSite=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.getSiteShortName=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.getSiteGroup=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.getSiteRoleGroup=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.getSiteRoles=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.getSiteRoot=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.hasContainer=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.hasCreateSitePermissions=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.hasSite=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.isMember=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.listMembers=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.listMembersInfo=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.listMembersPaged=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.listSiteMemberships=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.listSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.listSitesPaged=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.site.SiteService.removeMembership=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.canAddMember=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.setMembership=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.updateSite=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.countAuthoritiesWithRole=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.isSiteAdmin=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.*=ACL_DENY </value> </property> </bean> </beans>
Notice the following line, this will allow only admin users to delete the sites.
org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_METHOD.ALFRESCO_ADMINISTRATORS
You can find documentation on topic here:
https://docs.alfresco.com/5.2/tasks/site-creation-permission.html
11-14-2019 06:38 AM
Thanks for this, it works for me.
I have one small question, can i do the same for securing create site option as well on the repository side?
i see the config present for create site as well
11-14-2019 12:38 PM
Yes, you can do that as well.
Suppose you want sites to be created by only admins then this would be the config:
org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.ALFRESCO_ADMINISTRATORS
Explore our Alfresco products with the links below. Use labels to filter content by product module.