Another Stranger Me

my comments, my projects, my resources…

Deny delete permission to space owner in Alfresco

If you are the guy/girl responsible for implementing the permissions model for your business case, you might find yourself in trouble. Let us imagine a scenario where the business case states that certain users should be able to create new content but not be able to delete anything. That's the easy one, you'll likely say, and assign the Contributor role to those users.

Let's check the Contributor role definition from the Alfresco wiki:

Contributor
Includes the Consumer permission group and adds AddChildren and CheckOut.
They will, by default, own anything they create and have the ROLE_OWNER authority.

Hm, ROLE_OWNER looks suspicious:

“FullControl” granted to “ROLE_OWNER”
The owner (as defined by the ownable aspect, or, if the aspect is not present the node creator) is allowed all rights. This interacts with contributor for cm:content. They only need the right to create content in the default set up; all other rights come from the fact that they own the nodes they create.

To sum up the above: users that are just Contributors can delete everything they create, and you likely don't want that.

So what can we do to fix this? There are two options, and both have certain drawbacks.

Method 1: Edit permissionDefinitions.xml

Add a new permissionGroup definition somewhere near the top of the model/permissionDefinitions.xml file and include the permission groups it should grant according to your needs:

<permissionGroup name="FullWithoutDelete" allowFullControl="false" expose="false">
    <includePermissionGroup type="sys:base" permissionGroup="Read"/>
    <includePermissionGroup type="sys:base" permissionGroup="Write"/>
    <includePermissionGroup type="sys:base" permissionGroup="AddChildren"/>
    <includePermissionGroup type="sys:base" permissionGroup="Execute"/>
</permissionGroup>

then find:

<globalPermission permission="FullControl" authority="ROLE_OWNER"/>

and change it to:

<globalPermission permission="FullWithoutDelete" authority="ROLE_OWNER"/>

Notice that this takes away delete permission from owners on ALL content in the repository, unless they are explicitly granted the appropriate permissions on a space. Drawback: you are messing with the core Alfresco configuration, which may have unexpected consequences, although I haven't seen any with the above in a production setup at one of the clients.
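Before shipping the change above it is worth checking what ROLE_OWNER can actually reach through the group it is granted. The following is an added example, not code from this post or from Alfresco: a small Python audit that parses a constructed permissionDefinitions.xml fragment in the shape of the snippets above, resolves includePermissionGroup references transitively, and flags any globalPermission for ROLE_OWNER that reaches a delete group or a group with allowFullControl="true". The names in DELETE_GROUPS, the leaf groups, the FullControl group and the <permissions> root are assumptions about the file layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the snippet above. The leaf groups, the
# allowFullControl="true" FullControl group and the <permissions> root are
# assumptions about the file layout, not quoted from the post.
SAMPLE_TEMPLATE = """<permissions>
  <permissionSet type="sys:base" expose="all">
    <permissionGroup name="Read" allowFullControl="false" expose="true"/>
    <permissionGroup name="Write" allowFullControl="false" expose="true"/>
    <permissionGroup name="AddChildren" allowFullControl="false" expose="true"/>
    <permissionGroup name="Execute" allowFullControl="false" expose="true"/>
    <permissionGroup name="Delete" allowFullControl="false" expose="true"/>
    <permissionGroup name="FullControl" allowFullControl="true" expose="true"/>
    <permissionGroup name="FullWithoutDelete" allowFullControl="false" expose="false">
      <includePermissionGroup type="sys:base" permissionGroup="Read"/>
      <includePermissionGroup type="sys:base" permissionGroup="Write"/>
      <includePermissionGroup type="sys:base" permissionGroup="AddChildren"/>
      <includePermissionGroup type="sys:base" permissionGroup="Execute"/>
    </permissionGroup>
  </permissionSet>
  <globalPermission permission="{owner_group}" authority="ROLE_OWNER"/>
</permissions>"""

# Group names treated as granting delete (assumed; adjust to your model).
DELETE_GROUPS = {"Delete", "DeleteNode", "DeleteChildren"}

def group_grants_delete(groups, name, seen=frozenset()):
    """True if `name` is a delete group, allows full control, or transitively
    includes a group that does; `seen` guards against include cycles."""
    group = groups.get(name)
    if group is None or name in seen:
        return False
    if name in DELETE_GROUPS or group.get("allowFullControl") == "true":
        return True
    return any(group_grants_delete(groups, inc.get("permissionGroup"), seen | {name})
               for inc in group.findall("includePermissionGroup"))

def owner_can_delete(xml_text, authority="ROLE_OWNER"):
    """True if any globalPermission granted to `authority` reaches delete."""
    root = ET.fromstring(xml_text)
    # Simplification: group names assumed unique across permissionSets.
    groups = {g.get("name"): g for g in root.iter("permissionGroup")}
    return any(group_grants_delete(groups, gp.get("permission"))
               for gp in root.iter("globalPermission") if gp.get("authority") == authority)

def audit(owner_group):
    """Render the sample with ROLE_OWNER mapped to `owner_group` and audit it."""
    return owner_can_delete(SAMPLE_TEMPLATE.format(owner_group=owner_group))
```

Running audit("FullControl") reports True (the stock mapping), while audit("FullWithoutDelete") reports False, which is the state you want after the edit; point owner_can_delete at your real file to verify the change survived an upgrade.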

Method 2: Ownable aspect

There is one other option that I think is better than messing with the core Alfresco configs. You can create a rule on the top-level space that adds the cm:ownable aspect to whatever content you want. By default, if the ownable aspect (i.e. the cm:owner property) is not present, which is the case when adding new content on a clean configuration, then the cm:creator property is used to determine the owner.

So when you add content and the rule gets triggered, the document receives the ownable aspect with the cm:owner property empty. This in effect removes delete permission from the cm:creator, who is no longer the owner because cm:owner is empty!

Note that adding aspects is exposed in the rules wizard, though you might need to modify web-client-config-custom.xml to expose the cm:ownable aspect in it.

Drawback: it is inconvenient if you already have a huge repository, since you likely won't be able to apply this action to the entire repository. However, I recommend it if you start with a clean repository and have done proper planning.

7 Comments

  1. I've been trying to apply the second approach on my 3.2, but I can't seem to find the proper way to expose cm:ownable through web-client-config-custom.xml so that it shows in the Action Wizard. Could you show me how you did it?

  2. Hi,

    you need a piece of code like:

    <config evaluator="string-compare" condition="Action Wizards">
        <aspects>
            <aspect name="cm:ownable" />
        </aspects>
    </config>

  3. Hi,

    I used Method 1 which you have explained. But this setting is not working inside the home space of the user. Inside the home folder, the owner still has the delete permission. Could you please help me? I am using Alfresco ECM 3.2.

    Thanks in advance.

  4. How can I set permissions on the space such that a user cannot move a directory into another directory? For example, I have user matt as an Editor on space Company\Dept1 and on Company\Dept2 — when viewing the space as a CIFS drive, user matt can still “drag and drop” space Dept1 into Dept2, or vice versa. All this, and yet user matt is not able to upload content or delete content from either space. This doesn't make sense. Any info would be greatly appreciated!!

  5. This looks like a bug to me.

  6. I’ve created an issue for this on Alfresco JIRA. Thanks.

  7. Thanks for your good topic.

    The problem is that Alfresco throws an error once an owner tries to delete the space, but the space is still deleted! Did anyone fix it successfully? I am using 3.4.d.


© 2017 Another Stranger Me
