Alfresco 4 Enterprise Content Management Implementation
上QQ阅读APP看书,第一时间看更新
上一章目录下一章

Extending security permissions and roles

Out-of-the-box Alfresco supports an extensive set of permissions to provide security controls. Alfresco supports a set of roles by grouping these permissions. The security permissions and roles can be extended. However, before extending the permissions and roles, you need to evaluate and understand existing permissions and roles and justify the decision for extending them.

Default permissions

Alfresco supports a number of permissions to access the spaces, content, their properties, and so on. The following are some of the permissions for spaces:

  • ReadProperties: Read space properties
  • ReadChildren: Read the content within a space
  • WriteProperties: Update properties such as title, description
  • DeleteNode: Delete space
  • DeleteChildren: Delete content and subspaces within a space
  • CreateChildren: Create content within a space

The following are some of the permissions for content items:

  • ReadContent: Read file
  • WriteContent: Update file
  • ReadProperties: Read file properties
  • WriteProperties: Update file properties such as title, description etc
  • DeleteNode: Delete file
  • ExecuteContent: Execute file
  • SetOwner: Set ownership on a content item

A complete list of default permissions and roles is provided in Alfresco configuration <config>\model\permissionDefinitions.xml file.

Default roles

Roles are collections of permissions assigned to users. Roles can be applied to any space or individual content items. Subspaces can inherit permissions from parent space. The following table lists the default roles supported out-of-the-box by Alfresco:

Creating a custom role

You can add a new custom role as per your security requirements. You will have to include custom role details in permissionDefinitions.xml, which is located at <config>\model\. For a Tomcat installation, you can find this file at tomcat\webapps\alfresco\WEB-INF\classes\alfresco\model\ permissionDefinitions.xml.

You need to define your own permissions group (say ReviewerRole) and assign permissions as shown below:

<permissionGroup name="ReviewerRole" allowFullControl="false"
                                                      expose="true" >
  <includePermissionGroup permissionGroup="Read" type="sys:base" />
  <includePermissionGroup permissionGroup="AddChildren"
                                                    type="sys:base"/>
  <includePermissionGroup type="cm:lockable"
                                         permissionGroup="CheckOut"/>
</permissionGroup>

Once you make the changes to XML file, you need to restart Alfresco to see the new role added to the system.

上一章目录下一章