May local role be inherited in Plone?

I created folder1 in the Plone site root and added the local role "manager" for user adam to folder1. Next, I created document1 in folder1. I want to know if user adam has a local "manager" role for document1.

Yes, by default, permissions from the container of a document are inherited, except if you manually disable this behavior in the document's sharing tab.

Related

Nexus 3 and Content Selectors

I'm trying to use Sonatype Nexus 3 and content selectors for a Maven 2 repository.
I created a Maven 2 repository called "custom-snapshots" and a content selector with the query
coordinate.groupId =^ "net"
(My original query was more precise, but I'm trying to narrow down the problem. I don't think the problem is the content selector though as when I click preview and run it against custom-snapshots, I do get matches.)
Then I created a privilege called "sea-lion-snapshot-priv" with content selector "sea-lion-selector", repository "custom-snapshots" and actions "read,edit,browse".
Next I created a role called "sea-lion-role" with "sea-lion-snapshot-priv". Finally, I created a user "sam" with roles "sea-lion-role" and "nx-anonymous". I did not change any of the permissions on nx-anonymous.
When testing:
If I browse the custom-snapshots repo without being logged in, I see all the artifacts.
If I browse the custom-snapshots repo logged in as Sam, I see all the artifacts.
If I browse the custom-snapshots repo logged in as another user, I see all the artifacts.
I was expecting to see the artifacts as Sam, but not anonymous/the other user.
Any ideas on what I could have set up wrong or techniques to troubleshoot it?
#rseddon's comment was the missing step. In the spirit of documentation, here are the exact settings I used when it was working:
Create a new role "limited-anon" with "nx-repository-view-maven2--*-read" and "nx-search-read"
Under users, go to "Anonymous". Remove the built in role and add "limited-anon"
Create a content selector with search expression coordinate.groupId =^ "my.package.name"
Create a privilege of type "Repository Content Selector" going against this content selector, the snapshot repository and actions "read,edit,browse"
Create a similar privilege for the releases repo
Create a new role with both of these privileges
Assign both that new role and "limited-anon" to Sam (the user who can see the artifacts)
Assign just "limited-anon" to the other test user
This configuration works for:
anonymous user - cannot see this artifact
Sam - can see this artifact
other user - cannot see this artifact
With this setup, it looks like items in the repository without content selectors cannot be seen unless you are an admin. Which is fine for my use case.
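Why the first setup showed everything to everyone, as an added example that is not part of the original post and is not Nexus code. It is a simplified model that assumes privileges are additive across roles and that the built-in anonymous role carries wildcard browse/read; the role contents and sample components are constructed.

```javascript
// Simplified model (an assumption, not Nexus code): privileges are additive,
// so a user may do whatever at least one privilege in any assigned role allows.
function viewPriv(format, repo, actions) {
  return { format: format, repo: repo, actions: actions,
           matches: function () { return true; } };
}
// Models a "Repository Content Selector" privilege whose selector is
// coordinate.groupId =^ "<prefix>"  (=^ is "starts with").
function selectorPriv(repo, prefix, actions) {
  return { format: 'maven2', repo: repo, actions: actions,
           matches: function (c) { return c.groupId.indexOf(prefix) === 0; } };
}

function allowed(roles, action, component) {
  return roles.some(function (role) {
    return role.some(function (p) {
      return (p.format === '*' || p.format === component.format) &&
             (p.repo === '*' || p.repo === component.repo) &&
             p.actions.indexOf(action) !== -1 && p.matches(component);
    });
  });
}

// Constructed roles. ASSUMPTION: the built-in anonymous role carries wildcard
// browse/read on every repository, which is why it has to be replaced.
var nxAnonymous = [viewPriv('*', '*', ['browse', 'read'])];
var limitedAnon = [viewPriv('maven2', '*', ['read'])]; // nx-search-read not modelled
var seaLionRole = [selectorPriv('custom-snapshots', 'net', ['read', 'edit', 'browse'])];

// Constructed sample components in the snapshot repository.
var selected = { format: 'maven2', repo: 'custom-snapshots', groupId: 'net.example' };
var unselected = { format: 'maven2', repo: 'custom-snapshots', groupId: 'org.example' };

function browseTable(users, component) {
  var out = {};
  Object.keys(users).forEach(function (u) {
    out[u] = allowed(users[u], 'browse', component);
  });
  return out;
}

var before = { anonymous: [nxAnonymous], sam: [seaLionRole, nxAnonymous] };
var after = { anonymous: [limitedAnon], sam: [seaLionRole, limitedAnon],
              other: [limitedAnon] };
console.log('before:', browseTable(before, selected));
console.log('after: ', browseTable(after, selected), browseTable(after, unselected));
```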

custom user permissions in alfresco

I am using Alfresco Community Edition.
I have 4 Folders.
1. Sales 2. Controller 3. Purchase 4. Accounts.
I have Multiple Users as per their teams.
The Sales Team will create a folder and send the folder to Controller, Controller sends the same folder to Purchase and Purchase to Accounts.
Here, what I want is, when a User from Sales team creates his/her folder, it should be only visible to him/her in Sales Folder and no other Sales user should be able to view it. (Only folder owner should be able to view his own content)
But when the folder is sent to other folders, there too only the Folder Owner and the other users should be able to access and view the folder.
I tried the workflow and I have successfully given the permissions to the other users, but I am unable to assign proper permissions to the Sales Team.
Short Explanation: a Sales member who creates a folder should be able to access his own folder and not any other member's contents/folders in all 4 main folders.
Please help me on this.
Remove permission inheritance on the root folder of the site.
Set the proper permission to each folder through Manage permissions (Sales, Controller, Purchase, Account)
Setup a rule to act upon some action or manage the permissions through your workflow.
You can read up on folder permissions here.
Cheers!
There is no embedded function for your expected behavior, but it is possible to achieve what you expect by defining rules on the 4 main folders which call JavaScripts to run your business logic:
remove inheritance flag on new / moved objects (only on direct children / folders)
remove all direct permissions and add only permissions you want to add for this folder
The user who created the new folder will always have all permissions because Alfresco has a special role "Owner" which has similar permissions (ALL) to a Coordinator and which will still be active when the folder is moved to another main folder. If the user creating the folder should still have navigation access to the folder when it is moved, you need to give Consumer permission on all 4 folders to the sales team. This will allow them to walk into the folders but only to see subfolders if the user has access.
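A sketch of the rule-script logic the answer above describes, added here as an example and not taken from the post or from Alfresco. It assumes the ScriptNode permission methods `setInheritsPermissions`, `getDirectPermissions`, `removePermission` and `setPermission`; the stub node and the group names are constructed so the logic runs outside Alfresco.

```javascript
// Works on any object exposing the ScriptNode permission methods (assumed API).
function lockDown(node, grants) {
  node.setInheritsPermissions(false);   // stop inheriting from the main folder
  // Direct entries have the form "ALLOWED;<authority>;<permission>".
  var direct = node.getDirectPermissions();
  for (var i = 0; i < direct.length; i++) {
    var parts = String(direct[i]).split(';');
    node.removePermission(parts[2], parts[1]);
  }
  // Add back only what this main folder should grant. The creator is not
  // listed: per the answer, the Owner role keeps their access after a move.
  for (var j = 0; j < grants.length; j++) {
    node.setPermission(grants[j].permission, grants[j].authority);
  }
  return node.getDirectPermissions();
}

// Constructed stand-in for a ScriptNode; not Alfresco code.
function makeStubNode(direct) {
  var acl = direct.slice(), inherits = true;
  return {
    setInheritsPermissions: function (v) { inherits = v; },
    inheritsPermissions: function () { return inherits; },
    getDirectPermissions: function () { return acl.slice(); },
    removePermission: function (perm, auth) {
      acl = acl.filter(function (e) { return e !== 'ALLOWED;' + auth + ';' + perm; });
    },
    setPermission: function (perm, auth) { acl.push('ALLOWED;' + auth + ';' + perm); }
  };
}

// Constructed input: a folder that just arrived in the Controller main folder.
var movedFolder = makeStubNode(['ALLOWED;GROUP_sales;Collaborator']);
var controllerGrants = [{ authority: 'GROUP_controller', permission: 'Collaborator' }];
console.log(lockDown(movedFolder, controllerGrants));
// In a folder rule the same call would take the triggering node: lockDown(document, ...)
```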

Restrict document access to particular user in alfresco

Is there any way by which I can show particular documents to particular users only? In Alfresco, all users from a site can see all the documents. I want to show the particular document to some users only. I am using Alfresco Community Edition. Can somebody help me?
Thanks
A site is just a folder. The site folder contains "container" folders for things like the document library, wiki, data lists, etc. You can set permissions on these folders just like you can any folder in Alfresco. Similarly, documents can have their permissions set individually.
The confusion arises because when you are using Share in the context of a particular site, the permissions settings don't offer granular settings. But if you navigate to your site through the "Repository" view (see the link at the top of the page), you can have full control over the permissions.
Suppose we have a site called test-site and a folder called test in that site's document library that contains a document, testdoc.pdf. You should be able to:
Click the "Repository" link at the top of the page.
Click the "Sites" folder.
Click the "test-site" folder.
Click the "documentLibrary" folder.
Click the "test" folder.
Click testdoc.pdf to open its details page.
Click "Manage Permissions".
By default, objects inherit the permissions of their parent. So testdoc.pdf has the permissions of its parent folder. If you want to remove all permissions and set explicit, "local" permissions on testdoc.pdf...
Click "Inherit Permissions" to turn off inheritance.
Click "Add User or Group" to add specific users or groups with the access level you want them to have.

Plone Folder Restrictions

In Plone, I created a new folder called "Admin" that appears at the top navigation bar. How do I restrict access to this folder so only site administrators will have access to this folder? (and, preferably, only those admins would see that link appear)?
Create a folder at the root level and keep it private and don't share it with any other groups. Administrators (by default) can view all content. Items for which a user does not have permission are not visible in the Global Nav, Nav portlets, search, etc.
Use the sharing tab and add the users/groups needed.

Is there a module to specify access rules for specific nodes or specific pages?

Is there a Drupal module to specify access rules for specific nodes?
I don't need to specify them for a generic content type, but for a specific node (nid).
Also I would like to specify permissions on a specific page (let's say a view).
thanks
The Content Access module allows you to specify access control per node by role, breaking it down to a granular edit, view or delete permission by role.
Views allows a permission to be set by role under the 'access' option in basic settings. You can therefore set by display giving you quite rich control over what visitors have access to by role.
I've also used Nodeaccess which may be worth looking at. I believe this allows delegation of deciding which roles may edit, delete or update a node to the node author rather than the administrator.
Views has access control built in, you can set permissions for a view from inside the Views UI. When you edit a view there is a setting "Access" where you can set a role or permission that is required to access the view.
"Content Access" has an option for node-specific access, but I never used that part of the module myself (I previously wrote Module Grants, but that functionality came from Content Access).
Other options are Taxonomy Access or TAC lite that apply permissions based on taxonomy.
