Module Based Security - asp.net

I am trying to create an application that is based on module-level security. The idea is that we would have a user log in, grab their roles, grab the pages those roles have access to, then in those pages grab the modules they have access to, then the functions inside the modules they have access to (list, create, edit, delete). That way, in an admin screen, someone could allow or deny modules and module functions to groups.
Has anyone seen any sample projects like this or have ANY clue on how to implement this? I would really like to try this on an n-layer architecture.

Create your site with a basic membership system. Group your pages into folders and have Web.Config files in each to control access. This is all out-of-the-box functionality for the most part. The only custom code you would have to write is when creating an admin form.
As for the fine grain access, if they can't access the pages, they can't access their methods...
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
UPDATE:
if User.IsInRole("Administrator")...
https://web.archive.org/web/20181010194753/http://www.4guysfromrolla.com:80/articles/082703-1.2.aspx
On the same page, in the code-behind, you can check their roles programmatically and display/enable panels/modules accordingly :-)

I would use a base class for your pages to accomplish the effect you describe. In your base class you can add all of the available methods you will need, but provide an authorization method within the base class that allows methods to identify themselves based on the roles they're allowed to have. All of this could be configured with the web.config if you plan it down. A lot of times the "folder" based method for SQL membership just isn't robust enough.
I suppose as an example, you could build your own (or find one in the System.Security namespace) security enumeration to define access levels and then map access levels from your groups in AD (or wherever) to the enumerations. The methods could then use the security enumeration against your user object to determine if the user's access allows the function.
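
An added example, not part of the answers above and not taken from any project: one way to write the security-enumeration idea in C#, with a deny-by-default check that a shared page base class could call before each module function runs. The names `ModuleAccess`, `ModuleAuthorizer`, the `Invoices` module, the `Clerk` and `Manager` roles and the user `alice` are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
// Functions a module exposes; [Flags] lets one grant combine several.
[Flags]
public enum ModuleAccess { None = 0, List = 1, Create = 2, Edit = 4, Delete = 8 }

public class ModuleAuthorizer
{
    // module -> role -> granted functions (the table an admin screen would edit).
    private readonly Dictionary<string, Dictionary<string, ModuleAccess>> _grants =
        new Dictionary<string, Dictionary<string, ModuleAccess>>(StringComparer.OrdinalIgnoreCase);

    public void Grant(string module, string role, ModuleAccess access)
    {
        if (!_grants.TryGetValue(module, out var byRole))
            _grants[module] = byRole = new Dictionary<string, ModuleAccess>(StringComparer.OrdinalIgnoreCase);
        byRole[role] = access;
    }

    // Deny by default: anonymous users, unknown modules and roles without a
    // grant resolve to None. Grants from several roles are OR-ed together.
    public ModuleAccess Resolve(IPrincipal user, string module)
    {
        var effective = ModuleAccess.None;
        if (user == null || !user.Identity.IsAuthenticated) return effective;
        if (!_grants.TryGetValue(module, out var byRole)) return effective;
        foreach (var grant in byRole)
            if (user.IsInRole(grant.Key)) effective |= grant.Value;
        return effective;
    }

    // Call at the top of every handler, not only when choosing which panels to render.
    public void Demand(IPrincipal user, string module, ModuleAccess needed)
    {
        if (needed == ModuleAccess.None || (Resolve(user, module) & needed) != needed)
            throw new UnauthorizedAccessException(module + ": " + needed + " denied");
    }

    public static void Main()
    {
        var auth = new ModuleAuthorizer();   // constructed sample grants below
        auth.Grant("Invoices", "Clerk", ModuleAccess.List | ModuleAccess.Create);
        auth.Grant("Invoices", "Manager", ModuleAccess.Edit);
        var user = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Clerk", "Manager" });
        Console.WriteLine(auth.Resolve(user, "Invoices"));
        auth.Demand(user, "Invoices", ModuleAccess.Edit);   // granted: no exception
        try { auth.Demand(user, "Invoices", ModuleAccess.Delete); }
        catch (UnauthorizedAccessException ex) { Console.WriteLine(ex.Message); }
    }
}
```

In an ASP.NET page the `IPrincipal` passed in would be the page's `User` property, and the grant table would be loaded from wherever the admin screen stores it.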

Related

How to manage access permission in alfresco

Hello everyone, thanks in advance for your help.
I am trying to configure access permissions in Alfresco and am now stuck in a scenario.
It would be a great help if someone could define the proper way to achieve this functionality.
Now my problem is:
I want to create a site (which will be accessible by all users),
then create folders and subfolders in that site (I am ready to customize the content type of those folders if required).
Now I want to configure Alfresco in such a way that a specific set of users can access a specific folder and its content.
For example:
This is the list of users:
user1,user2,user3,user4,user5
And this is the folder structure:
Project
    Data
        Test
        Exam
    Design
        art
        practice
    Work
        W1
        W2
Now, how do I configure it in such a way that:
user1 can access Data->Exam
user2 can access Work and all its child folders
user3 can access Data and all its child folders
user4 can access Design and all its child folders and
user5 can access Data->Work, Design->art, Work->W1 folder
Note that I am using the CMIS API to generate this folder structure,
so is there any way to achieve this by Java code only?
I have read about managing permissions, but I am not sure about using it, because when I tried to give permission on a folder it allowed me to add only a single user,
but in my case I want to make a group of users and make the folder accessible by that particular group.
Thank you so much for your time :)
If you want to use a group, you'll need to create the group in Alfresco using either the admin console or the Alfresco API. CMIS cannot manage users or groups.
Once your users and groups are in place, you can use CMIS to assign them to ACLs. However, the challenge is that you may need to disable or "break" ACL inheritance to do exactly what you want. You cannot disable ACL inheritance with the CMIS API. You'll have to do it in the UI or through the Alfresco API.
With your users and groups in place and with your folders configured to inherit or not inherit parent permissions as needed, you can now add users and groups to your folders. With CMIS, you can add as many users or groups as you need to a given folder. It is not limited to a single user or group. This page has some examples on using Access Control Entries (ACEs) which make up Access Control Lists (ACLs).
I think that Jeff Potts' answer is great. I will only add a few things: you can look at this post, which will give you an answer on how to work with ACLs: How to get Acls of a document.
You can also use the allowable actions on any folder (or document). It will look like this:
Action a = Action.CAN_DELETE_OBJECT;
object = session.getObjectByPath(idObject); // In case it's a folder
if (object.getAllowableActions().getAllowableActions().contains(a)) {
    return Boolean.TRUE; // You can do it
}
Only remember that you can get the allowable action as a String (in case you want to work with a few of them):
String canCreateFolder = Action.CAN_CREATE_FOLDER.value();
The most important Actions that you have to use:
can_create_folder = Action.CAN_CREATE_FOLDER.value();
can_create_document = Action.CAN_CREATE_DOCUMENT.value();
can_update_folder = Action.CAN_UPDATE_PROPERTIES.value();
can_update_document = Action.CAN_UPDATE_PROPERTIES.value();
can_delete_folder = Action.CAN_DELETE_OBJECT.value();
can_delete_document = Action.CAN_DELETE_OBJECT.value();
Hope that helped you.

In Alfresco, creating folders under a site or under the document library of a site?

I am new to Alfresco. Using version 5.0.d.
I am developing CMIS based application code to index and access documents into Alfresco repository.
All the documents that our application would be storing are mainly by/for our application.
So probably a limited set of users of our clients might want to manage them through Share UI.
When I go into Alfresco Share interface, I see the concept of sites.
I decided to create a site for our application.
Then inside the site, I am able to create folders.
Underneath the site, I also see a document library location, inside which I can create folders as well.
I am having a hard time choosing or deciding on an approach.
In order to access the 'Sample' folder that is created directly under the 'testSite' site, CMIS (Java) code looks like this:
Folder folder = (Folder) cmisSession.getObjectByPath("/Sites/testSite/Sample");
In order to access the 'TestFolder' folder that is created under the document library of the site:'testSite', CMIS (Java) code looks like this:
Folder folder = (Folder) cmisSession.getObjectByPath("/Sites/testSite/documentLibrary/TestFolder");
Code does not look any different other than the path...
Can you tell me why anyone would prefer to organize their folders one way or the other?
I also do not know if this is the best way, or if there is any other way, in CMIS API to access the folders underneath a site...
You do not necessarily need to use sites to store your contents.
Sites are designed as collaboration spaces. When you use a site you get "for free":
Simplified (but sometimes not flexible enough) role based access permissions. The idea is that a site manager decides, at the site level, the role of each user. Permissions can be applied to roles instead of groups or users. This helps to simplify the administration of permissions, but sometimes is not flexible enough. Using the API or accessing the folders of the sites in the "repository view" (see for example http://docs.alfresco.com/4.2/concepts/share-repodoclib.html), you can set more granular permissions, but doing it somehow breaks the "simplified" role based permissions.
Collaboration pages: document library, blog, calendar, data lists, etc...
A site dashboard that can have a different configuration for each site and site specific dashlets
Site visibility: public, moderate, private; and the function to invite users and manage users at site level
Probably other functionality that does not come to my mind right now
As I mentioned, the "document library" is one of the pages in a site. It is designed to collaborate on contents. If you are using sites, use the document library for contents on which users will collaborate. These contents are stored in the path:
/Sites/site-name/documentLibrary/
You can definitely create contents directly in /Sites/site-name/ but they won't be visible in the "document library" page of the site. This is what Alfresco does to store other types of content associated with a site, such as data lists, calendar events, discussions, etc.
If your repository is accessed only with a custom application by CMIS, I am not sure that you will get any benefit using sites.
I wouldn't use it if you would end up with a single site.
I would suggest to use it, if you think that it can be useful to "invite" users to sites and assign permissions based on roles.

Alfresco Ldap create a group folder as home folder for users

I'm using Alfresco-LDAP to migrate all my LDAP users to the Alfresco service.
So far I have managed to transfer all users, but for every user the home folder created in Alfresco is named after the user, and what I would like is to share a folder for all members of the LDAP group, since I have multiple groups and every user of a group can only get files from that group.
This is the property
ldap.synchronization.defaultHomeFolderProvider
I read in the Alfresco documentation http://wiki.alfresco.com/wiki/Security_and_Authentication#Creating_home_spaces_-_from_1.4_onwards
But it seems like what I'm trying to do is not contemplated.
Any suggestions, please?
Unfortunately there is no configurable HomeFolderProvider for groups supporting specific spaces. You need to create your own HomeFolderProvider in Java for that. Out of the box you could use the companyHomeFolderProvider, which is normally used if you want to disable the home folder feature. The user object requires a user home to be able to log in, and the workaround is to set the root (company_home) for that.
[1] https://wiki.alfresco.com/wiki/Security_and_Authentication#Creating_home_spaces_-_from_1.4_onwards
[2] Disable the user home folder creation

Searching in Alfresco in all tenants

Is it possible to search files, folders in Alfresco in all existing tenants? For example: I am admin user in the tenantA and would like find files in all other tenants.
I don't think it's possible to search files or folders in all existing Alfresco tenants. As far as I know, tenants are designed for hiding the visibility of documents from one tenant to another. That is the main purpose for which tenants were introduced,
so that a single Alfresco instance can be used for more than one organization, without knowing that another user is also using the same instance for document management.
You can find more about tenants at the link below.
https://wiki.alfresco.com/wiki/Multi-Tenancy

Is there a module to specify access rules for specific nodes or specific pages?

Is there a Drupal module to specify access rules for specific nodes?
I don't need to specify them for a generic content type, but for a specific node (nid).
Also, I would like to specify permissions on a specific page (let's say a view).
Thanks
The Content Access module allows you to specify access control per node by role, breaking it down to a granular edit, view or delete permission by role.
Views allows a permission to be set by role under the 'access' option in basic settings. You can therefore set by display giving you quite rich control over what visitors have access to by role.
I've also used Nodeaccess which may be worth looking at. I believe this allows delegation of deciding which roles may edit, delete or update a node to the node author rather than the administrator.
Views has access control built in, you can set permissions for a view from inside the Views UI. When you edit a view there is a setting "Access" where you can set a role or permission that is required to access the view.
"Content Access" has an option for node-specific access, but I never used that part of the module myself (I previously wrote Module Grants, but that functionality came from Content Access).
Other options are Taxonomy Access or TAC lite that apply permissions based on taxonomy.
