Chapter 6. Permissions and Security

In this chapter, we will discuss the permission and security model in Alfresco. The security model is flexible and lets you choose between Alfresco's internal security model and an external one based on your organization's LDAP or Active Directory setup. You will also learn how to gain granular access control over content in the repository.

By the end of this chapter, you will have learned about:

  • Understanding the security model
  • The configuration of external security systems like LDAP and Active Directory
  • Understanding permissions and roles

Overview of permissions and roles

The authorization of content in Alfresco is done by assigning users or groups (set of users) specific roles on folders or content. Roles are groups of permissions. There are a set of default roles available in Alfresco which we will learn about later in this chapter. There is also the flexibility to customize and define your new roles.

Users or groups can have specific permissions on spaces. Subspaces can inherit the parent space's permissions. The Alfresco system is flexible enough that subspaces and content can have their own permissions set without inheriting any of the parent space's permissions.

Permissions

Access rights on any content or space can be defined in Alfresco by permission. Out of the box, there are multiple permissions. Any content in Alfresco is a node connected to other nodes using associations. By default, a space in Alfresco is a node (parent) that allows you to create instances of child associations for other nodes (children).

Any authority, like users or groups, can be granted any kind of permission on any node. Children of nodes inherit all the permissions from parents unless inheritance is explicitly set to off. When combining the permissions of parents and children, the highest permission takes precedence. The following are a few out of the box permissions:

  • ReadProperties: This permission controls the right to read a node's metadata
  • ReadChildren: This permission controls the right to fetch the children of a node
  • ReadContent: This permission is specific to content and controls whether the user is allowed to read the content
  • WriteProperties: This permission controls the right to update a node's metadata
  • WriteContent: This permission controls the right to update content
  • DeleteNode: This permission grants the right to delete content
  • DeleteChildren: This permission grants the right to delete the children of a node

All these permissions are defined in permissionDefinitions.xml, located at <TOMCAT_HOME>/webapps/alfresco/WEB-INF/classes/alfresco/model.

In the latest versions, since Alfresco 5.0, these files have been moved inside the JAR file alfresco-repository-5.0.jar.

Roles

Roles are a set of permissions. Out of the box, Alfresco supports five kinds of roles, listed as follows:

  • Consumer: This role has minimal permissions. As the name suggests, it only grants read permissions to the user. Any user with the Consumer role on a folder or content can only read content, properties, and children. So, the Consumer role has three permissions grouped together: ReadChildren, ReadContent, and ReadProperties.
  • Editor: This role has all the rights of the Consumer role, plus write permission. A user with the Editor role can edit the properties of nodes and edit the content of a node. An Editor cannot upload new content.
  • Contributor: As the name suggests, this role allows the user to upload content into a space. A Contributor becomes the owner of the content they upload and gets full access rights to that content. So, a Contributor can modify only the content uploaded by them. If you change the ownership of the content, the Contributor would no longer have any rights to edit it. In short, Contributor is Consumer plus the AddChildren permission.
  • Collaborator: This role is a combination of Editor and Contributor. So, users with the Collaborator role can upload content and edit the content uploaded by others in that space.
  • Coordinator: This role is the most powerful one. It grants the user full rights to the space. The user gets all the rights of an admin user on the assigned space. Be very careful when you grant this role to users. Users can modify permissions, delete nodes and children, upload content, create subspaces, create rules, and so on.

The following is an extract of the XML configuration for the Contributor role, as defined in the permissionDefinitions.xml file:

<permissionGroup name="Contributor" allowFullControl="false" expose="true">
    <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject"/>
    <includePermissionGroup permissionGroup="AddChildren" type="sys:base"/>
    <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base"/>
</permissionGroup>

If you want to create your own custom role, you need to customize this XML file. We are not covering this in detail, as that is more of a development job.
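To make the evaluation rules above concrete, here is an added example (not Alfresco's own code or its API) that expands roles from a permissionDefinitions.xml-style fragment and then resolves a user's effective permissions on a node by walking up the parent chain while inheritance is on, so that the highest permission wins. The XML fragment, the Consumer group's contents, the node names and the authorities are constructed for the example; only the Contributor group mirrors the extract on this page.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the Contributor extract above; the Consumer
# group's contents here are an assumption, not copied from Alfresco's file.
PERMISSION_DEFINITIONS = """<permissions>
  <permissionGroup name="Consumer" allowFullControl="false" expose="true">
    <includePermissionGroup permissionGroup="ReadProperties" type="sys:base"/>
    <includePermissionGroup permissionGroup="ReadChildren" type="sys:base"/>
    <includePermissionGroup permissionGroup="ReadContent" type="cm:cmobject"/>
  </permissionGroup>
  <permissionGroup name="Contributor" allowFullControl="false" expose="true">
    <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject"/>
    <includePermissionGroup permissionGroup="AddChildren" type="sys:base"/>
    <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base"/>
  </permissionGroup>
</permissions>"""

def load_roles(xml_text):
    """Map each permissionGroup name to the groups/permissions it includes."""
    root = ET.fromstring(xml_text)
    return {g.get("name"): [i.get("permissionGroup")
                            for i in g.findall("includePermissionGroup")]
            for g in root.findall("permissionGroup")}

def expand(role, roles):
    """Recursively expand a role into the low-level permissions it grants."""
    if role not in roles:               # leaf permission, e.g. ReadContent
        return {role}
    return set().union(*(expand(inc, roles) for inc in roles[role]))

class Node:
    def __init__(self, name, parent=None, inherit=True):
        self.name, self.parent, self.inherit = name, parent, inherit
        self.acl = []                   # (authority, role) set on this node

def effective_permissions(node, authorities, roles):
    """Union of what any of the user's authorities is granted on the node and,
    while inheritance is on, on each ancestor: the highest permission wins."""
    granted = set()
    while node is not None:
        for authority, role in node.acl:
            if authority in authorities:
                granted |= expand(role, roles)
        if not node.inherit:            # inheritance switched off: stop here
            break
        node = node.parent
    return granted
```

A subspace created with inheritance switched off receives nothing from its parent, which is exactly the case to check when a folder is meant to be more restricted than the space above it.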
