on Nov 16, 2017Hello.
We have some cases where users would like to be able to add an user as a member of a site, but this user should not be able to see all the documents by default, like the Consumer role.
The idea is to let such user to see only the "published" ones (defined by a property value or an aspect).
So, basically, a special Consumer role.
What I was considering, and this is where I am not sure if it is the best way to achieve it, is to create a new role called PublishedContentConsumer, and the read permission would be granted to the user only if the content has the aspect or the property set to a specific value.
Based on that, I would like to know if a Dynamic Authority would be the right way to implement this, or if I should consider another approach.
Some links I was reading:
- https://community.alfresco.com/thread/212273-howto-custom-permissions-in-alf-community-50d#comment-708911
- Alfresco - Simple Dynamic Authority · GitHub
Please, let me know what you think.
Any idea is welcome.
Why aren't you simply using the regular Consumer permission for that role (they still need to be able to navigate the structure). You can use behaviours that automatically set a Consumer=DENIED permission assignment on content items (documents), and which will react to the property/aspect change to remove the DENIED permission once the document is published.
No need to use a dynamic authority for this. It is important to note that using a dynamic authority for any permission that grants Read permission is potentially a bad for performance. The optimisations for ACL checking via SOLR may be (partially) negated when doing so, and searches become far slower as ACL checks are again performed after retrieving the results from SOLR. For a while now SOLR has also been tracking and using static DENIED permissions to filter results correctly, so there is no such problem when using regular DENIED permission assignments.