
Suggestions for 'role'-based access/permissions

Question asked by tarh33l_bf on Feb 19, 2012
Latest reply on Feb 19, 2012 by tarh33l_bf
Hi everyone,
Despite doing quite a bit of research on permissions in Alfresco, I have yet to come up with a definitive answer for how to approach this problem:

In our solution, we're going to have several spaces created at the same level in the repository. These spaces will represent various "clients" that we work with. For each client, we perform a variety of tasks that cover different business units. For example, we may have legal, finance, and governance as three units for a client. In our business, person A will work in legal, but only works on a handful of our clients. Person B works in finance but may work on different clients than person A. Person C works in governance and works on all of our clients. As our clients' data is sensitive, we do not want people at our company to have access to a client if they are not actively working with that client. In addition, someone who is working in "legal" for client A should not see "finance" content for client A.

So, here's how we're planning on approaching this. Please let me know if we're on the right track:

  • For each client, we'll create a corresponding Alfresco group. Each client space will allow anyone in the corresponding client group to have contributor access (the actual role is up in the air, but shouldn't really matter with our proposed solution as long as they can browse). We will only add specific users to the group when those users have been "assigned" to work on that client.

  • Next, we'll create Alfresco groups for each of the business units we have at our company (e.g. "Finance Users", "Legal Users", "Governance Users").

  • Anyone who works in the legal department, for example, will be added to the "Legal" group. Finance people go in the "Finance" group, and so on.

  • For each business unit that services that client, we'll create a sub-space (e.g. "Legal"). We'll give permissions on that sub-space to users in the corresponding group (e.g. "Legal Users").

  • Each of the above-mentioned business unit spaces within a client will NOT inherit parent permissions. This will ensure that person A, assigned to the client A group, will only see the "Legal" sub-space for client A and NOT "Finance" or "Governance".

Here's the example in tree form, along with permissions for each space:

  • Company Home
    • Client A (GROUP_CLIENT_A - read)
      • Legal (GROUP_LEGAL_USERS - full, does not inherit)
      • Finance (GROUP_FINANCE_USERS - full, does not inherit)
      • Governance (GROUP_GOVERNANCE_USERS - full, does not inherit)
    • Client B (GROUP_CLIENT_B - read)
      • Legal (GROUP_LEGAL_USERS - full, does not inherit)
      • Finance (GROUP_FINANCE_USERS - full, does not inherit)
      • Governance (GROUP_GOVERNANCE_USERS - full, does not inherit)

So far, this seems like a solid plan. The thing that I cannot seem to verify is whether or not a sub-space is accessible outside of the context that the sub-space lives in. For example, in the scenario above, we're saying that only members of the group "client A" will actually be able to see the "client A" space. This works just fine and I've confirmed this. Pretty basic.

In the second part of the scenario, "person A" is able to see the "Legal" folder under the "client A" space since that user is a) a member of the "client A" group AND b) a member of the "Legal" group. Here's where it gets tricky for me. Let's say that "person D" is also in the "Legal" group, but is NOT a member of the "client A" group. I understand that they cannot see the "client A" space in the repository since they don't have permissions to it, but is there a chance they could still see the "Legal" sub-space for "client A" since we're only limiting access to it based on navigating through the "client A" space? In other words, does Alfresco restrict access to a child node if the user doesn't have permissions to the parent node (even if inheritance is turned off on the child node)? My hunch is that the "Legal" sub-space is not something "person D" could access since the only way to that node is through the parent node which they don't have access to. Site search seems to confirm this. I really need to make sure this is a valid assumption before moving forward with this model. If this assumption is incorrect, how can I best model our users/groups to handle our requirement? Thank you in advance!
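The question above is exactly the kind of assumption worth checking in a model before building the group structure. The following Python script is an added example, not part of the original post and not Alfresco's own code. It models the tree and groups from the post and evaluates "can this user read this space?" two ways: per node (the node's own ACL plus whatever it inherits while inheritance is on), and by path (read on the node and on every ancestor). The assumption it encodes, stated plainly, is that Alfresco's permission service uses the per-node rule: a user who holds a permission on a node gets it back from search and can open it by node reference even when the parent space is not readable to them. The client spaces are modelled as not inheriting from Company Home, since the post says only the client group can see them, and the "per-client groups" design (GROUP_CLIENT_A_LEGAL and friends) is an assumed alternative, not something the post proposes.

```python
"""Constructed model of the space/group layout from the post (added example).

Assumption (not verified against the page): Alfresco answers "may U read N?"
from N's effective ACL alone, so a node U can read is reachable via search or
nodeRef regardless of whether U can read N's ancestors.
"""
from dataclasses import dataclass, field


@dataclass
class Space:
    name: str
    grants: dict = field(default_factory=dict)   # group -> "read" | "full"
    inherit: bool = True                          # inherit parent permissions?
    children: list = field(default_factory=list)


def build_tree(unit_group):
    """Build the tree from the post. unit_group(client, unit) names the group
    that gets 'full' on each business-unit sub-space; swapping that function
    is the only difference between the two designs below."""
    root = Space("Company Home", {"GROUP_EVERYONE": "read"})
    for client in ("A", "B"):
        # Assumed: client spaces do not inherit, so only the client group sees them.
        c = Space(f"Client {client}", {f"GROUP_CLIENT_{client}": "read"}, inherit=False)
        for unit in ("Legal", "Finance", "Governance"):
            c.children.append(Space(unit, {unit_group(client, unit): "full"}, inherit=False))
        root.children.append(c)
    return root


def effective_acls(space, parent_path=None, parent_acl=None, out=None):
    """Return {path: (effective ACL, parent path)} for every space.
    Effective ACL = own grants, plus the parent's effective ACL when inheriting."""
    out = {} if out is None else out
    path = f"{parent_path}/{space.name}" if parent_path else space.name
    acl = dict(parent_acl) if (space.inherit and parent_acl) else {}
    acl.update(space.grants)
    out[path] = (acl, parent_path)
    for child in space.children:
        effective_acls(child, path, acl, out)
    return out


def has_read(groups, acl):
    return any(acl.get(g) in ("read", "full") for g in groups)


def readable_by_search(user, tree, membership):
    """Per-node evaluation: what the user gets back from a search or a direct link."""
    groups = membership[user] | {"GROUP_EVERYONE"}
    return sorted(p for p, (acl, _) in effective_acls(tree).items() if has_read(groups, acl))


def readable_by_browsing(user, tree, membership):
    """Path evaluation: what the user reaches by clicking down from Company Home,
    which needs read on the space and on every ancestor."""
    groups = membership[user] | {"GROUP_EVERYONE"}
    index = effective_acls(tree)
    visible = []
    for path in index:
        p = path
        while p is not None and has_read(groups, index[p][0]):
            p = index[p][1]
        if p is None:                 # every ancestor was readable
            visible.append(path)
    return sorted(visible)


def leaks(tree, membership):
    """Spaces a user can read per node but could never browse to: the gap the
    question asks about, per user."""
    return {u: sorted(set(readable_by_search(u, tree, membership))
                      - set(readable_by_browsing(u, tree, membership)))
            for u in membership}


# Design from the post: one company-wide group per business unit.
PROPOSED = build_tree(lambda client, unit: f"GROUP_{unit.upper()}_USERS")
PROPOSED_MEMBERS = {
    "person_a": {"GROUP_CLIENT_A", "GROUP_LEGAL_USERS"},
    "person_c": {"GROUP_CLIENT_A", "GROUP_CLIENT_B", "GROUP_GOVERNANCE_USERS"},
    "person_d": {"GROUP_LEGAL_USERS"},        # in Legal, not assigned to client A
}

# Assumed alternative: one group per client AND business unit, so membership of
# a sub-space group already implies assignment to that client.
PER_CLIENT = build_tree(lambda client, unit: f"GROUP_CLIENT_{client}_{unit.upper()}")
PER_CLIENT_MEMBERS = {
    "person_a": {"GROUP_CLIENT_A", "GROUP_CLIENT_A_LEGAL"},
    "person_c": {"GROUP_CLIENT_A", "GROUP_CLIENT_B",
                 "GROUP_CLIENT_A_GOVERNANCE", "GROUP_CLIENT_B_GOVERNANCE"},
    "person_d": {"GROUP_CLIENT_B", "GROUP_CLIENT_B_LEGAL"},
}

if __name__ == "__main__":
    for label, tree, members in (("proposed", PROPOSED, PROPOSED_MEMBERS),
                                 ("per-client groups", PER_CLIENT, PER_CLIENT_MEMBERS)):
        print(label, leaks(tree, members))
```

Under the per-node rule the proposed design leaks both ways: person D reads the Legal sub-space of every client, and person A, assigned only to client A, reads client B's Legal space as well. The per-client groups close both gaps because the sub-space ACL no longer names a company-wide group. The same `leaks` check can be run against an export of the real group memberships before the structure goes live, and re-run whenever a group is added.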
