Customizing Alfresco Permissions

Question asked by pavankk on Mar 13, 2013
Latest reply on Mar 14, 2013 by pavankk
Alfresco is one of the best ECM tools, built on top of a stack of Java technologies. It amazingly uses Spring to accommodate customizations through a bunch of configuration files.

Out of the box, Alfresco comes with 5 default roles defined for the cm:content type, like consumer, editor, collaborator and so on. As we all know, each role is a bunch of permissions. Apart from these standard role authorities, Alfresco also supports dynamic authorities like OWNER and LOCKOWNER.

As we know, when Alfresco evaluates a permission on a document for a user, it first verifies whether the currently logged-in user is the creator or owner of the document. If yes, then irrespective of the role he has on the space (for example, he may have been invited to the space with the consumer role), he will be allowed to perform the action against the document.

To put it briefly, dynamic authorities override the role the user possesses on the document.

To understand more about Alfresco permissions, visit the wiki below:

Alfresco Permissions Wiki

Business Case

Now here is one business requirement: if the user has been invited as a read-only user (assigned the consumer role), then he should not be authorized to delete or edit the document even though he is the owner or creator.

Now the question is how we can achieve this customization in Alfresco. No worries, we can easily do it by customizing the out-of-the-box Alfresco Permission Service.

Alfresco defines all its public services in public-services-context.xml, and each service bean is defined with Spring AOP proxies.

The design of the service API follows the pattern below:

1) Service Interface

2) Service Implementation

3) Stack of interceptors

Here is an example:

<bean id="PermissionService" class="org.springframework.aop.framework.ProxyFactoryBean">
    <property name="proxyInterfaces">
        <value>org.alfresco.service.cmr.security.PermissionService</value>
    </property>
    <property name="target">
        <ref bean="permissionService"/>
    </property>
    <property name="interceptorNames">
        <list>
            <idref bean="PermissionService_transaction"/>
            <idref bean="AuditMethodInterceptor"/>
            <idref bean="exceptionTranslator"/>
            <idref bean="PermissionService_security"/>
        </list>
    </property>
</bean>

As we can see, the above Permission Service has 4 interceptors, like Security and AuditMethodInterceptor. We can define our own interceptor.

To create an interceptor, just create a class which implements org.aopalliance.intercept.MethodInterceptor and provide an implementation of the invoke method, and then include this interceptor as the last interceptor in the Permission Service interceptorNames.

Now each method invocation on PermissionService will be intercepted by your custom interceptor, and you are free to provide an implementation for it.

The example configuration below shows how to include your custom interceptor within the PermissionService bean definition:

<bean id="PermissionService" class="org.springframework.aop.framework.ProxyFactoryBean">
    <property name="proxyInterfaces">
        <value>org.alfresco.service.cmr.security.PermissionService</value>
    </property>
    <property name="target">
        <ref bean="permissionService"/>
    </property>
    <property name="interceptorNames">
        <list>
            <idref bean="PermissionService_transaction"/>
            <idref bean="AuditMethodInterceptor"/>
            <idref bean="exceptionTranslator"/>
            <idref bean="PermissionService_security"/>
            <idref bean="CustomPermissionService"/>
        </list>
    </property>
</bean>

I hope this blog will be helpful for Alfresco developers who want to customize out-of-the-box permissions.

If you are still looking for clarification you can post your questions.

Cheers!!!!!!!!!!

Pavan
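
A sketch of the interceptor class the post describes, for the business case above. This is an added example, not code from the original post or from Alfresco: the class name, field names and setters are hypothetical, and the class has to be registered as a Spring bean whose id matches the CustomPermissionService idref. It answers DENIED to write and delete checks when the current user holds an allowed Consumer entry on the node, before the target service gets to evaluate dynamic authorities.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessPermission;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.PermissionService;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;

// Hypothetical interceptor: a Consumer entry outranks OWNER for mutating permission checks.
public class ConsumerOverridesOwnerInterceptor implements MethodInterceptor {
    private static final Set<String> MUTATING = new HashSet<String>(Arrays.asList(
            PermissionService.WRITE, PermissionService.WRITE_PROPERTIES, PermissionService.WRITE_CONTENT,
            PermissionService.DELETE, PermissionService.DELETE_NODE));
    // Inject the lower-case "permissionService" target bean here, not the "PermissionService"
    // proxy: a lookup through the proxy would re-enter this interceptor.
    private PermissionService rawPermissionService;
    private AuthorityService authorityService;

    public void setRawPermissionService(PermissionService s) { this.rawPermissionService = s; }
    public void setAuthorityService(AuthorityService s) { this.authorityService = s; }

    @Override
    public Object invoke(MethodInvocation invocation) throws Throwable {
        Object[] args = invocation.getArguments();
        boolean isCheck = "hasPermission".equals(invocation.getMethod().getName())
                && args.length == 2 && args[0] instanceof NodeRef && args[1] instanceof String;
        if (isCheck && MUTATING.contains(args[1]) && isInvitedAsConsumer((NodeRef) args[0])) {
            return AccessStatus.DENIED; // short-circuit: the target never evaluates OWNER
        }
        return invocation.proceed(); // every other call goes through unchanged
    }

    // True if the user, or a group the user belongs to, has an ALLOWED Consumer entry
    // (set directly or inherited from the space). Simplification: any other role is ignored.
    private boolean isInvitedAsConsumer(NodeRef nodeRef) {
        String user = AuthenticationUtil.getRunAsUser();
        if (user == null) return false;
        Set<String> authorities = authorityService.getAuthoritiesForUser(user);
        for (AccessPermission ap : rawPermissionService.getAllSetPermissions(nodeRef)) {
            boolean mine = user.equals(ap.getAuthority()) || authorities.contains(ap.getAuthority());
            if (mine && ap.getAccessStatus() == AccessStatus.ALLOWED
                    && PermissionService.CONSUMER.equals(ap.getPermission())) return true;
        }
        return false;
    }
}
```

This changes only what calls made through the PermissionService proxy return. Before relying on it for enforcement, verify for your Alfresco version whether the security interceptors on other public services (for example NodeService) consult that proxy or the underlying permissionService bean.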