RM Readers and Writers roles

Question asked by sammasue on Sep 5, 2014

I uploaded a document in My Files and then clicked on "declare as record" (the user I used does not have rights in RM). The result is that I can see the newly created record in My Files (which is good); however, in addition the user got rights in the RM site. For example, after this operation I could see rm/documentLibrary and the folders "Holds", "Transfers" and "Unfiled Records". Inside "Unfiled Records" I could see my new record but also the other uncompleted records, for which I shouldn't have any rights.

After an investigation I realized that this user was added to some groups:

- GROUP_ExtendedWriters (only for documentLibrary)
- GROUP_ExtendedReaders (only for documentLibrary)
- ROLE_EXTENDED_READER (folders and records level)
- ROLE_EXTENDED_WRITER (folders and records level)

I understood that RM extends security mainly using the class ExtendedSecurityServiceImpl, and that the members of these groups are defined on each node using these properties:
- {}extendedWriterRole
- {}readers
- {}extendedReaderRole
- {}writers

I did the same operation from a public collaboration site and noticed that the site collaborator, contributor, manager and consumer were added to the same groups, which increases even further the access to the records in my RM.

I understand that if the user wants to see his node in the DM he needs to have access to the RM somehow. Indeed there is only one node, but with multiple paths. Still, I am a bit surprised by all the rights granted when declaring a simple document as a record. I am wondering if this behavior is really expected?

Thanks in advance for your help.

Best regards,

I am using Alfresco Community 4.2.e and RM 2.1.a