Ask Question
« General Questions on Nuxeo

Block access to nuxeo administrator

Hi,

Is it possible to block access to the administrator for a certain workspace/folder in Nuxeo(-dm) 5.5?

We tried set all permissions to “deny” but the folder is still visible to administrator. And we did save “local rights”.

The same behavior happens if administrator in question is defined through “administratorId” in the config of is only a member of administrators.

The desired effect is the following :

We want to have a “nuxeo officer/administrator” who is able to fine tune our Nuxeo instance, and sometime helps user with problems.

But we don't want this user be able to see certain sensitive documents (like salaries). Is there a way to achieve this goal?

Thanks.

Patrick

patrek Turcotte
Member (1.6K)   2   4   5 		02/28/2012 ( History)
0 votes
1 answers
2411 views
ANSWER
patrek Turcotte
I played a little bit with the SecurityPolicy api, but it seems that if a user is in the groups "administrators", the SecurityPolicy extension checkPermission method is not called.
02/28/2012
bruce Grant
What happens if you enable document-level security and remove inherited rights? Same result?
03/01/2012
patrek Turcotte
Can you point me to the right place in the documentation to enable document-level security?
03/01/2012
bruce Grant
Have a look here > http://doc.nuxeo.com/display/KB/How+to+let+user+set+rights+on+non+folderish+documents

Although based on what you describe I don't hold out hope that this will make any difference.

03/01/2012
ANSWERS

This is not possible with the current security model. Note that even if it was, your administrator probably has access to the database and storage and would be able to access the document anyway, albeit not as easily.

You may want to store an encrypted version of the document instead, with the decryption key shared only between people who should be able to access it (encryption/decryption would be done client-side, outside Nuxeo).

Mathieu Guillaume
Member (3.4K)   1   4   3 		03/01/2012 ( History)
1 votes
patrek Turcotte
Not in our case.
03/01/2012
Follow
Tags
Linked Questions
Related Questions
Block permissions inheritance programatically
In Studio, how to create a Drawer Menu which redirect to a document ?
Having a link that points to a tab or a subtab of the current document.
Add relation to documents in sections
I want to change the userWorkspace folder(physical) name with my own name. As per Nuxeo it is coming as a Username now.
Deny Remove permission but Delete button still enabled
Dealing with documents where getPathAsString() == null
Why an user with "Everything" permission cannot download files?
restrict access to users during the task assignment in a workflow