Customizing default permissions in securityService

Hello team,

I'm customizing some permissions at the document level and I have some questions regarding the atomic permissions.

I'm confused about some of the atomic permissions listed here, like what the difference is between “browse” and “ReadProperties”. It looks like “ReadProperties” includes the “browse” permission only, and “read” includes both of them. Why do we just include “ReadProperties” since it already contains “browse”?

Some of them are obvious from their names, like (ReadVersion, WriteVersion, AddChildren, ReadChildren, RemoveChildren), but could anyone clarify the purpose of these permissions (ReadLifeCycle, WriteLifeCycle, ManageWorkflows, ReadSecurity, WriteSecurity)?

Also, where can I find what the “Everything” permission includes, as mentioned here, so I can customize it? For example: I want to give a user read-write permission and include the (give other users access) privilege without giving him the “Everything” permission. Is it possible?

I would appreciate it if anyone could help me understand this or provide me with documentation.

Thank you

0 votes

1 answers

1181 views

ANSWER



Here is documentation on the differences between the atomic permissions:

https://github.com/nuxeo/nuxeo/blob/2387c0ba417810c3b68fd8d51795b46cdee6f579/modules/core/nuxeo-core/doc/NXCore-Security.txt

Basic permissions and their groupings:

  • Browse: know about a document, but not necessarily get detailed information about it.
  • ReadProperties: read the properties of a document. This gives access to all the document's content, but not its security, and not its children if it's a folder. ReadProperties implies Browse.
  • ReadSecurity: read the security of a document.
  • ReadChildren: read the list of children of a folder.
  • Read: a grouping of ReadProperties and ReadChildren.
  • WriteProperties: write the properties of a document, excluding the security or the manipulation of children.
  • Version: checkin a version of the document.
  • WriteSecurity: write the security of a document.
  • AddChildren: add children to a folder.
  • RemoveChildren: remove children from a folder.
  • Remove: remove a document itself.
  • Write: a grouping of WriteProperties, AddChildren, Remove, RemoveChildren.
  • Everything: a pseudo group of all the permissions in the system.

I haven't been able to find the code for “Everything”, but you may be able to just make a new permission that includes ReadWrite and WriteSecurity to get what you want (I haven't tested this, but it seems like that would be the permission to allow for giving other users access).

0 votes
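
One way to write the custom permission the answer suggests, as an added example that is not part of the original thread or of Nuxeo's own contributions. The component name and the permission name `ReadWriteAndShare` are hypothetical, and the `permissions` extension point of `org.nuxeo.ecm.core.security.SecurityService` with `<include>` elements is assumed to behave as in Nuxeo's default permissions contribution:

```xml
<?xml version="1.0"?>
<!-- Hypothetical component name; follow your own bundle's naming. -->
<component name="com.example.security.custom-permissions">

  <extension target="org.nuxeo.ecm.core.security.SecurityService"
             point="permissions">

    <!-- Hypothetical compound permission: read-write plus the right to
         edit the document's ACL, without granting "Everything". -->
    <permission name="ReadWriteAndShare">
      <!-- ReadWrite is the existing grouping named in the answer. -->
      <include>ReadWrite</include>
      <!-- WriteSecurity: write the security of a document. -->
      <include>WriteSecurity</include>
      <!-- ReadSecurity is a separate permission in the list above.
           Uncomment if the user must also view the existing ACL:
      <include>ReadSecurity</include>
      -->
    </permission>

  </extension>
</component>
```

A user holding WriteSecurity on a document can edit that document's ACL, including entries for their own account, so grant this permission only on the folders where delegation is intended.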



Thank you so much for your reply. I really appreciate your time; that's exactly what I needed.
10/07/2020