ACL inheritance - am I missing something?

I'm sure I must be missing something, but I'm not sure what exactly. Here's the scenario ...

I've got a document space which gets created with the GROUP_EVERYONE cmis:read ACE. If any further content I create as a child of that content inherits the permissions, am I right in thinking that any further child will always have the GROUP_EVERYONE cmis:read ACE? How do I apply ACEs so that access is denied to GROUP_EVERYONE if there is some ancestor, no matter how far away, that has the ACE added?

MTIA

Re: ACL inheritance - am I missing something?

By default, GROUP_EVERYONE is set to read on the root folder. And, by default, all objects inherit from their parent. So unless GROUP_EVERYONE is removed from the root folder, every descendant of root that doesn't explicitly break ACL inheritance will inherit GROUP_EVERYONE as a reader.

Unfortunately, you cannot use CMIS to break inheritance.

Jeff

Chief Community Officer
Alfresco Software
Blog: ecmarchitect.com | Twitter: jeffpotts01
CMIS APIs: Apache Chemistry | CMIS and Apache Chemistry in Action
Alfresco tutorials: Alfresco Developer Series

Re: ACL inheritance - am I missing something?

Thanks Jeff, I have a follow-up.

I'd like to be able to give two users with different group assignments a different view of a single folder, i.e. in a folder there are 2 files, one which has Group A cmis:read, the other which has Group B cmis:read. Therefore a user from Group A would only see a single file, and the same is true for Group B, except it would be the other file. From what I can tell that's not possible with the current permissions mapping in Alfresco, and perhaps not at all within the bounds of CMIS. Can you advise?

MTIA.

Re: ACL inheritance - am I missing something?

Suppose the folder is called "Some Folder". To implement your example, you'd need to make sure that the EVERYONE group is removed from Some Folder. You would then make sure that file1 has Group A set as a consumer (cmis:read) with inheritance broken (which you cannot do through CMIS). You would add Group B to file2 as a consumer, again with inheritance broken. You can add both Group A and Group B to Some Folder as consumers. Now, when members of each group view the folder, they will each only see one file.

If you use Alfresco (not CMIS) to break the inheritance on the objects, you can use CMIS for the rest.

Jeff

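As an added illustration (not code from this thread, from Alfresco or from Apache Chemistry), here is a small Python model of the inheritance rules Jeff describes: an object's effective ACL is its direct ACEs merged with its parent's effective ACL, walking upwards until an object has inheritance broken. The node names, the constructed tree and the choice to model "EVERYONE removed from Some Folder" as breaking inheritance at that folder are assumptions made for the example.

```python
from dataclasses import dataclass, field

EVERYONE = "GROUP_EVERYONE"


@dataclass
class Node:
    """A repository object with its direct ACEs (model only, not Alfresco's data structures)."""
    name: str
    parent: "Node | None" = None
    direct_aces: dict = field(default_factory=dict)  # principal -> set of CMIS permissions
    inherits: bool = True  # False = inheritance broken (per the thread, needs Alfresco, not CMIS)
    children: list = field(default_factory=list)

    def __post_init__(self):
        if self.parent is not None:
            self.parent.children.append(self)


def effective_acl(node):
    """Merge direct ACEs with every ancestor's ACEs until an object that breaks inheritance."""
    acl = {}
    cur = node
    while cur is not None:
        for principal, perms in cur.direct_aces.items():
            acl.setdefault(principal, set()).update(perms)
        cur = cur.parent if cur.inherits else None
    return acl


def can_read(node, groups):
    """True if any of the caller's groups holds cmis:read in the effective ACL."""
    acl = effective_acl(node)
    return any("cmis:read" in acl.get(g, set()) for g in groups)


def visible_children(folder, groups):
    """Names of the folder's children the caller is allowed to read (what a listing shows)."""
    return sorted(c.name for c in folder.children if can_read(c, groups))


def build_scenario(break_file_inheritance=True):
    """Constructed tree from the thread: root grants GROUP_EVERYONE cmis:read; 'Some Folder'
    breaks inheritance (removing the EVERYONE reader) and grants Group A and Group B;
    file1/file2 carry one group each, with inheritance broken or kept per the flag."""
    root = Node("Company Home", direct_aces={EVERYONE: {"cmis:read"}})
    shared = Node("Shared", root)  # inherits from root: still readable by everyone
    folder = Node("Some Folder", root,
                  {"GROUP_A": {"cmis:read"}, "GROUP_B": {"cmis:read"}}, inherits=False)
    Node("file1", folder, {"GROUP_A": {"cmis:read"}}, inherits=not break_file_inheritance)
    Node("file2", folder, {"GROUP_B": {"cmis:read"}}, inherits=not break_file_inheritance)
    return {"root": root, "shared": shared, "folder": folder}
```

With inheritance broken on the files, Group A lists only file1 and Group B only file2; if the files keep inheriting, both groups see both files because the folder's ACEs flow down.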