Complex Permission Management Question

Showing results for 
Search instead for 
Did you mean: 
Active Member II

Complex Permission Management Question

Hi All

We have an Alfresco 5.2 Community implementation, where there is a complex hierarchy of folders under sites. Something like the below:

Site A--> Folder 1  ---> Subfolder 1, 2, 3 etc.  

                Folder 2 ---> Subfolder 4, 5, 7 etc.

It gets fairly complex, but the above is an over simplified representation.

Now we want that a user be made a Manager at Sub Folder 1 (but NOT have any access to Subfolder 2 and 3 and NOT to Folder 2 and its children folders). This user should be able to add users to Subfolder 1 as contributor/collaborator etc. She should also be able to add/remove users from sub-sub-folders of subfolder 1.

Now, we can always go to "Manage Permissions" for Subfolder 1 and add this user as manager using locally set permissions. But she would not get any access to "Folder 1" or  "Site A". How would she be able to browse to and find Subfolder 1?

Is there any addon to help manage this? Am I missing some obvious feature of Alfresco Share that would help with this?



1 Reply

Re: Complex Permission Management Question

I am not aware of any addon that covers this specific constellation. Since permission schemes are typically extremely specific to the use cases of individual customers / users, I don't expect any addons to exist that automate such behaviour (granting read access up the folder tree to "reach" a specific folder where a permission has been granted), primarily because such automatisms would risk accidentally exposing critical information, and no developer would accept the risk of warranty / indemnity issues that could come with providing such a security-related addon. Neither does Alfresco really provide the tooling / framework to develop such automatisms. Only since Alfresco 5.2.x does a policy interface actually exist that could support that kind of logic, but it is neither marked as part of the public API nor are its invocations correctly implemented (it's an internal hack by an Alfresco engineer, really).

So, to keep things short: If you allow access on a specific folder for a specific user, you yourself must ensure that the user can actually navigate to that folder. This would mean ensuring that user is a member of the site, and potentially granting read permissions on ancestor folders, as well as disabling / fixing any inherited read permissions on other folders the user should NOT be able to access.