Disable site deletion for all non admin users

bip1989
Established Member

Hello there

I want to disable the site delete option for all non-admin users. Only admin users can delete the site. Even a non-admin user who originally created the site should not be allowed to delete the site.
By following some of the similar questions in this forum, I am able to hide the delete option from the dashlet and header menu. But a non-admin user is able to delete the site via an API call.

Which means it is still allowed to delete the site at repo level.
How can I disable the site deletion at repo level as well? Please provide some guidance.

Appreciate your kind guidance. Thanks in advance

1 Solution

Accepted Solutions
abhinavmishra14
Advanced

Re: Disable site deletion for all non admin users

Follow these steps:

1- Create site-security-model-context.xml (you can choose any meaningful name) under <ALFRESCO_HOME>/tomcat/shared/classes/alfresco/extension or at module level if you are using custom modules and applying it to the alfresco.war.

At module level it could be like:

<YOUR_CUSTOM_REPO_MODULE>/src/main/resources/alfresco/module/YOUR_CUSTOM_REPO_MODULE/context/site-security-model-context.xml

2- Add the following bean definition:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
	<bean id="SiteService_security"
		class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
		<property name="authenticationManager">
			<ref bean="authenticationManager" />
		</property>
		<property name="accessDecisionManager">
			<ref bean="accessDecisionManager" />
		</property>
		<property name="afterInvocationManager">
			<ref bean="afterInvocationManager" />
		</property>
		<property name="objectDefinitionSource">
			<value>
				org.alfresco.service.cmr.site.SiteService.cleanSitePermissions=ACL_NODE.0.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.createContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.GROUP_SITE_CREATORS
				org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_METHOD.ALFRESCO_ADMINISTRATORS
				org.alfresco.service.cmr.site.SiteService.findSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.getContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.listContainers=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.getMembersRole=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.getMembersRoleInfo=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.resolveSite=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.getSite=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.getSiteShortName=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.getSiteGroup=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.getSiteRoleGroup=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.getSiteRoles=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.getSiteRoot=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.hasContainer=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.hasCreateSitePermissions=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.hasSite=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.isMember=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.listMembers=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.listMembersInfo=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.listMembersPaged=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.listSiteMemberships=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.listSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.listSitesPaged=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.removeMembership=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.canAddMember=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.setMembership=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.updateSite=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.countAuthoritiesWithRole=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.isSiteAdmin=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.*=ACL_DENY
			</value>
		</property>
	</bean>

</beans>

Notice the following line; this will allow only admin users to delete the sites.

org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_METHOD.ALFRESCO_ADMINISTRATORS

You can find documentation on the topic here:

https://docs.alfresco.com/5.2/tasks/site-creation-permission.html

~Abhinav
(ACSCE, AWS SAA, Azure Admin)

3 Replies
bip1989
Established Member

Re: Disable site deletion for all non admin users

Thanks for this, it works for me.

I have one small question: can I do the same for securing the create site option as well on the repository side?

I see the config present for create site as well.

abhinavmishra14
Advanced

Re: Disable site deletion for all non admin users

Yes, you can do that as well.

Suppose you want sites to be created by only admins, then this would be the config:

org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.ALFRESCO_ADMINISTRATORS

~Abhinav
(ACSCE, AWS SAA, Azure Admin)
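
Added example (not part of the original thread and not Alfresco code): a small Python check that parses a context file like the one in the accepted answer and confirms that deleteSite (and, per the follow-up reply, optionally createSite) is restricted to ACL_METHOD.ALFRESCO_ADMINISTRATORS and that the catch-all ACL_DENY entry is present. The function names load_rules and audit and the shortened sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PREFIX = "org.alfresco.service.cmr.site.SiteService."
ADMIN = "ACL_METHOD.ALFRESCO_ADMINISTRATORS"

# Constructed sample: a shortened version of the override bean from the answer.
SAMPLE = b"""<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
  <bean id="SiteService_security"
        class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
    <property name="objectDefinitionSource">
      <value>
        org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.GROUP_SITE_CREATORS
        org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_METHOD.ALFRESCO_ADMINISTRATORS
        org.alfresco.service.cmr.site.SiteService.getSite=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
        org.alfresco.service.cmr.site.SiteService.*=ACL_DENY
      </value>
    </property>
  </bean>
</beans>"""

def load_rules(xml_bytes, bean_id="SiteService_security"):
    """Return {method: [security attributes]} from the bean's objectDefinitionSource."""
    root = ET.fromstring(xml_bytes)
    path = f"./bean[@id='{bean_id}']/property[@name='objectDefinitionSource']/value"
    value = root.find(path)
    if value is None:
        raise ValueError(f"bean {bean_id} has no objectDefinitionSource value")
    rules = {}
    for line in (value.text or "").splitlines():
        key, sep, attrs = line.strip().partition("=")
        if not sep:
            continue  # blank line or a line without a mapping
        method = key[len(PREFIX):] if key.startswith(PREFIX) else key
        if method in rules:
            raise ValueError(f"duplicate entry for {method}")
        rules[method] = [a.strip() for a in attrs.split(",")]
    return rules

def audit(rules, admin_only=("deleteSite",)):
    """Return findings for methods that are not admin-only or a missing catch-all deny."""
    findings = []
    for method in admin_only:
        if rules.get(method) != [ADMIN]:
            findings.append(f"{method}: expected {ADMIN}, found {rules.get(method)}")
    if rules.get("*") != ["ACL_DENY"]:
        findings.append("*: catch-all ACL_DENY entry is missing")
    return findings
```

Calling audit(load_rules(SAMPLE), admin_only=("deleteSite", "createSite")) reports createSite, because the sample still grants it to GROUP_SITE_CREATORS rather than the admin-only value from the follow-up reply.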