How to enable non-admin user to modify ACLs to docs

longinus
Member II


Hello All

How do we enable a user to modify ACLs (add new, remove existing)?

As an admin, I can make a call to folder.addAcl() and assign new permissions for principals. But how can I enable other selected users to achieve the same thing? Would I need to put a user into a group and then assign it some capabilities that would enable them to assign ACLs?

Thanks

Krzysztof

afaust
Master

Re: How to enable non-admin user to modify ACLs to docs


A user needs to have the ChangePermissions privilege / permission on the document (or inherited from the parent folder) to be able to manage the ACL.

longinus
Member II

Re: How to enable non-admin user to modify ACLs to docs


Is there a way to set it outside of Share?

afaust
Master

Re: How to enable non-admin user to modify ACLs to docs


You mean out-of-the-box? There isn't even a way to set this privilege in Share without some minor customisation. But as long as you have a tool / client that can call a ReST API, you could use either ReST v1 API or custom web scripts to set this privilege.

longinus
Member II

Re: How to enable non-admin user to modify ACLs to docs

Thanks for the reply.

Do you mind telling me which public REST API I can use to set permissions?

afaust
Master

Re: How to enable non-admin user to modify ACLs to docs

A PUT to the /nodes/{nodeId} v1 ReST endpoint allows setting permissions.

longinus
Member II

Re: How to enable non-admin user to modify ACLs to docs


Thanks for pointing me to this endpoint. I am able to add new permissions with it now.

However, overwriting the existing inherited permissions doesn't work. Inherited permissions are: GROUP_EVERYONE, Consumer, ALLOWED. I would like to remove it or overwrite it with GROUP_EVERYONE, Consumer, DENIED.

I end up having them both set, and since ALLOWED is first on the list, it is applied first.

Is there a way to remove ALLOWED or overwrite it?

afaust
Master

Re: How to enable non-admin user to modify ACLs to docs


The order of the permissions does not matter. If there is a DENIED set on a level in addition to an inherited ALLOWED, the DENIED has precedence.

The only way to remove inherited ALLOWED is to disable the inheritance on that folder altogether.
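An added example, not part of the thread: building the body for the PUT to /nodes/{nodeId} that sets GROUP_EVERYONE / Consumer to DENIED locally and, optionally, turns inheritance off. The base URL, the GROUP_editors entry and the sample permissions are constructed; it assumes the PUT replaces the node's whole locally set list, so existing local entries are carried over.

```python
import base64
import json
import urllib.request

# Assumed base URL of the v1 public API on a local test install (not from the thread).
API = "http://localhost:8080/alfresco/api/-default-/public/alfresco/versions/1"

# Constructed sample of the "permissions" object returned by
# GET /nodes/{nodeId}?include=permissions (GROUP_editors is hypothetical).
SAMPLE_PERMISSIONS = {
    "isInheritanceEnabled": True,
    "inherited": [{"authorityId": "GROUP_EVERYONE", "name": "Consumer", "accessStatus": "ALLOWED"}],
    "locallySet": [{"authorityId": "GROUP_editors", "name": "Collaborator", "accessStatus": "ALLOWED"}],
}

def build_acl_update(current, changes, inherit=None):
    """Build the PUT /nodes/{nodeId} body from the current permissions.

    changes: (authorityId, name, accessStatus) tuples; accessStatus None drops
    a locally set entry. Inherited entries are never copied into locallySet.
    """
    # Assumption: the PUT replaces the whole locallySet list, so keep what is there.
    acl = {(p["authorityId"], p["name"]): p.get("accessStatus", "ALLOWED")
           for p in current.get("locallySet", [])}
    for authority, name, status in changes:
        if status is None:
            acl.pop((authority, name), None)
        elif status in ("ALLOWED", "DENIED"):
            acl[(authority, name)] = status
        else:
            raise ValueError(f"unknown accessStatus: {status!r}")
    permissions = {"locallySet": [
        {"authorityId": a, "name": n, "accessStatus": s} for (a, n), s in sorted(acl.items())]}
    if inherit is not None:
        permissions["isInheritanceEnabled"] = inherit
    return {"permissions": permissions}

def put_acl(node_id, body, user, password):
    """Send the update; the caller needs ChangePermissions on the node."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{API}/nodes/{node_id}", data=json.dumps(body).encode(), method="PUT",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Calling `build_acl_update(SAMPLE_PERMISSIONS, [("GROUP_EVERYONE", "Consumer", "DENIED")], inherit=False)` yields a body that keeps the existing local grant, adds the DENIED entry and disables inheritance in one request.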

longinus
Member II

Re: How to enable non-admin user to modify ACLs to docs

I see.

What's the precedence in the reverse situation? I.e. when DENIED is inherited and you want to enable a group to access documents in a child folder only?

longinus
Member II

Re: How to enable non-admin user to modify ACLs to docs

And what happens when a user is in GROUP_EVERYONE with DENIED and also in another group with "Write" ALLOWED?

Would the GROUP_EVERYONE rule overwrite the 2nd group's write access? Can a user be in two different groups, one of which allows him access and the other denying him access?