How to enable non-admin user to modify ACLs to docs

cancel
Showing results for 
Search instead for 
Did you mean: 
Member II

How to enable non-admin user to modify ACLs to docs

Jump to solution

Hello All

How do we enable user to modify ACLs (add new, remove existing) ?

Me as an admin can make a call to folder.addAcl() and assign new permissions for principals. But how can i enable other selected user to achieve the same thing? Would i need to put a user into a group and then assign it some capabilities that would enable them to assign acls?

Thanks

Krzysztof

1 Solution

Accepted Solutions
Master

Re: How to enable non-admin user to modify ACLs to docs

Jump to solution

You mean out-of-the-box? There isn't even a way to set this privilege in Share without some minor customisation. But as long as you have a tool / client that can call a ReST API, you could use either ReST v1 API or custom web scripts to set this privilege.

View solution in original post

10 Replies
Master

Re: How to enable non-admin user to modify ACLs to docs

Jump to solution

A user needs to have the ChangePermissions privilege / permission on the document (or inherited from the parent folder) to be able to manage the ACL.

Member II

Re: How to enable non-admin user to modify ACLs to docs

Jump to solution

Is there a way to set it outside of Share?

Master

Re: How to enable non-admin user to modify ACLs to docs

Jump to solution

You mean out-of-the-box? There isn't even a way to set this privilege in Share without some minor customisation. But as long as you have a tool / client that can call a ReST API, you could use either ReST v1 API or custom web scripts to set this privilege.

View solution in original post

Member II

Re: How to enable non-admin user to modify ACLs to docs

Jump to solution

Thanks for reply.

Do you mind telling me which rest public so i I can use to set permissions?

Master

Re: How to enable non-admin user to modify ACLs to docs

Jump to solution

A pu to the /nodes/{nodeId} v1 ReST endpoint allows to set permissions.

Member II

Re: How to enable non-admin user to modify ACLs to docs

Jump to solution

Thanks for pointing me to this endpoint. I am able to add new permissions with it now.

However, overwriting the existing inherited permissions doesn't work. Inherited permissions are: GROUP_EVERYONE, Consumer, ALLOWED. I would like to remove it or overwrite it with GROUP_EVERYONE, Consumer, DENIED.

I end up having them both set, and since ALLOWED is first on the list, it is applied first.

Is there a way to remove ALLOWED or overwrite it?

Master

Re: How to enable non-admin user to modify ACLs to docs

Jump to solution

The order of the permissions does not matter. If there is a DENIED set on a level in addition to an inherited ALLOWED, the DENIED has precedence.

The only way to remove inherited ALLOWED is to disable the inheritance on that folder alltogether.

Member II

Re: How to enable non-admin user to modify ACLs to docs

Jump to solution

I see. 

What's the precedence in reverse situation? I.e. when DENIED is inherited and you want to enable a group to documents in child folder only?

Member II

Re: How to enable non-admin user to modify ACLs to docs

Jump to solution

And what happens when user is in GROUP_EVERYONE with DENIED and also in another group with "Write" ALLOWED?

Would the GROUP_EVERYONE rule overwrite the 2nd group's write access? Can user be in two different groups, one of which allows him access and the other denying him access?