Allow coordinator to create user

Member II

Allow coordinator to create user

I can't figure out how to give the coordinator enough privileges to successfully create a user. The issue right now is that the coordinator is able to create the person using personService but fails when the coordinator tries to setPermissions on the newly created person. The command
this.permissionService.setPermission(newPerson, this.userName, permissionService.getAllPermission(), true);

fails and sends back an Access Denied. Inappropriate permissions.

I am using 1.2 RC1. Any help would be appreciated.

Thanks in advance.
2 Replies
Active Member

Re: Allow coordinator to create user


Apologies, I am not sure where you have got to and have missed some of this as it appears in several places….

To set a permission you would need the appropriate permission for the node "ChangePermissions", which you do not have from the error.

The Coordinator permission group (role if you must) is normally assigned to a folder. It seems odd that an object level permission would include creating users for the repo as a whole.

You could assign someone as a Coordinator for the whole repo.
This permission can be assigned to people/groups as a global permission in the permissionDefinitions.xml. You may need a new permission group for this including ChangePermissions. This will allow more than adding a user…..

Currently only administrators can manage people.
I suggest you could have (and maybe Alfresco should have …) a permission associated with the person type like manage people.
This permission could then be assigned to people/groups as a global permission in the permissionDefinitions.xml. The person service could then be protected using this permission, without leaking more general permissions …..

If really you want some people to have full admin rights then you can add them to the admin group in the authority-services-context.xml.

Hope this helps


Member II

Re: Allow coordinator to create user

Thanks for the reply.

I got around the issue by giving the person permissions to the person container node. 

What I am trying to do is create a role that allows a person to add (invite + create new) to a group and create subgroups of the group that they are the "admin" of. That person would not be able to control anywhere else.

I have created a new permissionGroup in sys:base called GroupAdmin that has the required permissions. This GroupAdmin permissionSet is assigned to the appropriate method in the public security xml file.

Is this an appropriate approach?