Create Custom Role

sandroh
Member II

Create Custom Role

Where can I find documentation to study the existing permission groups?
14 Replies
zaizi
Member II

Re: Create Custom Role

sandroh
Member II

Re: Create Custom Role

On the wiki at http://wiki.alfresco.com/wiki/Permissions_and_Roles_Configuration#Default_Permissions


Thanks Zaizi for this link, but my problem now is a different one: creating a new custom rule.

E.g. Contributor permissions:
Start discussion, create only content, delete only content, no permission to copy content.

Editor permissions:
Invite user to space.

Do you know where to make these custom permissions? They do not exist in default_permissions… Where can I create a new type of rule to add to my custom rule?
zaizi
Member II

Re: Create Custom Role

The file you need to look at is your_install_dir/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/model/permissionDefinitions.xml or <JBOSS_HOME>/server/default/tmp/deploy/tmp*alfresco-exp.war/WEB-INF/classes/alfresco/model/permissionDefinitions.xml.

The following snippet from the file shows the default roles. You can use it to create your custom role.

   <permissionSet type="cm:cmobject" expose="selected">
      
      <!-- Kept for backward compatibility - the administrator permission has   -->
      <!-- been removed to avoid confusion -->
      <permissionGroup name="Administrator" allowFullControl="true" expose="false" />
     
      <!-- A coordinator can do anything to the object or its children unless the     -->
      <!-- permissions are set not to inherit or permission is denied.                 -->
      <permissionGroup name="Coordinator" allowFullControl="true" expose="true" />
     
      <!-- A collaborator can do anything that an editor and a contributor can do -->
      <permissionGroup name="Collaborator" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="Editor" type="cm:cmobject" />
         <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject" />
      </permissionGroup>
     
      <!-- A contributor can create content and then they have full permission on what -->
      <!-- they have created - via the permissions assigned to the owner.              -->
      <permissionGroup name="Contributor" allowFullControl="false" expose="true" >
          <!-- Contributor is a consumer who can add content, and then can modify via the -->
          <!-- owner permissions.                                                      -->
          <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject"/>
          <includePermissionGroup permissionGroup="AddChildren" type="sys:base"/>
          <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />
      </permissionGroup>
     
      <!-- An editor can read and write to the object; they can not create    -->
      <!-- new nodes. They can check out content into a space to which they have       -->
      <!-- create permission.                                                          -->
      <permissionGroup name="Editor"  expose="true" allowFullControl="false" >
          <includePermissionGroup type="cm:cmobject" permissionGroup="Consumer"/>
          <includePermissionGroup type="sys:base" permissionGroup="Write"/>
          <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>
          <includePermissionGroup type="sys:base" permissionGroup="ReadPermissions"/>
      </permissionGroup>
     
      <!-- The Consumer permission allows read to everything by default.                  -->
      <permissionGroup name="Consumer" allowFullControl="false" expose="true" >
          <includePermissionGroup permissionGroup="Read" type="sys:base" />
      </permissionGroup>
     
      <permissionGroup name="Pending" allowFullControl="false" expose="true" >
          <includePermissionGroup permissionGroup="Read" type="sys:base" />
      </permissionGroup>
     
      <!-- records permission -->
      <!-- Should be tied to the aspect -->
      <!-- ownership should be removed when using this permission -->
      <permissionGroup name="RecordAdministrator" allowFullControl="false" expose="false">
          <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
          <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
          <includePermissionGroup type="sys:base" permissionGroup="WriteProperties"/>
          <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
          <includePermissionGroup type="sys:base" permissionGroup="DeleteChildren"/>
          <includePermissionGroup type="sys:base" permissionGroup="CreateChildren"/>
          <includePermissionGroup type="sys:base" permissionGroup="LinkChildren"/>
          <includePermissionGroup type="sys:base" permissionGroup="DeleteAssociations"/>
          <includePermissionGroup type="sys:base" permissionGroup="CreateAssociations"/>
      </permissionGroup>
      
   </permissionSet>
sandroh
Member II

Re: Create Custom Role

OK, I'm editing this file, but the rules for create only content (not create folder and content), start discussion and invite user are not provided. Where can I find these rules?

I looked in this link, but I didn't find them.
Do I need to make or customize some file to create this rule, or do these rules exist?
ginny_a
Member II

Re: Create Custom Role

hi sandroh,
Did you get any clue about creating a new role which can only add content? I don't want my custom role to create new folders.
I need a little help please…
sandroh
Member II

Re: Create Custom Role

I did not have additional tips, but I believe that it is possible. Sorry for the delay in replying, I've been busy on some other projects.
I believe that is possible but will require a customization of greater complexity. Our profile createChildrens (create folders and contents), what we would like createFolder, these rules are actually called the set of commands that access apiAlfresco. But not only this custom xml files.
jenn_l
Active Member

Re: Create Custom Role

Hoi all,

I have a situation where a user wants to add content <via business rule> but he can't see that space. I get 'Access Denied'. I want to add a new role in order to add content even when the folder is not visible. I've found this site http://www.packtpub.com/article/roles-in-alfresco that looks like my case. I've tried this but it will not work. I am working with 3.0.
Can anyone help me out with this, please?
g_rathod
Active Member II

Re: Create Custom Role

Hi,

I want to do the same: developing my custom role called "CustomConsumer", with read permission and the ability to post topics in discussions (Alfresco Share).

I tried the following in permissionDefinitions.xml:


      <!-- ***************The Consumer custom role - ****************************************** -->
      <permissionGroup name="CustomConsumer" allowFullControl="false" expose="true" >
          <includePermissionGroup permissionGroup="Read" type="sys:base" />
          <includePermissionGroup permissionGroup="AddChildren" type="fm:topic"/>
      </permissionGroup>

Related entry in sitePermissionDefinitions.xml:


      <!-- CustomConsumer role - -->
      <permissionGroup name="SiteCustomConsumer" allowFullControl="false" expose="true" >
         <includePermissionGroup permissionGroup="CustomConsumer" type="cm:cmobject" />
      </permissionGroup>

But I am getting an error:
14:23:23,734  ERROR [web.context.ContextLoader] Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'indexerComponent' defined in class path resource [alfresco/core-services-context.xml]: Ca
n: Error creating bean with name 'contentService' defined in class path resource [alfresco/content-services-context.xml]: Cannot resolve reference to bean 'nodeService' while se
permissionService'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'permissionService' defined in class path resource
n: 04270000 There is no permission group :{http://www.alfresco.org/model/forum/1.0}topic AddChildren
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'indexerAndSearcherFactory' defined in class path resource [alfresco/core-servi
ean with name 'nodeService': FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean wit
operty 'target'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'permissionServiceImpl' defined in class path resourc
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'admLuceneIndexerAndSearcherFactory' defined in class path resource [alfresco/c
ualContentService' while setting bean property 'multilingualContentService'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean wit
namicAuthorities' with key [1]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'lockOwnerDynamicAuthority' defined in
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'contentService' defined in class path resource [alfresco/content-services-cont
ference to bean 'permissionService' while setting bean property 'permissionService'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating
esco.repo.security.permissions.impl.model.PermissionModelException: 04270000 There is no permission group :{http://www.alfresco.org/model/forum/1.0}topic AddChildren
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'nodeService': FactoryBean threw exception on object creation; nested exception
xml]: Cannot resolve reference to bean 'permissionServiceImpl' while setting bean property 'target'; nested exception is org.springframework.beans.factory.BeanCreationException:
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'mlPropertyInterceptor' defined in class path resource [alfresco/node-services-
eption: Error creating bean with name 'permissionServiceImpl' defined in class path resource [alfresco/public-services-security-context.xml]: Cannot resolve reference to bean 'l
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'multilingualContentService' defined in class path resource [alfresco/model-spe
BeanCreationException: Error creating bean with name 'lockOwnerDynamicAuthority' defined in class path resource [alfresco/public-services-security-context.xml]: Invocation of in
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'permissionService' defined in class path resource [alfresco/public-services-se
ssion group :{http://www.alfresco.org/model/forum/1.0}topic AddChildren
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'permissionServiceImpl' defined in class path resource [alfresco/public-service
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'lockOwnerDynamicAuthority' defined in class path resource [alfresco/public-ser
Caused by: org.alfresco.repo.security.permissions.impl.model.PermissionModelException: 04270000 There is no permission group :{http://www.alfresco.org/model/forum/1.0}topic AddC
        at org.alfresco.repo.security.permissions.impl.model.PermissionModel.getPermissionGroup(PermissionModel.java:806)


Any idea? Or what are the exact steps to create a new role?
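
The startup failure in the post above comes from an include that names a (type, permissionGroup) pair the permission model does not define. As an added example (not part of the original thread and not Alfresco code), this Python check parses a permission-definitions document and reports such includes before deployment, along with any group that sets allowFullControl="true"; the sample XML is constructed and cut down, and resolving includes by exact (type, name) match is an assumption drawn from the error message.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the thread's snippets (sys:base cut down).
SAMPLE = """
<permissions>
  <permissionSet type="sys:base" expose="all">
    <permissionGroup name="Read" allowFullControl="false" expose="true"/>
    <permissionGroup name="AddChildren" allowFullControl="false" expose="true"/>
  </permissionSet>
  <permissionSet type="cm:cmobject" expose="selected">
    <permissionGroup name="Coordinator" allowFullControl="true" expose="true"/>
    <permissionGroup name="Consumer" allowFullControl="false" expose="true">
      <includePermissionGroup permissionGroup="Read" type="sys:base"/>
    </permissionGroup>
    <permissionGroup name="CustomConsumer" allowFullControl="false" expose="true">
      <includePermissionGroup permissionGroup="Read" type="sys:base"/>
      <includePermissionGroup permissionGroup="AddChildren" type="fm:topic"/>
    </permissionGroup>
  </permissionSet>
</permissions>
"""

def load_groups(xml_text):
    """Return {(type, group name): permissionGroup element} for every set."""
    groups = {}
    for pset in ET.fromstring(xml_text).iter("permissionSet"):
        for group in pset.findall("permissionGroup"):
            groups[(pset.get("type"), group.get("name"))] = group
    return groups

def unresolved_includes(xml_text):
    """List includes whose (type, permissionGroup) pair is defined nowhere."""
    groups = load_groups(xml_text)
    problems = []
    for (ptype, name), group in groups.items():
        for inc in group.findall("includePermissionGroup"):
            # Assumption: exact match on the pair, as the startup error suggests.
            target = (inc.get("type"), inc.get("permissionGroup"))
            if target not in groups:
                problems.append((f"{ptype}/{name}", target))
    return problems

def full_control_groups(xml_text):
    """List groups that grant everything, for least-privilege review."""
    return sorted(f"{t}/{n}" for (t, n), g in load_groups(xml_text).items()
                  if g.get("allowFullControl") == "true")

if __name__ == "__main__":
    print("unresolved:", unresolved_includes(SAMPLE))
    print("full control:", full_control_groups(SAMPLE))
```

In a real check, pass the combined content of every permission model file the repository loads, since a group defined in one file can be included from another.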
g_rathod
Active Member II

Re: Create Custom Role

Hi experts,

Can I create my custom role like the following:

Role = CustomConsumer (having the consumer role, plus they can add discussion (forum) topics) in Alfresco Share?
Any idea?