Change the permissions on a Share Site

In Alfresco Share the group EVERYONE gets the Consumer role by default. This does not fit the scenario where Share is used in an Extranet scenario. External users do need to have access to the Site they are participating in. All other internal Sites do not need to be visible by design. The trick is to remove the group EVERYONE from the default permissions list, and to substitute this with any other group of internal employees.

This posting uses a script that is run on the Inbound event of creating a Site. If the site is created, the permissions for EVERYONE are revoked, and a new group Employees is granted the Consumer role for each and every site.

Remind: you have to ensure ‘manually’ that all new users that are internal users (i.e. Employees) are member of the group Employees. (A nice alternative can be to change the default permissions before the Site is created. However, I have not found this configuration yet…)

The script has a DEBUG variable. If this is set to true, the description of the Site is filled with the new settings.
If any error occurs while persisting the new permissions, this is ‘logged’ in the description field of the Site.

// By design, EVERYONE has access to all Sites (except private ones).
// The default should be, consumer access for all Employees
// If external people (but Share users) are added, do it on an individual site-by-site basis
// When a site is created:
// - remove access for EVERYONE
// - add group Medewerkers to the Consumer role
// Execute this script against a site Folder

var DEBUG = false;

if ((document.isContainer) && (null != companyhome.childByNamePath("Sites/"+{

var groupEmployees = "GROUP_Employees"; // the group to assign Consumer rights
var groupEveryone = "GROUP_EVERYONE"; //GROUP_EVERYONE the group to remove from the permission list

var display="";

var site = siteService.getSite(;

// if the group Employees does not exist yet, create it.
var group_employees = people.getGroup(groupEmployees);
if (null == group_employees) {

// set permissions for our employees

// remove any existing generic permissions

// disable inheritance to prevent EVERYONE access from the 'Site' space

var perms = document.getPermissions();
for each (perm in perms){
display += "{"+ perm + "}, ";

if (DEBUG){
logger.log("DEBUG: setting Site permissions: " display);
} //end if debug
} catch (err) {
logger.log("ERROR in setting Site permissions, display: " display);
logger.log("ERROR in setting Site permissions, error: " err);
} // end try

} // end if isContainer