Posts Tagged 'permissions'

Sudo for Scripts in Alfresco

Today I ran into the pitfall of Alfresco scripts and permissions again. For all kinds of reasons I cannot rewrite code, but I run into trouble because a user having a particular role executes a script that modifies permissions. This of course fails if this user has fewer permissions on a given space or document than expected. The user/group will have more permissions (that make no sense) than needed, and only a tiny change in the security settings can screw up the transaction the script is part of. The best approach is of course to get rid of the script approach altogether (as far as permissions are concerned), and implement a decent class running as System. But I cannot.

I remember having seen the sudoUtils in the past, and the improved version after that, created by Fabio Strozzi. This is nice, but it does not exactly match my use case and requirements. I have no clue who executes this function. An unknown set of groups, growing over time, can execute it, but only if it is defined in a particular script. The script limits the access, not the user or group. It would make sense to allow execution of a particular named script (or better, a set of predefined scripts). My idea is that I can define a set of scripts that can be executed as the System user. However, to keep this secure, these named scripts (listed in alfresco-global.properties) need to be loaded from the classpath, not from the repository.

Let's face it, if someone has access to the file system, anything is possible…

Change the permissions on a Share Site

In Alfresco Share, the group EVERYONE gets the Consumer role by default. This does not fit the case where Share is used in an Extranet scenario. External users do need to have access to the Site they are participating in. All other internal Sites do not need to be visible to them, by design. The trick is to remove the group EVERYONE from the default permissions list, and to substitute it with another group containing the internal employees.

This posting uses a script that is run on the Inbound event of creating a Site. When the site is created, the permissions for EVERYONE are revoked, and a new group Employees is granted the Consumer role for each and every site.

Recursive overview of Permissions in Alfresco

Often we create all kinds of folder structures, and assign, add or remove permissions for particular groups. But how do we keep an overview of who can do what? Which folders inherit permissions, and where are they set again?
I frequently use this presentation template (as a custom view in the Alfresco Explorer) to find out how the permissions are set.