Block access to nuxeo administrator

Hi,

Is it possible to block access to the administrator for a certain workspace/folder in Nuxeo(-dm) 5.5?

We tried set all permissions to “deny” but the folder is still visible to administrator. And we did save “local rights”.

The same behavior happens if administrator in question is defined through “administratorId” in the config of is only a member of administrators.

The desired effect is the following :

We want to have a “nuxeo officer/administrator” who is able to fine tune our Nuxeo instance, and sometime helps user with problems.

But we don't want this user be able to see certain sensitive documents (like salaries). Is there a way to achieve this goal?

Thanks.

Patrick

0 votes

1 answers

1059 views

ANSWER

I played a little bit with the SecurityPolicy api, but it seems that if a user is in the groups "administrators", the SecurityPolicy extension checkPermission method is not called.
02/28/2012

What happens if you enable document-level security and remove inherited rights? Same result?
03/01/2012

Can you point me to the right place in the documentation to enable document-level security?
03/01/2012

Have a look here > http://doc.nuxeo.com/display/KB/How+to+let+user+set+rights+on+non+folderish+documents

Although based on what you describe I don't hold out hope that this will make any difference.

03/01/2012



This is not possible with the current security model. Note that even if it was, your administrator probably has access to the database and storage and would be able to access the document anyway, albeit not as easily.

You may want to store an encrypted version of the document instead, with the decryption key shared only between people who should be able to access it (encryption/decryption would be done client-side, outside Nuxeo).

1 votes



Not in our case.
03/01/2012