Block access to nuxeo administrator


Is it possible to block access to the administrator for a certain workspace/folder in Nuxeo(-dm) 5.5?

We tried set all permissions to “deny” but the folder is still visible to administrator. And we did save “local rights”.

The same behavior happens if administrator in question is defined through “administratorId” in the config of is only a member of administrators.

The desired effect is the following :

We want to have a “nuxeo officer/administrator” who is able to fine tune our Nuxeo instance, and sometime helps user with problems.

But we don't want this user be able to see certain sensitive documents (like salaries). Is there a way to achieve this goal?



0 votes

1 answers



I played a little bit with the SecurityPolicy api, but it seems that if a user is in the groups "administrators", the SecurityPolicy extension checkPermission method is not called.

What happens if you enable document-level security and remove inherited rights? Same result?

Can you point me to the right place in the documentation to enable document-level security?

Have a look here >

Although based on what you describe I don't hold out hope that this will make any difference.


This is not possible with the current security model. Note that even if it was, your administrator probably has access to the database and storage and would be able to access the document anyway, albeit not as easily.

You may want to store an encrypted version of the document instead, with the decryption key shared only between people who should be able to access it (encryption/decryption would be done client-side, outside Nuxeo).

1 votes

Not in our case.