Block permissions inheritance programatically


is it possible to block permission inheritance via API?

When we try by resetting the ACP it seems not to work, and still permissions are inherited.

Thank you

EDIT: my use case is the following:

i want to create a document (folder) inside a tree of other folders, but want only the creator and users from the admin group to have access on it

0 votes

1 answers




I also have the same question but in the contexte of the content automation with the rest api…

My need is to block inheritance on a specific folder

Thank you for your help


@vieville Automation is a different matter, please ask a new question.

Don't know about the API, but you could create a listener for various document creation events (DOCUMENT_CREATED, DOCUMENT_CREATED_BY_COPY, DOCUMENT_DUPLICATED, etc.) and then remove inheritance and set default ACL.

Something like…

DocumentRef docRef = docModel.getRef();
ACP acp = this.session.getACP(docRef);

// delete existing 'local' ACL 

// block inheritance
acp.getOrCreateACL().add(new ACE(SecurityConstants.EVERYONE, SecurityConstants.EVERYTHING, false));

// and then create the local ACL entries you do want
ACL acl = acp.getOrCreateACL(ACL.LOCAL_ACL);
... and then create desired ACEs ...
acl.add(new ACE("testgroup","Read", true));
this.session.setACP(docRef, acp, true);
0 votes

hello Bruce thank you very much for your answer i have tried what you suggest above, and, while the inheritance is removed, local permissions do not seem to work. Do you have any suggestions on that / have you ever had such a case?

Thanks again


I added lines to above example to create ACE and then save updated ACL to doc - is this what you tried?

hello bruce, thanks for the info,the main difference i can find is the override=true in setACP, will try that and get back to you with the result, thanks

hello bruce, it doesn't seem to work, unless we are doing something wrong.

We found out it works if we set the local ACL before doing acp.getOrCreateACL().add(new ACE(SecurityConstants.EVERYONE, SecurityConstants.EVERYTHING, false));

We are thinking it may have something to do with the fact that the above line may remove also the right te set the new ACP.


The only other thing I can think is that I have this code running in a class that extends UnrestrictedSessionRunner so it has fully trusted status

bruce, i am going to accept your answer as it pointed me in the right direction, thank you

Hey Bruce,

How you are getting docModel Object if you want to write a stand alone java program and do the same ?

Thanks in Advance.