Visibility of documents according to the State

Hello everybody,

I'm currently working for an IT project and I'd like to customize the visibility of my documents according to the document's State, using the User Groups

Here's my example :

I created a user group called “Developer” for all our developers

  • if the document is in the Draft state, “Developer” users cannot see the document
  • when the document is in the Validated state, it automatically appears for “Developer” people

How can I do that ?

Thanks a lot, Julien

1 votes

2 answers



There is other way than Security Policy to implement this use case. Here, I assume your document is draft only after creation (certainly a simplification against your use case), but you will have the idea to implement if the document goes back to draft, I let you do it:

Create an eventHandler for creation Event :

  • Events : Document Created
  • Document type : yourDocType
  • Operation chain :
  • Fetch Context Document
  • User & Groups > Login As (let empty field)
  • Document > Set ACL : ReadWrite / yourGroup / aNameOfYourChoice / grant checked
  • Document > Set ACL : Everything / Everyone / aNameOfYourChoice / grant unchecked
  • User & Groups > Logout

And create a second eventHandler for the transition

  • Events : Lifecycle transition event
  • Document type : yourDocType
  • Operation chain :
  • Fetch Context Document
  • User & Groups > Login As (let empty field)
  • Document > remove ACL : aNameOfYourChoice
  • User & Groups > Logout

I think that's all. This is not the best implementation, I will suggest for a production server with a large volume of data a security policy. But this is fine for small/medium project.

0 votes

OK that's going to help me a lot ! You should really do a bigger tutorial about EventHandler, I just discovered it and it seems to be very, very useful ! A tutorial which would explain how to "automatically rename the title depending on some other fields values", "inherit some metadata from other content"…

Thanks a lot anyway ! :)


one last question : how to ensure that when a document has just been created (so it's in "Brouillon" state in my project), it's invisible to the Developer group ?

I guess you have to create another EventHandler, with permission "DenyRead" or something like that ?

Thank you


en gros je veux juste qu'à sa création, un document soit invisible aux développeurs, mais qu'il apparaisse automatiquement dès qu'il est validé…

Merci infiniment !


Ok my mistake I read can instead cannot… I modify my answer to follow your question.

modification done.

thank you for your help ;) have a nice day

we plan to create a documentation about that.

The best way is to use a Security Policy manage through Nuxeo IDE :

  • to start here is the link
  • Then create a Nuxeo Plugin project
  • Click on yellow NX link / Security / Security Policy
  • Give a name to your Security Policy (it will be the name of the classe that implements your logic) / set the order to -100 (to be sure to be the first one)

And finally in checkPermission method fill like the that:

public Access checkPermission(Document doc, ACP mergedAcp,
        Principal principal, String permission,
        String[] resolvedPermissions, String[] additionalPrincipals)
        throws SecurityException {
    NuxeoPrincipal nxPrincipal = (NuxeoPrincipal) principal;

    boolean isReadWriteAccess = false
    for (String permissionTmp : resolbedPermissions) {
      if ("ReadWrite".equals(permissionTmp) {
        isReadWriteAccess = true;
    if (isReadWriteAccess && "Validated".equals(doc.getLifeCycleState() && nxPrincipal.isMemberOf("developer")) {
      return Access.DENY;

    ... I think you understood the idea, implement your stuff...

    return Access.UNKNOWN;

To not have bad response time and problems for paginations, you will have also to implement the query transformer (see interface the class implement).

That's it.

1 votes

Super ! Merci, that's great

Just one question : there is no way to do it directly with Nuxeo Studio ? I'm more on the functional side and I'm not quite used to Eclipse…

I tried to solve this problem by myself and I think this could be done by the Document / Set ACL in the Automation Chains, am I right ?

Thank you very much, Julien


De rien vraiment, j'insiste :D

Try to use the comment for comments and answers for answers, I will give you answer with just studio.


ok thanks ! I'm waiting for your answer just for Studio… I can't wait to have it ! ahah