DAM and controlling access to folders by groups
I am implementing Nuxeo for my University Library system and I need to have a way to give each campus library who is participating their own workspace/domain/folder/folderish-thing where I can use the “Manage > Access Rights” tab to set the authorized users.
Using the DM, I set up these folders under the “Asset Library” which I understand to be some sort of folderish domain thing where the stuff from the DAM goes.
I'm using the Nuxeo DAM default [BETA] 1.2.0 (cap-5.7.1) Application Template in Studio.
I modified Project > Listing & Views > Content Views > DAM-Custom Search based on the answer to this question so that it shows the folders I've created inside of the Asset Library.
But I'm not sure where to go from here.
Is there a better approach to accomplish some sort of “group” for each campus? When a user logs in from a campus, I'm going to want them to only be able to see assets they have permissions to work on.
I'm using the shibboleth plugin, but I could not figure out the expression language to create shibboleth groups, so I figure I'll just use the “Manage > Access Rights” tab on some sort of folderish things to add users to the correct “group” – but I'm not sure this is the right approach.
I think the easiest way is to:
- Create groups for each campus and add users to it
- Use the Access Rights tab on each folder to grant READ or WRITE access based on the group (you may want to block the rights inheritance on the Asset Library document to avoid users having READ access on all folders).
That way, users of the UC Davis campus will have only READ access to the UC Davis folder so they will see only assets in the UC Davis folder.
I think you don't need to display folders in the DAM view (if users can only see assets they should have access to), but you may want to limit the query to assets inside the Asset Library; by default the query returns all the assets the user has access to in the whole repository.
You can add the following to your NXQL query:
AND ecm:path STARTSWITH '/asset-library'
If a user has READ access to more than one campus, he can still filter on the Folder / Path.
For your Shibboleth groups issue, you can write another question explaining what you are trying to do.
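Added example, not part of the original answer and not Nuxeo code: a simplified Python model of first-match ACL evaluation showing what blocking inheritance on the Asset Library changes and what the path filter changes. The evaluation model, the campus group names (`ucdavis`, `ucmerced`) and all paths are assumptions constructed for illustration.

```python
# Simplified model (assumption): ordered ACEs per document, evaluated from the
# document up to the root; the first ACE matching a principal and permission wins.
EVERYONE = "Everyone"
IMPLIES = {"Read": {"Read", "ReadWrite", "Everything"},
           "ReadWrite": {"ReadWrite", "Everything"}}
# Constructed sample assets, including one outside the asset library.
ASSETS = ["/asset-library/uc-davis/map.tif",
          "/asset-library/uc-merced/photo.jpg",
          "/workspaces/notes.doc"]

def build_acls(block_inheritance):
    """Constructed ACLs: path -> ordered (principal, permission, grant) ACEs."""
    library = [("administrators", "Everything", True)]
    if block_inheritance:
        # Blocked inheritance modelled as a trailing deny-all ACE.
        library.append((EVERYONE, "Everything", False))
    return {
        "/": [("members", "Read", True)],
        "/asset-library": library,
        "/asset-library/uc-davis": [("ucdavis", "Read", True)],
        "/asset-library/uc-merced": [("ucmerced", "ReadWrite", True)],
    }

def ancestors(path):
    """Yield the path itself, then each parent up to the root."""
    while True:
        yield path
        if path == "/":
            return
        path = path.rsplit("/", 1)[0] or "/"

def has_permission(acls, groups, path, permission):
    principals = set(groups) | {EVERYONE}
    for node in ancestors(path):
        for principal, perm, grant in acls.get(node, []):
            if principal in principals and perm in IMPLIES[permission]:
                return grant
    return False  # no matching ACE: access denied

def visible_assets(acls, groups, prefix="/asset-library"):
    """Readable assets, optionally limited like ecm:path STARTSWITH prefix."""
    return sorted(a for a in ASSETS
                  if (prefix is None or a.startswith(prefix + "/"))
                  and has_permission(acls, groups, a, "Read"))

if __name__ == "__main__":
    davis = {"members", "ucdavis"}
    for blocked in (False, True):
        print(blocked, visible_assets(build_acls(blocked), davis))
    print("no path filter:", visible_assets(build_acls(True), davis, prefix=None))
```

In this model, a UC Davis user still reads the UC Merced asset through the inherited root grant until inheritance is blocked, and without the path filter the result also includes readable documents outside the asset library.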