Deny Remove permission but Delete button still enabled


I have just dowloaded and installed Nuxeo Document Management 5.5 and I tried what is described at about access rights management.

So I did the following steps:

As Administrator

  • login
  • create a John Do user
  • create a workspace
  • On the Manage tab, add two permissions: John Do - Grant - Write + John Do - Deny - Remove
  • create a note in the workspace

as John Do user

  • login
  • go to the workspace created above as Administrator
  • check the box in front of the Note created above as Administrator => the Delete button is enabled so the user John Do can remove the document

Question: Is it normal that the Delete button is enabled even if there is a Deny - Remove permission on the workspace for the user ?

I would have expected that the user won't be able to delete any document.

Thanks in advance for your answer

Best regards, Christophe

1 votes

4 answers




This is due to the access rights priorization, as explained on this page:

In this case, the user still has the right to remove documents because at the same level (in the same workspace) he's denied the right to delete documents, but he's also granted the Write permission. Since Write includes the Remove permission and granted rights win over denied rights, in the end the user is granted the right to remove.

1 votes


Thank you very much for the explanation !

So, is there a way to disable the delete button and having write permission in the same time ?

Thanks in advance for your answer.

Best regards, Christophe


I'm wondering why the Write permission needs to include Remove, it could be a good test to check if this is a problem for other features. I think it could be considered a bug, maybe to handle at the same time than

I got it to work. You will need a standard component wrapper around this but otherwise it works. Nuxeo is wonderful but does not make a good first date…


<extension target="" point="permissions">
<!-- Removed 'Remove' from Write permission -->
    <permission name="Write">
1 votes

a c
Is there some way to apply this extension to specific document types?

I think the original question is an important one: how to grant permission to create new objects but not remove old ones.

The comments above (directing to the doc) seem to be in conflict with the doc, which states:

The “Remove” permission is intended to be denied, so as to restrict the actions available to users with “Write” permission.

If “Remove” permission is intended to be denied, but granting Write takes precedence, how is it possible to ever deny remove? To me this smells like a defect.


0 votes

The answer is to redefine the aggregate permission Write to work the way you want it to. Or create a new permission (e.g., Write Only) which maps to a subset of the existing Write permission.

Here is a sample of how I have redefined the default Write permission - by default users with Write access do not get Remove Access

&lt;extension target=&quot;; point=&quot;permissions&quot;&gt;
&lt;!-- Removed &apos;AddChildren&apos; and &apos;Remove&apos; from Write permission --&gt;
    &lt;permission name=&quot;Write&quot;&gt;

Is <require> tag needed for override to take effect and if so what does need to refer to?

Also getting this error when trying to deploy:

java.lang.Exception: Permission 'WriteProperties' included by 'Write' is not a registered permission

Is there a list of permissions defined in the system I can use? Tried using explorer but they do not seem to be there.


If you want to override the default rights hierarchy then you can create a custom security policy by extending SecurityPolicy. See for more details.

Be careful with this because there can be negative performance side-effects if the custom policy is too complex!

0 votes