Deny Remove permission but Delete button still enabled
Hello,
I have just downloaded and installed Nuxeo Document Management 5.5 and I tried what is described at http://doc.nuxeo.com/display/DMDOC/Managing+access+rights about access rights management.
So I did the following steps:
As Administrator
- login
- create a John Do user
- create a workspace
- On the Manage tab, add two permissions: John Do - Grant - Write + John Do - Deny - Remove
- create a note in the workspace
as John Do user
- login
- go to the workspace created above as Administrator
- check the box in front of the Note created above as Administrator => the Delete button is enabled so the user John Do can remove the document
Question: Is it normal that the Delete button is enabled even if there is a Deny - Remove permission on the workspace for the user?
I would have expected that the user won't be able to delete any document.
Thanks in advance for your answer
Best regards, Christophe
Hello,
This is due to the access rights prioritization, as explained on this page: http://doc.nuxeo.com/x/UYEk.
In this case, the user still has the right to remove documents because at the same level (in the same workspace) he's denied the right to delete documents, but he's also granted the Write permission. Since Write includes the Remove permission and granted rights win over denied rights, in the end the user is granted the right to remove.
Thank you very much for the explanation!
So, is there a way to disable the delete button and have write permission at the same time?
Thanks in advance for your answer.
Best regards, Christophe
I got it to work. You will need a standard component wrapper around this but otherwise it works. Nuxeo is wonderful but does not make a good first date…
<require>org.nuxeo.ecm.core.security.SecurityService</require>
<require>org.nuxeo.ecm.core.security.defaultPermissions</require>
<extension target="org.nuxeo.ecm.core.security.SecurityService" point="permissions">
  <!-- Removed 'Remove' from Write permission -->
  <permission name="Write">
    <remove>Remove</remove>
  </permission>
</extension>
I think the original question is an important one: how to grant permission to create new objects but not remove old ones.
The comments above (directing to the doc) seem to be in conflict with the doc, which states:
The “Remove” permission is intended to be denied, so as to restrict the actions available to users with “Write” permission.
If “Remove” permission is intended to be denied, but granting Write takes precedence, how is it possible to ever deny remove? To me this smells like a defect.
Tom
The answer is to redefine the aggregate permission Write to work the way you want it to. Or create a new permission (e.g., Write Only) which maps to a subset of the existing Write permission.
Here is a sample of how I have redefined the default Write permission - by default users with Write access do not get Remove Access
<extension target="org.nuxeo.ecm.core.security.SecurityService" point="permissions">
  <!-- Removed 'AddChildren' and 'Remove' from Write permission -->
  <permission name="Write">
    <remove>AddChildren</remove>
    <include>WriteProperties</include>
    <remove>Remove</remove>
    <include>ManageWorkflows</include>
    <include>WriteLifeCycle</include>
    <include>ReadLifeCycle</include>
  </permission>
</extension>
Also getting this error when trying to deploy:
java.lang.Exception: Permission 'WriteProperties' included by 'Write' is not a registered permission
Is there a list of permissions defined in the system I can use? Tried using explorer but they do not seem to be there.
If you want to override the default rights hierarchy then you can create a custom security policy by extending SecurityPolicy. See http://doc.nuxeo.com/display/NXDOC/Security+Policy+Service for more details.
Be careful with this because there can be negative performance side-effects if the custom policy is too complex!
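
The behaviour explained earlier in this thread (Write includes Remove, and a grant wins over a deny at the same level), together with the effect of taking Remove out of Write, as an added example that is not code from Nuxeo or from any poster. It is a simplified model: the function names are hypothetical, and the membership of Write is constructed from the permission names quoted in the thread.

```python
# Simplified model of the behaviour described in this thread; not Nuxeo's API.
# Group membership is constructed from the permission names quoted in the thread.
DEFAULT_GROUPS = {
    "Write": {"WriteProperties", "AddChildren", "Remove",
              "ManageWorkflows", "WriteLifeCycle", "ReadLifeCycle"},
}

def covers(ace_perm, wanted, groups):
    """True if an ACE on ace_perm applies to wanted, directly or via a compound."""
    return ace_perm == wanted or wanted in groups.get(ace_perm, set())

def allowed(user, wanted, levels, groups):
    """levels: ACE lists from the document's own container up to the root.
    Each ACE is (user, permission, granted). As explained in the thread, a
    grant wins over a deny set at the same level."""
    for aces in levels:
        hits = [g for u, p, g in aces if u == user and covers(p, wanted, groups)]
        if any(hits):
            return True      # at least one matching grant at this level
        if hits:
            return False     # only denies matched at this level
    return False             # nothing matched at any level

def override(groups, name, remove=(), include=()):
    """Mimic the <remove>/<include> children of a <permission> contribution."""
    new = {k: set(v) for k, v in groups.items()}
    new[name] = (new.get(name, set()) - set(remove)) | set(include)
    return new

def shadowed_denies(aces, groups):
    """Audit helper: deny ACEs cancelled by a same-level grant for the same user."""
    out = []
    for u, p, g in aces:
        if not g and any(gu == u and gg and covers(gp, p, groups)
                         for gu, gp, gg in aces):
            out.append((u, p))
    return out

# Constructed sample: the workspace ACL from the original question.
WORKSPACE = [("John Do", "Write", True), ("John Do", "Remove", False)]
PATCHED = override(DEFAULT_GROUPS, "Write", remove=["Remove"])

if __name__ == "__main__":
    print(allowed("John Do", "Remove", [WORKSPACE], DEFAULT_GROUPS))  # True
    print(allowed("John Do", "Remove", [WORKSPACE], PATCHED))         # False
    print(shadowed_denies(WORKSPACE, DEFAULT_GROUPS))  # [('John Do', 'Remove')]
```

Running `shadowed_denies` over each level's ACL is a quick way to spot deny entries that look restrictive in the Manage tab but have no effect.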