Flexible Permissions Management with ACL Templates

Flexible & Repeatable
Permissions Management
with ACL Templates
Jeff Potts

Learn. Connect. Collaborate.
Alfresco is missing a feature: ACL Templates
• Many projects start with a spreadsheet that organizes folder structure
• The next step is often defining the permissions that go with that structure
• Usually, permissions are applied in a consistent, predictable way
according to business rules

Don’t Repeat Yourself
• When you programmatically create nodes and set permissions, it is
tempting to just make a bunch of API calls and be done
• What happens when you need to set permissions in different places?
– JavaScript versus Java
– Actions versus Behaviors
– Workflows
– Yes, you can centralize this logic in a common “service” class, but…

If it might change, why is it in code?
• What happens when the business rules change and a power user wants to
change how permissions are set?
• Build and deploy just because an entry in an ACL is changing from
“Collaborator” to “Consumer”?
• Yuck

How Does Everyone Else Do It?
• Many ECM systems allow permission sets to be declared, then applied
when needed
• Now you can do that with Alfresco
• I give you Alfresco ACL Templates!
– https://github.com/conexiam/alfresco-acl-templates
• Dun dun DUN!!!
1

Example: Folders that hold files related to client
projects
• /Project 1 for Client A
– /Design Discussion
– /Final Deliverables
– /Status Reports
– /Status Reports
• /Project 3 for Client B
– /Status Reports
Project 1 Team: Collaborator
Client A Team: Collaborator
Client A Team: Consumer
Client B Team: Consumer
Client B Team: Collaborator

I see a pattern!
– /Status Reports
– /Status Reports
– /Status Reports
There is a group for a
project that is always the
collaborator.
There is a group for the
client that is a Collaborator
on some folders and a
Consumer on other
folders.
That’s potentially two
“templates”

A Wrinkle: Group can’t be determined at design-time
– /Status Reports
– /Status Reports
– /Status Reports
Uh-oh, variability!

Another Wrinkle: Time
2
– /Status Reports
– /Status Reports
– /Status Reports
Project 1 Team: Consumer
Active Projects Completed Projects

Alfresco ACL Templates Add-On
• Open source project sponsored by a client called Conexiam
– I maintain it on their behalf at Github
• Allows you to declare ACL templates as JSON
– ACL Templates live in the Data Dictionary
• Provides an “ACL Template Service” that you can call from JavaScript or
Java to “apply” a template to a node

Example #1: Static ACL Template
{
"inherit": false,
"permissions": [
{
"authority": ”GROUP_Project 1 Team",
"permission": "Collaborator”
},
{
"authority": ”GROUP_Client A Team",
}
]
}

Example #2: Applying an ACL Template
import com.conexiam.acl.templates.service.AclTemplateService;
…SNIP…
AclTemplateService aclTemplateService;
…SNIP…
aclTemplateService.apply("test-template-2.json", testFolder);

Example #3: An ACL template with placeholders
3
{
"inherit": false,
"permissions": [
{
"authorityTemplate": ”project-team",
},
{
"authorityTemplate": ”client-team",
}
]
}

How do those placeholders work?
• Can specify an authorityTemplate instead of a hard-coded authority
• An authorityTemplate is just a Spring Bean that resolves an authority
template to an actual authority
• Examples:
– What is the correct “project group” for this site?
– What is the correct “client group” for this site?
– Basically anything that can use the nodeRef to resolve the template

Add-on ships with one sample authority template
resolver
• Site role group resolver
• Returns the site group for a given role
• Example: Always give the Site Collaborator group for this site Consumer
access
• Making your own authority template resolvers is easy

Implementing your own authority resolver
• Create a Java class that implements AuthorityResolver
• Inject your dependencies
• Implement public String resolve(NodeRef nodeRef)
• Config in Spring context XML
• Add to authorityResolvers map

Example: Site Role Group Authority Resolver
4
<bean
id="authority-template.site-manager-group”
class="com.conexiam.acl.templates.authority.resolvers.SiteRole
GroupResolver">
<property name="siteService">
<ref bean="SiteService" />
</property>
<property name="role" value="SiteManager" />
</bean>

Example: Site Role Group Authority Resolver
public String resolve(NodeRef nodeRef) {
SiteInfo siteInfo = siteService.getSite(nodeRef);
if (siteInfo == null) {
return null;
}
String siteId = siteInfo.getShortName();
String siteRoleGroup = siteService.getSiteRoleGroup(siteId,
role);
return siteRoleGroup;
}

Summary
• ACL Templates Add-on
• Declare permissions in JSON, store in Data Dictionary
• Apply permissions using ACL Template Service
• Removes permission logic from code
• Makes it easier for non-technical people to change the permissions your
code sets on nodes it creates

Summary
• ACL Templates can have hard-coded authorities, authority templates, or a
mix of both
• Authority templates are resolved with the help of an authority template
resolver class
– Can use properties on the node, or other services to help determine the right
authority

Support the Community!
• This add-on was funded by a Metaversant client called Conexiam
• Per their request, we did all of their Alfresco customizations in the open
• Check out the other related repositories at https://github.com/Conexiam
• Let me know if you have any questions!
• @jeffpotts01

Flexible & Repeatable
Permissions Management
with ACL Templates
Thank you!
@jeffpotts01

Flexible Permissions Management with ACL Templates

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Flexible Permissions Management with ACL Templates

Similar to Flexible Permissions Management with ACL Templates (20)

More from Jeff Potts

More from Jeff Potts (20)

Recently uploaded

Recently uploaded (20)

Flexible Permissions Management with ACL Templates