Alfresco supports an extensive set of permissions to provide security controls, and it groups these permissions into roles. Both the permissions and the roles can be extended. Before extending them, however, you need to evaluate and understand the existing permissions and roles, and justify the decision to extend them.
Alfresco supports a number of permissions to access the spaces, content, their properties, and so on. The following are some of the permissions for spaces:
_ReadProperties
: Reads the space's properties

_ReadChildren
: Reads the content within a space

_WriteProperties
: Updates properties such as title, description, and so on

_DeleteNode
: Deletes the space

_DeleteChildren
: Deletes content and subspaces within a space

_CreateChildren
: Creates content within a space

The following are some of the permissions for content items:
A complete list of the default permissions and roles is provided in the Alfresco configuration file `<config>/model/permissionDefinitions.xml`.
Roles are collections of permissions assigned to users in a specific space. Subspaces may inherit permissions from the parent space. Roles may also be applied to individual content items. The following table lists the default roles supported out of the box by Alfresco:
| Role | Permission |
|---|---|
| Consumer | Read spaces and content |
| Editor | Consumer + edit existing content |
| Contributor | Consumer + add new content |
| Collaborator | Editor + Contributor |
| Coordinator | Full control |
You can add a new custom role according to your security requirements. You will have to include the custom role details in the `permissionDefinitions.xml` file, which is located at `<config>/model`. For a Tomcat installation, you can find this file at `tomcat/webapps/alfresco/WEB-INF/classes/alfresco/model/permissionDefinitions.xml`.
You need to define your own permissions group (say `TestRole`) and assign permissions as shown below:
```xml
<permissionGroup name="TestRole" allowFullControl="false" expose="true">
   <includePermissionGroup permissionGroup="Read" type="sys:base" />
   <includePermissionGroup permissionGroup="AddChildren" type="sys:base" />
   <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut" />
</permissionGroup>
```
Once you make the changes to the XML file, you need to restart Alfresco to have the new role added to the system.
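An added example, not from the original page or from Alfresco's code: a Python check that expands a custom role such as `TestRole` through its `includePermissionGroup` chain before the restart and reports undefined groups, `allowFullControl="true"`, and groups on a deny list. The sample XML is constructed; its `permissionSet` layout, the function names and the deny list are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, cut-down permission model (layout assumed); not the shipped file.
SAMPLE = """<permissions>
 <permissionSet type="sys:base">
  <permissionGroup name="ReadProperties"/> <permissionGroup name="ReadChildren"/>
  <permissionGroup name="AddChildren"/> <permissionGroup name="DeleteChildren"/>
  <permissionGroup name="Read">
   <includePermissionGroup permissionGroup="ReadProperties" type="sys:base"/>
   <includePermissionGroup permissionGroup="ReadChildren" type="sys:base"/>
  </permissionGroup>
  <permissionGroup name="TestRole" allowFullControl="false" expose="true">
   <includePermissionGroup permissionGroup="Read" type="sys:base"/>
   <includePermissionGroup permissionGroup="AddChildren" type="sys:base"/>
   <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>
  </permissionGroup>
 </permissionSet>
 <permissionSet type="cm:lockable"> <permissionGroup name="CheckOut"/> </permissionSet>
</permissions>"""

def load_groups(xml_text):
    """Map (type, name) -> (allowFullControl, [(type, name) it includes])."""
    groups = {}
    for pset in ET.fromstring(xml_text).iter("permissionSet"):
        for g in pset.findall("permissionGroup"):
            includes = [(i.get("type"), i.get("permissionGroup"))
                        for i in g.findall("includePermissionGroup")]
            groups[(pset.get("type"), g.get("name"))] = (
                g.get("allowFullControl") == "true", includes)
    return groups

def audit_role(xml_text, role, forbidden=("DeleteNode", "DeleteChildren")):
    """Expand role through its includes; return (granted names, findings)."""
    groups = load_groups(xml_text)
    seen, findings = set(), []
    stack = [k for k in groups if k[1] == role] or [(None, role)]
    while stack:
        key = stack.pop()
        if key in seen:
            continue  # already expanded; also stops include cycles
        seen.add(key)
        if key not in groups:
            findings.append(f"undefined group {key[1]} (type {key[0]})")
            continue
        full, includes = groups[key]
        if full or key[1] in forbidden:
            why = "allowFullControl=true" if full else "on the deny list"
            findings.append(f"{key[1]}: {why}")
        stack.extend(includes)
    return sorted(n for t, n in seen if (t, n) in groups), findings
```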