Component
org.nuxeo.ecm.core.security.SecurityService

Individual Documentation Coverage

100.0 %

The security service is responsible to check the permission on a
repository. Permission check will be usually forwarded to the
security manager defined on the repository. This may change later.

The security service also holds a permission provider that defines
the list of available permission names and how they are combined
into groups of permissions.

The security service also defines which permissions are high level
permissions that are to be managed through the end user interface
and in which order they should be display in management menus.

Author: Bogdan Stefanescu

Author: Olivier Grisel

Version: missing

Location: org.nuxeo.ecm.core/nuxeo-core/src/main/resources/OSGI-INF/SecurityService.xml

Require

No requirements

Required by

Not required

Implementation

Extension Points:

permissions

Extension point to register permission definitions or override
existing permissions.

Example to define a single atomic permissions that are not meant
to be displayed in the rights management screen of folders:

        <permission name="Browse" />
        <permission name="ReadVersion" />
        <permission name="ReadProperties" />
        <permission name="ReadChildren" />
        <permission name="ReadLifeCycle" />
        <permission name="ReviewParticipant" />

Example to define a compound permission that holds many related
atomic permissions into a single high level (role-like)
permission:

        <permission name="Read">
          <include name="Browse" />
          <include name="ReadVersion" />
          <include name="ReadProperties" />
          <include name="ReadChildren" />
          <include name="ReadLifeCycle" />
          <include name="ReviewParticipant" />
        </permission>

Note that each of the included permissions should have been
previously registered with their on <permission/>
declaration.

It is later possible to override that definition in another
contribution to that extension-point to add a new permission
'CustomPerm' and remove 'ReviewParticipant':

        <permission name="CustomPerm" />
        <permission name="Read">
          <include name="CustomPerm" />
          <remove name="ReviewParticipant" />
        </permission>

Eventually the permissions declaration also accept 'alias' tags to
handle backward compatibility with deprecated permissions:

        <permission name="ReadVersion">
          <alias name="Version" />
        </permission>

NB: the alias feature is parsed by the extension point but the
underlying SecurityManager implementation does not leverage it
yet.

Object org.nuxeo.ecm.core.security.PermissionDescriptor

permissionsVisibility

Extension point to register permission visibility in user
interface or override existing settings.

Example to define the default list of permissions that are
manageable through the UI screens:

        <visibility>
          <item order="10" show="true">Read</item>
          <item order="50" show="true">ReadWrite</item>
          <item order="100" show="true">Everything</item>
        </visibility>

This list of options items will be displayed if no type specific
settings are registered.

Example to define the default list of permissions that are
specific to the Section document type:

        <visibility type="Section">
          <item order="10" show="true">Read</item>
          <item order="100" show="true">Everything</item>
        </visibility>

Note: the 'show' attribute defaults to 'true' and the 'order'
attribute defaults to '0'.

Object org.nuxeo.ecm.core.security.PermissionVisibilityDescriptor

Has contribution from:

org.nuxeo.ecm.core.security.defaultPermissions

Component org.nuxeo.ecm.core.security.SecurityService