Extension point permissions
Documentation
Extension point to register permission definitions or override existing permissions.
Example to define a single atomic permissions that are not meant to be displayed in the rights management screen of folders:
<permission name="Browse"/>
<permission name="ReadVersion"/>
<permission name="ReadProperties"/>
<permission name="ReadChildren"/>
<permission name="ReadLifeCycle"/>
<permission name="ReviewParticipant"/>
Example to define a compound permission that holds many related atomic permissions into a single high level (role-like) permission:
<permission name="Read">
<include>Browse</include>
<include>ReadVersion</include>
<include>ReadProperties</include>
<include>ReadChildren</include>
<include>ReadLifeCycle</include>
<include>ReviewParticipant</include>
</permission>
Note that each of the included permissions should have been previously registered with their on <permission/> declaration.
It is later possible to override that definition in another contribution to that extension-point to add a new permission 'CustomPerm' and remove 'ReviewParticipant':
<permission name="CustomPerm"/>
<permission name="Read">
<include>CustomPerm</include>
<remove>ReviewParticipant</remove>
</permission>
Eventually the permissions declaration also accept 'alias' tags to handle backward compatibility with deprecated permissions:
<permission name="ReadVersion">
<!-- The Version permission is deprecated
since it's name is ambiguous, use
ReadPermission instead -->
<alias>Version</alias>
</permission>
NB: the alias feature is parsed by the extension point but the underlying SecurityManager implementation does not leverage it yet.
Contribution Descriptors
- Class: org.nuxeo.ecm.core.security.PermissionDescriptor
Existing Contributions
Contributions are presented in the same order as the registration order on this extension point. This order is displayed before the contribution name, in brackets.
-
<extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService"> <permission name="CanAskForPublishing"/> </extension>
-
<extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService"> <permission name="Comment"> <include>WriteLifeCycle</include> </permission> <permission name="Moderate"/> </extension>
-
<extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService"> <permission name="DataVisualization"> <include>Read</include> </permission> </extension>
-
<extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService"> <permission name="ReadCanCollect"> <include>Read</include> <include>WriteProperties</include> </permission> </extension>
-
<extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService"> <permission name="Browse"/> <permission name="ReadProperties"> <include>Browse</include> </permission> <permission name="ReadChildren"/> <permission name="ReadLifeCycle"/> <permission name="ReviewParticipant"/> <permission name="ReadSecurity"/> <permission name="WriteProperties"/> <permission name="ReadVersion"/> <permission name="WriteVersion"> <include>WriteProperties</include> </permission> <permission name="Version"> <include>ReadVersion</include> <include>WriteVersion</include> </permission> <permission name="Read"> <include>Browse</include> <include>ReadVersion</include> <include>ReadProperties</include> <include>ReadChildren</include> <include>ReadLifeCycle</include> <include>ReadSecurity</include> <include>ReviewParticipant</include> </permission> <permission name="AddChildren"/> <permission name="RemoveChildren"/> <permission name="Remove"/> <permission name="ManageWorkflows"/> <permission name="WriteLifeCycle"/> <permission name="Unlock"/> <permission name="Remove"> <include>RemoveChildren</include> <!-- NXP-10929: necessary to follow the "delete" transition when Trash is enabled --> <include>WriteLifeCycle</include> </permission> <permission name="ReadRemove"> <include>Read</include> <include>Remove</include> </permission> <permission name="Write"> <include>AddChildren</include> <include>WriteProperties</include> <include>Remove</include> <include>ManageWorkflows</include> <include>WriteLifeCycle</include> <include>WriteVersion</include> </permission> <permission name="ReadWrite"> <include>Read</include> <include>Write</include> </permission> <permission name="WriteSecurity"/> <!-- special permission given to administrators: god-level access --> <permission name="Everything"/> <!-- deprecated - was used only for a single customer project before pluggable permission definitions --> <permission name="RestrictedRead"/> </extension>