Platform Explorer / Nuxeo Platform LTS 2019 10.10

Extension point permissions

Documentation

Extension point to register permission definitions or override existing permissions.

Example to define a single atomic permissions that are not meant to be displayed in the rights management screen of folders:

    <permission name="Browse"/>
    <permission name="ReadVersion"/>
    <permission name="ReadProperties"/>
    <permission name="ReadChildren"/>
    <permission name="ReadLifeCycle"/>
    <permission name="ReviewParticipant"/>

Example to define a compound permission that holds many related atomic permissions into a single high level (role-like) permission:

    <permission name="Read">
        <include>Browse</include>
        <include>ReadVersion</include>
        <include>ReadProperties</include>
        <include>ReadChildren</include>
        <include>ReadLifeCycle</include>
        <include>ReviewParticipant</include>
    </permission>

Note that each of the included permissions should have been previously registered with their on <permission/> declaration.

It is later possible to override that definition in another contribution to that extension-point to add a new permission 'CustomPerm' and remove 'ReviewParticipant':

    <permission name="CustomPerm"/>
    <permission name="Read">
        <include>CustomPerm</include>
        <remove>ReviewParticipant</remove>
    </permission>

Eventually the permissions declaration also accept 'alias' tags to handle backward compatibility with deprecated permissions:

    <permission name="ReadVersion">
        <!-- The Version permission is deprecated
            since it's name is ambiguous, use
            ReadPermission instead -->
        <alias>Version</alias>
    </permission>

NB: the alias feature is parsed by the extension point but the underlying SecurityManager implementation does not leverage it yet.

Contribution Descriptors

  • Class: org.nuxeo.ecm.core.security.PermissionDescriptor

Existing Contributions

Contributions are presented in the same order as the registration order on this extension point. This order is displayed before the contribution name, in brackets.

  • nuxeo-core-10.10-HF32.jar /OSGI-INF/permissions-contrib.xml
    <extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService">
    
        <permission name="Browse"/>
        <permission name="ReadProperties">
          <include>Browse</include>
        </permission>
        <permission name="ReadChildren"/>
        <permission name="ReadLifeCycle"/>
        <permission name="ReviewParticipant"/>
        <permission name="ReadSecurity"/>
    
        <permission name="WriteProperties"/>
        <permission name="ReadVersion"/>
    
        <permission name="WriteVersion">
           <include>WriteProperties</include>
        </permission>
    
        <permission name="Version">
           <include>ReadVersion</include>
           <include>WriteVersion</include>
        </permission>
    
        <permission name="Read">
          <include>Browse</include>
          <include>ReadVersion</include>
          <include>ReadProperties</include>
          <include>ReadChildren</include>
          <include>ReadLifeCycle</include>
          <include>ReadSecurity</include>
          <include>ReviewParticipant</include>
        </permission>
    
        <permission name="AddChildren"/>
        <permission name="RemoveChildren"/>
        <permission name="Remove"/>
        <permission name="ManageWorkflows"/>
        <permission name="WriteLifeCycle"/>
        <permission name="Unlock"/>
    
        <permission name="Remove">
          <include>RemoveChildren</include>
          <!-- NXP-10929: necessary to follow the "delete" transition when Trash is enabled -->
          <include>WriteLifeCycle</include>
        </permission>
    
        <permission name="ReadRemove">
          <include>Read</include>
          <include>Remove</include>
        </permission>
    
        <permission name="Write">
          <include>AddChildren</include>
          <include>WriteProperties</include>
          <include>Remove</include>
          <include>ManageWorkflows</include>
          <include>WriteLifeCycle</include>
          <include>WriteVersion</include>
        </permission>
    
        <permission name="ReadWrite">
          <include>Read</include>
          <include>Write</include>
        </permission>
    
        <permission name="WriteSecurity"/>
    
        <!-- special permission given to administrators: god-level access -->
        <permission name="Everything"/>
    
        <!-- deprecated - was used only for a single customer
          project before pluggable permission definitions -->
        <permission name="RestrictedRead"/>
    
        <permission name="MakeRecord"/>
        <permission name="SetRetention"/>
        <permission name="ManageLegalHold"/>
    
      </extension>
  • nuxeo-platform-collections-core-10.10-HF23.jar /OSGI-INF/collection-security-contrib.xml
    <extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService">
    
        <permission name="ReadCanCollect">
          <include>Read</include>
          <include>WriteProperties</include>
        </permission>
    
      </extension>
  • nuxeo-platform-comment-10.10-HF32.jar /OSGI-INF/comment-defaultPermissions-contrib.xml
    <extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService">
    
        <permission name="Comment">
          <include>WriteLifeCycle</include>
        </permission>
    
        <permission name="Moderate"/>
    
      </extension>
  • nuxeo-platform-publisher-core-contrib-10.10.jar /OSGI-INF/publisher-permissions-contrib.xml
    <extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService">
    
        <permission name="CanAskForPublishing"/>
    
      </extension>
  • nuxeo-routing-core-10.10-HF32.jar /OSGI-INF/document-routing-security-contrib.xml
    <extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService">
    
        <permission name="DataVisualization">
          <include>Read</include>
        </permission>
    
      </extension>