
Extension point permissions

Documentation

Extension point to register permission definitions or override existing permissions.

Example defining single atomic permissions that are not meant to be displayed in the rights management screen of folders:

    <!-- Atomic permissions: an empty <permission/> element with no <include>
         children. Each name must be declared this way before any compound
         permission can include it. -->
    <permission name="Browse"/>
    <permission name="ReadVersion"/>
    <permission name="ReadProperties"/>
    <permission name="ReadChildren"/>
    <permission name="ReadLifeCycle"/>
    <permission name="ReviewParticipant"/>

Example defining a compound permission that groups many related atomic permissions into a single high-level (role-like) permission:

    <!-- Compound (role-like) permission: a grant of Read implies every
         permission listed in <include>. Each included name must already have
         been registered by its own <permission/> declaration. -->
    <permission name="Read">
        <include>Browse</include>
        <include>ReadVersion</include>
        <include>ReadProperties</include>
        <include>ReadChildren</include>
        <include>ReadLifeCycle</include>
        <include>ReviewParticipant</include>
    </permission>

Note that each of the included permissions should have been previously registered with their own <permission/> declaration.

It is later possible to override that definition in another contribution to that extension point, adding a new permission 'CustomPerm' and removing 'ReviewParticipant':

    <!-- The new atomic permission is declared first so that it can be included. -->
    <permission name="CustomPerm"/>
    <!-- Second declaration of Read: it does not replace the earlier one.
         <include> adds to the existing definition and <remove> drops an
         included name from it. Reviewers of an ACL therefore need the union
         of all contributions to know what a Read grant implies. -->
    <permission name="Read">
        <include>CustomPerm</include>
        <remove>ReviewParticipant</remove>
    </permission>

Finally, the permission declaration also accepts 'alias' tags to handle backward compatibility with deprecated permissions:

    <!-- <alias> names a deprecated permission that should map to this one.
         The alias is parsed by the extension point but, as noted below, the
         SecurityManager implementation does not use it yet, so an ACL that
         still grants the old name is not rewritten by this declaration. -->
    <permission name="ReadVersion">
        <documentation>
            The Version permission is deprecated since its name is ambiguous,
            use ReadPermission instead.
          </documentation>
        <alias>Version</alias>
    </permission>

NB: the alias feature is parsed by the extension point but the underlying SecurityManager implementation does not leverage it yet.

Contribution Descriptors

  • Class: org.nuxeo.ecm.core.security.PermissionDescriptor

Existing Contributions

Contributions are presented in the same order as the registration order on this extension point. This order is displayed before the contribution name, in brackets.

  • nuxeo-core-2023.14.23.jar /OSGI-INF/permissions-contrib.xml
    <extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService">
    <!-- Core permission registry. An empty <permission/> declares an atomic
         permission; a <permission> with <include> children declares a compound
         (role-like) permission implying the listed ones. Compounds nest
         (ReadRemove includes Read, which includes Browse), so includes are
         presumably resolved transitively by SecurityService; confirm before
         relying on that when reviewing an ACL. -->
    
        <permission name="Browse"/>
        <permission name="ReadProperties">
          <include>Browse</include>
        </permission>
        <permission name="ReadChildren"/>
        <permission name="ReadLifeCycle"/>
        <permission name="ReviewParticipant"/>
        <permission name="ReadSecurity"/>
    
        <permission name="WriteProperties"/>
        <permission name="ReadVersion"/>
    
        <permission name="WriteVersion">
           <include>WriteProperties</include>
        </permission>
    
        <!-- Version bundles read and write access to versions. -->
        <permission name="Version">
           <include>ReadVersion</include>
           <include>WriteVersion</include>
        </permission>
    
        <!-- Read also implies ReadSecurity. Its counterpart WriteSecurity (declared
             further down) is not included by any compound in this file and must be
             granted explicitly. -->
        <permission name="Read">
          <include>Browse</include>
          <include>ReadVersion</include>
          <include>ReadProperties</include>
          <include>ReadChildren</include>
          <include>ReadLifeCycle</include>
          <include>ReadSecurity</include>
          <include>ReviewParticipant</include>
        </permission>
    
        <permission name="AddChildren"/>
        <permission name="RemoveChildren"/>
        <!-- Remove is declared atomic here and re-declared with includes further
             down; the later declaration extends this one, following the override
             semantics described in the extension point documentation. -->
        <permission name="Remove"/>
        <permission name="ManageWorkflows"/>
        <permission name="WriteLifeCycle"/>
        <permission name="Unlock"/>
    
        <permission name="Remove">
          <documentation>
            NXP-10929: necessary to follow the "delete" transition when Trash is enabled: include WriteLifeCycle
          </documentation>
          <include>RemoveChildren</include>
          <include>WriteLifeCycle</include>
        </permission>
        <!-- WriteLifeCycle is also included by Write below and by the Comment
             permission contributed by nuxeo-platform-comment; review those grants
             together when the "delete" transition matters. -->
    
        <permission name="ReadRemove">
          <include>Read</include>
          <include>Remove</include>
        </permission>
    
        <permission name="Write">
          <include>AddChildren</include>
          <include>WriteProperties</include>
          <include>Remove</include>
          <include>ManageWorkflows</include>
          <include>WriteLifeCycle</include>
          <include>WriteVersion</include>
        </permission>
    
        <permission name="ReadWrite">
          <include>Read</include>
          <include>Write</include>
        </permission>
    
        <permission name="WriteSecurity"/>
    
        <!-- Everything is declared atomic (no includes): its meaning is presumably
             special-cased by SecurityService rather than expressed in this file.
             Treat any grant of it as an administrator grant and audit it. -->
        <permission name="Everything">
          <documentation>
            Special permission given to administrators: god-level access
          </documentation>
        </permission>
    
        <!-- Deprecated per its own documentation; kept so existing ACLs still
             resolve, not for use in new ones. -->
        <permission name="RestrictedRead">
          <documentation>
            Deprecated - was used only for a single customer project before pluggable permission definitions
          </documentation>
        </permission>
    
        <!-- Records/retention building blocks. The nuxeo-retention contribution
             groups them into ManageRecord and ManageLegalHold, both of which also
             include ReadWrite. -->
        <permission name="MakeRecord"/>
        <permission name="SetRetention"/>
        <permission name="ManageLegalHold"/>
        <!-- Only for flexible records -->
        <permission name="UnsetRetention"/>
    
        <!-- Atomic here; the nuxeo-coldstorage contribution re-declares it with
             <include>ReadWrite</include>, so in a deployment with that bundle a
             grant of WriteColdStorage also implies ReadWrite. -->
        <permission name="WriteColdStorage"/>
    
      </extension>
  • nuxeo-coldstorage-2023.3.6.jar /OSGI-INF/coldstorage-security.xml
    <extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService">
            <!-- Re-declaration of the core atomic WriteColdStorage: with the
                 override semantics of this extension point the includes are merged
                 into the existing definition, so WriteColdStorage now implies
                 ReadWrite. That is broader than the name suggests; treat a grant
                 of it as a ReadWrite grant when reviewing ACLs. The self-include
                 on the last line is presumably a no-op; confirm in SecurityService. -->
            <permission name="WriteColdStorage">
                <include>ReadWrite</include>
                <include>WriteColdStorage</include>
            </permission>
        </extension>
  • nuxeo-arender-core-2023.2.1.jar /OSGI-INF/nuxeo-arender-content-redaction-contrib.xml
    <extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService">
        <!-- Atomic permission. No compound on this page includes it (Write and
             ReadWrite do not), so Redact has to be granted explicitly. -->
        <permission name="Redact"/>
      </extension>
  • nuxeo-platform-collections-core-2023.14.23.jar /OSGI-INF/collection-security-contrib.xml
    <extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService">
    
        <!-- ReadCanCollect implies WriteProperties as well as Read, so a holder can
             modify the document's properties, not only read it; presumably needed
             to record collection membership on the document. Confirm before
             treating it as a read-only grant. -->
        <permission name="ReadCanCollect">
          <include>Read</include>
          <include>WriteProperties</include>
        </permission>
    
      </extension>
  • nuxeo-platform-comment-2023.14.23.jar /OSGI-INF/comment-defaultPermissions-contrib.xml
    <extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService">
    
        <!-- Comment implies WriteLifeCycle, the same atomic permission the core
             Remove permission includes to follow the "delete" transition
             (NXP-10929). A Comment grant therefore reaches beyond commenting;
             whether it alone is enough to trash a document depends on the checks
             SecurityService applies, so confirm before granting it broadly. -->
        <permission name="Comment">
          <include>WriteLifeCycle</include>
        </permission>
    
        <!-- Moderate is atomic and is not included by any compound on this page. -->
        <permission name="Moderate"/>
    
      </extension>
  • nuxeo-platform-publisher-2023.14.23.jar /OSGI-INF/publisher-permissions-contrib.xml
    <extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService">
    
        <!-- Atomic permission; nothing on this page includes it, so it must be
             granted on its own. -->
        <permission name="CanAskForPublishing"/>
    
      </extension>
  • nuxeo-retention-2023.3.6.jar /OSGI-INF/retention-security.xml
    <extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService">
    
        <!-- Both permissions in this file include ReadWrite, so granting either
             one also grants full read/write on the document. ManageRecord further
             includes UnsetRetention, which the core file marks as only for
             flexible records; presumably this lets the holder lift retention,
             not only set it. Confirm before granting it outside records managers. -->
        <permission name="ManageRecord">
          <include>ReadWrite</include>
          <include>MakeRecord</include>
          <include>SetRetention</include>
          <include>UnsetRetention</include>
        </permission>
    
        <!-- Re-declaration of the core atomic ManageLegalHold: the includes are
             merged into the existing definition (override semantics of this
             extension point). The self-include is presumably a no-op; confirm in
             SecurityService. -->
        <permission name="ManageLegalHold">
          <include>ReadWrite</include>
          <include>MakeRecord</include>
          <include>ManageLegalHold</include>
        </permission>
    
      </extension>
  • nuxeo-routing-core-2023.14.23.jar /OSGI-INF/document-routing-security-contrib.xml
    <extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService">
    
        <!-- DataVisualization implies the full core Read compound (including
             ReadSecurity); it adds no write permission. -->
        <permission name="DataVisualization">
          <include>Read</include>
        </permission>
    
      </extension>