
Extension point permissions

Documentation

Extension point to register permission definitions or override existing permissions.

Example to define single atomic permissions that are not meant to be displayed in the rights management screen of folders:

    <!-- Atomic permissions: no <include> children. Each one must be registered
         (as here) before any compound permission lists it in an <include>. -->
    <permission name="Browse"/>
    <permission name="ReadVersion"/>
    <permission name="ReadProperties"/>
    <permission name="ReadChildren"/>
    <permission name="ReadLifeCycle"/>
    <permission name="ReviewParticipant"/>

Example to define a compound permission that groups many related atomic permissions into a single high-level (role-like) permission:

    <!-- Compound permission: a grant of Read carries every included permission.
         Every name listed here must already have its own <permission/> declaration. -->
    <permission name="Read">
        <include>Browse</include>
        <include>ReadVersion</include>
        <include>ReadProperties</include>
        <include>ReadChildren</include>
        <include>ReadLifeCycle</include>
        <include>ReviewParticipant</include>
    </permission>

Note that each included permission must have been previously registered with its own <permission/> declaration.

It is later possible to override that definition in another contribution to this extension point, for example to add a new permission 'CustomPerm' and remove 'ReviewParticipant':

    <!-- CustomPerm is registered first so that it already exists when Read includes it. -->
    <permission name="CustomPerm"/>
    <!-- Re-declaring an existing name merges into its definition: <include> adds a
         member and <remove> drops one; the other members of Read are kept. -->
    <permission name="Read">
        <include>CustomPerm</include>
        <remove>ReviewParticipant</remove>
    </permission>

Finally, permission declarations also accept 'alias' tags to handle backward compatibility with deprecated permissions:

    <permission name="ReadVersion">
        <!-- The Version permission is deprecated
            since its name is ambiguous; use
            ReadVersion (this permission) instead.
            The alias is parsed by the extension point but, per the NB below,
            not yet honoured by the SecurityManager implementation. -->
        <alias>Version</alias>
    </permission>

NB: the alias feature is parsed by the extension point but the underlying SecurityManager implementation does not leverage it yet.

Contribution Descriptors

Existing Contributions

Contributions are presented in the same order as the registration order on this extension point. This order is displayed before the contribution name, in brackets.

  • nuxeo-platform-publisher-core-contrib-9.10.jar /OSGI-INF/publisher-permissions-contrib.xml
    <extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService">
    
        <!-- Atomic permission (no <include>). No other contribution on this page
             includes it, so it has to be granted explicitly in an ACL. -->
        <permission name="CanAskForPublishing"/>
    
      </extension>
  • nuxeo-platform-comment-9.10.jar /OSGI-INF/comment-defaultPermissions-contrib.xml
    <extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService">
    
        <!-- Compound: granting Comment also grants WriteLifeCycle, the permission that
             nuxeo-core's permissions-contrib.xml marks as necessary to follow the "delete"
             transition when Trash is enabled. Keep this in mind when handing Comment to
             broad groups. NOTE(review): whether WriteLifeCycle alone is enough to trash a
             document cannot be told from this page; confirm against the SecurityService
             checks. Cross-contribution registration order is not visible here either. -->
        <permission name="Comment">
          <include>WriteLifeCycle</include>
        </permission>
    
        <!-- Atomic permission; not included by any compound on this page. -->
        <permission name="Moderate"/>
    
      </extension>
  • nuxeo-platform-collections-core-9.10.jar /OSGI-INF/collection-security-contrib.xml
    <extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService">
    
        <!-- Broader than its name suggests: besides the compound Read, ReadCanCollect
             includes WriteProperties, which is also a component of Write in
             nuxeo-core's permissions-contrib.xml. Holders of this permission are
             therefore not read-only. -->
        <permission name="ReadCanCollect">
          <include>Read</include>
          <include>WriteProperties</include>
        </permission>
    
      </extension>
  • nuxeo-routing-core-9.10.jar /OSGI-INF/document-routing-security-contrib.xml
    <extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService">
    
        <!-- Compound: includes the core Read permission, which in
             nuxeo-core's permissions-contrib.xml itself includes ReadSecurity,
             so DataVisualization transitively carries that as well. -->
        <permission name="DataVisualization">
          <include>Read</include>
        </permission>
    
      </extension>
  • nuxeo-core-9.10.jar /OSGI-INF/permissions-contrib.xml
    <extension point="permissions" target="org.nuxeo.ecm.core.security.SecurityService">
    
        <!-- Registration order matters: every name used in an <include> below is
             declared earlier in this file, as the extension point documentation requires. -->
        <permission name="Browse"/>
        <!-- ReadProperties is itself compound: it carries Browse. -->
        <permission name="ReadProperties">
          <include>Browse</include>
        </permission>
        <permission name="ReadChildren"/>
        <permission name="ReadLifeCycle"/>
        <permission name="ReviewParticipant"/>
        <permission name="ReadSecurity"/>
    
        <permission name="WriteProperties"/>
        <permission name="ReadVersion"/>
    
        <permission name="WriteVersion">
           <include>WriteProperties</include>
        </permission>
    
        <!-- NOTE(review): a real compound named Version is registered here, whereas the
             alias example in the Documentation section above treats 'Version' as a
             deprecated alias of ReadVersion; confirm which applies before relying on the alias. -->
        <permission name="Version">
           <include>ReadVersion</include>
           <include>WriteVersion</include>
        </permission>
    
        <!-- Compound read role. Unlike the Documentation example above, it also includes
             ReadSecurity, so a plain Read grant carries ReadSecurity too. -->
        <permission name="Read">
          <include>Browse</include>
          <include>ReadVersion</include>
          <include>ReadProperties</include>
          <include>ReadChildren</include>
          <include>ReadLifeCycle</include>
          <include>ReadSecurity</include>
          <include>ReviewParticipant</include>
        </permission>
    
        <permission name="AddChildren"/>
        <permission name="RemoveChildren"/>
        <permission name="Remove"/>
        <permission name="ManageWorkflows"/>
        <permission name="WriteLifeCycle"/>
        <permission name="Unlock"/>
    
        <!-- Remove is declared atomically above and re-declared here: per the extension
             point documentation, a second declaration of the same name adds its
             <include>s to the existing definition. -->
        <permission name="Remove">
          <include>RemoveChildren</include>
          <!-- NXP-10929: necessary to follow the "delete" transition when Trash is enabled -->
          <include>WriteLifeCycle</include>
        </permission>
    
        <permission name="ReadRemove">
          <include>Read</include>
          <include>Remove</include>
        </permission>
    
        <!-- Write includes the compound Remove, so it transitively grants
             RemoveChildren and WriteLifeCycle as well. -->
        <permission name="Write">
          <include>AddChildren</include>
          <include>WriteProperties</include>
          <include>Remove</include>
          <include>ManageWorkflows</include>
          <include>WriteLifeCycle</include>
          <include>WriteVersion</include>
        </permission>
    
        <permission name="ReadWrite">
          <include>Read</include>
          <include>Write</include>
        </permission>
    
        <!-- Not part of any compound above: changing ACLs requires an explicit grant. -->
        <permission name="WriteSecurity"/>
    
        <!-- special permission given to administrators: god-level access -->
        <!-- Everything has no <include> list, so none of the compounds above enumerate it;
             NOTE(review): how SecurityService treats it as a superset is not visible here. -->
        <permission name="Everything"/>
    
        <!-- deprecated - was used only for a single customer
          project before pluggable permission definitions -->
        <permission name="RestrictedRead"/>
    
      </extension>