Easily Manage Permissions in Nuxeo With Extended ACLs


Thu 12 November 2015 By Anne Jubert

With the release of Nuxeo Platform 7.4, managing user permissions has become easier than ever! We have done a lot of work on permission and security management, and we are happy to provide many improvements and new features in this area. Let’s take a look at them with some examples.

What's New for a User in Terms of UI


For a better user experience, the Permissions tab is now directly visible on the document even when the user only has read permission. As a user, you can see who has access to the document even if you are not allowed to manage those permissions. The tab is also now visible on all documents: not only on folderish documents, as before, but also on file objects, note objects, etc.

Here’s an example of user julie who only has read permission but can see this new tab on the document Opportunity-developper.pdf:


User with read permission has access to the new Permissions tab

The New Features


Let’s focus on the new features that were added.

One of the most helpful new features is that permissions can now be temporary, and the user can be notified when the permission is set.

Let’s take an example: we want to give julie the write permission on the Opportunity-developper.pdf document between October 22nd and October 29th.

To do this, let’s connect as john to add a New Permission. Select:


  • the User / Group that will be granted this permission

  • the Right (Read, Write, Remove, or Manage Everything)

  • the Time Frame (permanent or date based)


Finally, you can choose to Send an email to notify the user. The user receives the email as soon as the permission on the document becomes active.

Once added, existing permissions can be edited or deleted. You can also block/unblock inherited permissions.


Adding a temporary permission for julie on the “Opportunity-developper.pdf” document

New permission added for julie

The second feature is Shared with Me on the user dashboard.

Here’s an example: john wants to give the user david read permission on the document Opportunity-developper.pdf even though david has no access to the Human Resources Department. david cannot reach the document by browsing the workspace, but he can open it from Shared with Me on his dashboard:


“Shared with Me” available on the dashboard

“Shared with Me”

Another feature is the new Permissions tab in the Admin Center, which lets you search both past and current permissions. This is very useful for audits and for heavily regulated environments such as financial and pharmaceutical organizations.

For example, you can answer questions like “Who had the write permission on that folder or its subfolders between this date and that date?” or “On which documents does julie have permissions?”


Search for permissions

Last but not least, you can Purge the ACLs of a given user on a specific part of the repository. This is very useful when a user should no longer have any access at all, for instance when they leave your organization.


Purge of permissions for julie - Step 1

Purge of permissions for julie - Step 2

Here is a demo of all the features I described above:


The Technical Side


The tab has been rewritten using REST API calls only, which makes the UI very reactive. This is preliminary work on the UI, and we may apply the same approach to the entire product in the coming year.

It is also possible to query for documents that carry specific ACLs. Here’s an example of a query for documents on which bob has been granted a permission (the *1 index correlates the principal, grant and permission predicates so that all three apply to the same ACE):

SELECT * FROM Document WHERE ecm:acl/*1/principal = 'bob' AND ecm:acl/*1/grant = 1 AND ecm:acl/*1/permission IN ('Browse', 'Read', 'ReadProperties', 'ReadWrite', 'ReadRemove', 'Everything')

Because the tab is built on REST calls, the same operations and APIs are available to you, so everything the tab does can be reimplemented in your own code.
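As an added example, not code from Nuxeo or from this post, the following Python module builds the ACL query shown above for an arbitrary principal and the REST request that grants a time-boxed permission, i.e. the New Permission form driven over the API. It assumes the Automation operation Document.AddPermission with the parameters user, permission, begin, end, notify and comment at <base>/site/automation/Document.AddPermission, an NXQL endpoint at GET <base>/api/v1/query?query=..., the mapping from the UI rights (Read, Write, Remove, Manage Everything) to the permission names Read, ReadWrite, ReadRemove and Everything, and a constructed server URL; none of these are stated on the page. Two checks matter from a security standpoint: the principal name is validated against an allowlist before it is placed in the NXQL string literal, so a name containing a quote can never alter the query, and the correlated wildcard *1 is used so that principal, grant and permission are tested on the same ACE.

```python
"""Added example (not Nuxeo's or the post's code): NXQL ACL query builder
and Document.AddPermission request builder for the Extended ACL features.

Assumptions not on the original page: the operation Document.AddPermission
with parameters user, permission, begin, end, notify, comment; the query
endpoint GET <base>/api/v1/query?query=...; the UI right -> permission
mapping in RIGHT_TO_PERMISSION; and the constructed server URL in main.
"""
import json
import re
from datetime import datetime
from urllib.parse import urlencode

# A principal name ends up inside an NXQL string literal. Instead of escaping
# quotes we accept only the characters a Nuxeo user or group id normally has;
# quotes, spaces and backslashes are rejected, which closes the query
# injection door without depending on the NXQL escaping rules.
_PRINCIPAL_RE = re.compile(r"^[A-Za-z0-9._@-]+$")
_PERMISSION_RE = re.compile(r"^[A-Za-z]+$")

# The permissions the post's query treats as "can read the document".
READ_PERMISSIONS = ("Browse", "Read", "ReadProperties", "ReadWrite",
                    "ReadRemove", "Everything")

# UI "Right" labels from the post -> Nuxeo permission names (assumed mapping).
RIGHT_TO_PERMISSION = {"Read": "Read", "Write": "ReadWrite",
                       "Remove": "ReadRemove", "Manage Everything": "Everything"}


def _check_principal(principal):
    if not _PRINCIPAL_RE.match(principal):
        raise ValueError(f"refusing to embed principal {principal!r} in NXQL")
    return principal


def nxql_granted_to(principal, permissions=READ_PERMISSIONS):
    """NXQL for documents whose ACL grants `principal` one of `permissions`.

    The correlated wildcard *1 ties principal, grant and permission to the
    same ACE. With a plain * each predicate could match a different ACE, so a
    document where bob is denied Read while another user is granted it would
    still be returned.
    """
    _check_principal(principal)
    for p in permissions:
        if not _PERMISSION_RE.match(p):
            raise ValueError(f"bad permission name {p!r}")
    perm_list = ", ".join(f"'{p}'" for p in permissions)
    return ("SELECT * FROM Document "
            f"WHERE ecm:acl/*1/principal = '{principal}' "
            "AND ecm:acl/*1/grant = 1 "
            f"AND ecm:acl/*1/permission IN ({perm_list})")


def query_request(base_url, nxql):
    """GET request for the (assumed) /api/v1/query endpoint; the NXQL is
    URL-encoded so '*', quotes and spaces survive the trip."""
    return {"method": "GET",
            "url": f"{base_url.rstrip('/')}/api/v1/query?{urlencode({'query': nxql})}"}


def _parse_instant(value):
    # ISO 8601 instant; a trailing Z is normalised so fromisoformat accepts it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def add_permission_request(base_url, doc_id, user, right,
                           begin=None, end=None, notify=False, comment=None):
    """Request for Document.AddPermission (assumed parameter names).

    `right` is the UI label (Read / Write / Remove / Manage Everything);
    `begin`/`end` are ISO 8601 instants bounding the grant, the date-based
    Time Frame of the UI; `notify` asks the server to e-mail the user.
    """
    _check_principal(user)
    try:
        permission = RIGHT_TO_PERMISSION[right]
    except KeyError:
        raise ValueError(f"unknown right {right!r}") from None
    if begin and end and _parse_instant(begin) > _parse_instant(end):
        raise ValueError("permission would expire before it starts")
    params = {"user": user, "permission": permission, "notify": notify}
    for key, value in (("begin", begin), ("end", end), ("comment", comment)):
        if value is not None:
            params[key] = value
    return {"method": "POST",
            "url": f"{base_url.rstrip('/')}/site/automation/Document.AddPermission",
            "headers": {"Content-Type": "application/json"},
            "body": {"input": f"doc:{doc_id}", "params": params, "context": {}}}


if __name__ == "__main__":
    base = "https://nuxeo.example.org/nuxeo"   # constructed, not a real server
    print(query_request(base, nxql_granted_to("bob"))["url"])
    req = add_permission_request(base, "8d46d1cf-5ad7-4c27-bba8-ff4021a7c4d1",
                                 "julie", "Write",
                                 begin="2015-10-22T00:00:00Z",
                                 end="2015-10-29T00:00:00Z", notify=True)
    print(json.dumps(req["body"], indent=2))
```

The builders return plain request dictionaries rather than sending anything, so the same code can feed whatever HTTP client and authentication your deployment uses; send the body with `json.dumps` and your session credentials. Rejecting, rather than escaping, unexpected characters in principal names is the safer choice for an audit query: a name that fails the allowlist is almost certainly not a real Nuxeo user, and the failure is visible instead of silently producing a different query.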

The tab is also built from web components. An element called “document-permissions” can be used on any HTML page outside the Nuxeo Platform (a custom HTML page, a portal, an AngularJS site, etc.) to display and use the Permissions screen of a given Nuxeo document. All you need to know is the document ID.

<nx-connection id="nx_connection" url="https://nightly.nuxeo.com/nuxeo/"></nx-connection>
<document-permissions doc-id="8d46d1cf-5ad7-4c27-bba8-ff4021a7c4d1"></document-permissions>



Category: Product & Development
Tagged: Demo, Features, Nuxeo Platform 7.x