Permissions Purge — Easily Update Permissions to Block Unauthorized Access

Thu 04 May 2017 By Gregory Carlin

Monitoring user and group permissions is fundamental when dealing with confidential or corporate content. This is especially true in certain situations, for instance, one of your employee is leaving the company and you want to be 100% sure that:

  • He can't authenticate anymore to access the repository
  • All his active tasks are reassigned or delegated to somebody else
  • All the document permissions on the content that he has access to are updated - which is the topic of this blog post! Let’s take a look at this in detail.

Providing a platform which allows the control and the security of every content is one of Nuxeo's key concern and priority. It is in this context that we’ve integrated a permissions purge console. It enables any administrator to remove all the Access Control Entries of a particular user or group in the repository. Additionally, you can specify the location where the purge should happen.

So let's take a simple and practical example to illustrate this feature. Let’s say, for a particular project, you have worked with a partner to whom you've given access to your project folder. Once your project is finished, you have to archive it and remove your partner's permissions. This is where the permissions purge console will come into picture!

So let's see it in action.

In this short video, a user called "my_partner" has WRITE access to a folder called "My confidential project folder". We will remove his permission on this particular folder, and check whether the purge is working correctly or not after re-logging.

As expected, the partner can log in but an error message warns him that he doesn’t have access anymore to the content.

In situations where the employee departure or retirement process is managed by a third party software, as a business process management platform, you can still use the permissions purge by leveraging the Nuxeo REST API. In this case, you will use the REST API operation:

curl -H 'Content-Type:application/json+nxrequest' -X POST \
  -d '{"params":{"usernames":"my_partner"}, "input":"docId","context":{}}' \
  -u Administrator:Administrator https://SERVER_NUXEO/nuxeo/api/v1/automation/PermissionsPurge

Finally, you can even use this operation in any automation chain as it is exposed in Nuxeo Studio. As such, you can trigger this operation in any workflow template or if any particular event occurs in the repository:

To get the full description of the operation, take a look at the Nuxeo Explorer webpage.

In conclusion, the permissions purge operation is one of the features which typically shows you how easy it is to control and deploy any security policy in a Nuxeo repository. So now, it’s time to ask yourself if your content is correctly secured and under control. If not, you know what to do!

Tagged: REST API, Nuxeo Platform, How to