• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer
TSB Alfresco Cobrand White tagline

Technology Services Group

  • Home
  • Products
    • Alfresco Enterprise Viewer
    • OpenContent Search
    • OpenContent Case
    • OpenContent Forms
    • OpenMigrate
    • OpenContent Web Services
    • OpenCapture
    • OpenOverlay
  • Solutions
    • Alfresco Content Accelerator for Claims Management
      • Claims Demo Series
    • Alfresco Content Accelerator for Policy & Procedure Management
      • Compliance Demo Series
    • OpenContent Accounts Payable
    • OpenContent Contract Management
    • OpenContent Batch Records
    • OpenContent Government
    • OpenContent Corporate Forms
    • OpenContent Construction Management
    • OpenContent Digital Archive
    • OpenContent Human Resources
    • OpenContent Patient Records
  • Platforms
    • Alfresco Consulting
      • Alfresco Case Study – Canadian Museum of Human Rights
      • Alfresco Case Study – New York Philharmonic
      • Alfresco Case Study – New York Property Insurance Underwriting Association
      • Alfresco Case Study – American Society for Clinical Pathology
      • Alfresco Case Study – American Association of Insurance Services
      • Alfresco Case Study – United Cerebral Palsy
    • HBase
    • DynamoDB
    • OpenText & Documentum Consulting
      • Upgrades – A Well Documented Approach
      • Life Science Solutions
        • Life Sciences Project Sampling
    • Veeva Consulting
    • Ephesoft
    • Workshare
  • Case Studies
    • White Papers
    • 11 Billion Document Migration
    • Learning Zone
    • Digital Asset Collection – Canadian Museum of Human Rights
    • Digital Archive and Retrieval – ASCP
    • Digital Archives – New York Philharmonic
    • Insurance Claim Processing – New York Property Insurance
    • Policy Forms Management with Machine Learning – AAIS
    • Liferay and Alfresco Portal – United Cerebral Palsy of Greater Chicago
  • About
    • Contact Us
  • Blog

Extending Alfresco Security Beyond ACLs

You are here: Home / Alfresco / Extending Alfresco Security Beyond ACLs

July 2, 2015

Recently TSG worked with an Alfresco client that had unique requirements around document and folder security.  In addition to traditional ACL security, the client needed the ability to tag documents with metadata that would deny users access to content unless they were members of a particular group.  This post will focus on our approach for addressing the security requirements in Alfresco.

At first glance, the requirement to deny access to content based on metadata values seems like something that could be solved by using behaviors in Alfresco to modify ACL permissions any time metadata is updated.  The nuance that makes this problem more challenging is that we needed to deny read permissions to certain users, regardless of what the ACL already permitted.

ACLs inherently give a user the least restrictive access possible given the permissions defined on the ACL.  Take the following ACL as an example:

  • John Doe – Consumer
  • Group A – Contributor
  • Group Z – Collaborator

If user John Doe is a member of Group A and Group Z, this ACL will permit John to have Collaborator permissions on the content because it is the least restrictive permission level that the ACL permits for John based on his group membership.

Getting back to the client’s requirement, we need to DENY all users in a group access to content, regardless of what any other permissions in the ACL dictate.  In other words, in this special case, we want the most restrictive permission to win.

For those who are more intimately familiar with Alfresco permissions, you may be aware that Alfresco’s permission model does support both GRANT and DENY permissions. The challenge with using DENY permissions is that they are not exposed in the Alfresco Share interface, which is the client’s chosen interface.

Another option that was considered was using Alfresco Records Manager’s “Supplemental Markings” feature to address the security requirement.  Initially, supplemental markings seemed to be exactly what we were looking for.  They allow documents to be tagged with metadata that then permitted only defined users groups access to the documents.  Our bubble was burst when we discovered that the supplemental markings feature is only available for documents that have been declared as records.  Even though Alfresco Records Manager supports in place records in Share, as soon as documents are declared as records, other Share features become disabled for the documents, and this was not acceptable for the client.

Finally, we settled on implementing some small customizations to satisfy the requirements, which turned out to be simpler than expected because Alfresco is an open source platform.  The solution involved adding an aspect with a property to store the metadata that would determine the special security.  From there, we created a custom permission service implementation defined in the public-services-security-context.xml.  Our custom permission service checked the metadata of the document and the user’s group membership to permit or deny the user access to content after the standard ACL permission checks were complete.  This nice thing with this approach is that it intercepts the user’s access at the lowest possible level and it only required a customization in one place.

Overall we were pleasantly surprised to see that the permissions model in Alfresco could be so easily manipulated to meet the client’s unique requirements. This would have been a much more difficult challenge if the client had chosen another ECM platform.

Filed Under: Alfresco, Product Suite, R&D, Records Management, Share

Reader Interactions

Leave a Reply Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Primary Sidebar

Search

Related Posts

  • Top 5 Differences between Records Management and Document Management
  • Alfresco Records Management – Using Rules to Make Records Filing Easy for Users
  • Auto-Numbering Content in Alfresco
  • Documentum or Alfresco – Redacting Sensitive Information with OpenRedact
  • Alfresco Data List-Driven Value Assistance
  • Alfresco Chicago User Group Meeting Recap
  • Chicago Alfresco User Group Meeting – March 1st
  • Alfresco and Liferay – Lessons Learned from UCP of Greater Chicago
  • Alfresco DevCon Wrap Up
  • Alfresco Consulting – Consulting in an Open Source world

Recent Posts

  • Alfresco Content Accelerator and Alfresco Enterprise Viewer – Improving User Collaboration Efficiency
  • Alfresco Content Accelerator – Document Notification Distribution Lists
  • Alfresco Webinar – Productivity Anywhere: How modern claim and policy document processing can help the new work-from-home normal succeed
  • Alfresco – Viewing Annotations on Versions
  • Alfresco Content Accelerator – Collaboration Enhancements
stacks-of-paper

11 BILLION DOCUMENT
BENCHMARK
OVERVIEW

Learn how TSG was able to leverage DynamoDB, S3, ElasticSearch & AWS to successfully migrate 11 Billion documents.

Download White Paper

Footer

Search

Contact

22 West Washington St
5th Floor
Chicago, IL 60602

inquiry@tsgrp.com

312.372.7777

Copyright © 2023 · Technology Services Group, Inc. · Log in

This website uses cookies to improve your experience. Please accept this site's cookies, but you can opt-out if you wish. Privacy Policy ACCEPT | Cookie settings
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT