Access Control Editor

The Access Control Editor provides the option to control user access, e.g. for reading or modifying folders and documents and to give permission on access control settings on these. Please note that document permissions on folders are working recursively, thus if read access to a folder is not permitted, none of the documents in this folder or sub-folders can be read.

The editor contains the following two tables:

• Inherited Permissions - to display the permissions of the parent folder.
• Granted Permissions - the permissions granted on the participants. It provides the option to add, remove and edit participant permissions.

Figure: Access Control Editor

Enabling Security in RAD

To make security work with Jackrabbit, perform the following steps:

1. Stop the server.
2. In folder carnot-jackrabbit/WEB-INF/jackrabbit:
   
   • Rename repository.xml, e.g. repository.xml.nonsecure.
   • Rename repository.xml.security to repository.xml.
   • Rename repository-full-text-search.xml , e.g. repository-full-text-search.xml.nonsecure.
   • Rename repository-full-text-search.xml.security to repository-full-text-search.xml.
3. In folder carnot-jackrabbit/WEB-INF/config/ipp/spring:
   
   • Rename jackrabbit-jcr-context.xml, e.g. jackrabbit-jcr-context.xml.nonsecure.
   • Rename jackrabbit-jcr-context.xml.security to jackrabbit-jcr-context.xml.
4. Create new JCR.
5. Republish and restart the server.

Figure: Replaced security files in RAD.

Policies on folder creation

Please note that implicit policies are only set on folder creation with the security enabled. In case you set the security after a folder is already created from a non security enabled repository access, the policy is not retroactively set. A user without administrator role does not have access to this folder. In this case a user with administrator role has to set policies on the folder manually. For example to make it possible to upload documents, policies on the folder /process-instances have to be set manually if it was created before the security setting.

For the following folder pattern, the permission ALL is set on creation for everyone in case security is enabled:

• /ipp-repository/partitions/<partitionId>/process-instances
• /ipp-repository/partitions/<partitionId>/realms/<realmId>/users/<userId>
• /ipp-repository/partitions/<partitionId>/preferences

Inherited Permissions

The table with inherited permissions lists the permissions inherited from parent folders. These entries are not editable.

• Inherited Permissions on Folders
• Inherited Permissions on Documents

Inherited Permissions on Folders

The following columns are listed for inherited permissions on folders:

• Participant: the participant the inherited permissions are granted to.
• Create: inherited permission to create sub-folders, upload files and create text files in this folder.
• Read: inherited permission to read this folder.
• Modify: inherited permission to modify this folder.
• Delete: inherited permission to delete this folder.
• Read ACL: inherited permission to read the list of permissions of the folder.
• Modify ACL: inherited permission to modify the list of permissions of the folder.

Figure: Inherited Permissions for a folder.

Inherited Permissions on Documents

The following columns are listed for inherited permissions on documents:

• Participant: the participant the inherited permissions are granted to.
• Read: inherited permission to read this document.
• Modify: inherited permission to modify this document.
• Delete: inherited permission to delete this document.
• Read ACL: inherited permission to read the list of permissions of the document.
• Modify ACL: inherited permission to modify the list of permissions of the document.

Figure: Inherited Permissions for a document.

Column Selection and Reordering

You have the option to select the columns to be displayed in the table and reorder them. Click the Select Columns icon to open the Select Columns dialog, which is described in detail in the section Column Selection and Reordering of the chapter Stardust Portal Components.

Sorting

The table may be sorted by all columns by clicking the sort icon . The table data can be toggled between ascending and descending order when the sort icon is clicked.

Please refer to the section Sorting of the chapter Stardust Portal Components for detailed information.

Granted Permissions

Depending on whether the Access Control Editor was opened for a folder or for a document, one of the following tables are available:

• Granted Permissions on Folders
• Granted Permissions on Documents

The following operations on permissions are provided:

• Adding Participants
• Removing Participants
• Editing Permissions

Granted Permissions on Folders

Granted permissions on folders have a table with the following columns:

• Participant: the participant the permissions are granted to.
• Create: permission to create sub-folders, upload files and create text files in this folder.
• Read: permission to read this folder.
• Modify: permission to modify this folder.
• Delete: permission to delete this folder.
• Read ACL: permission to read the list of permissions of the folder.
• Modify ACL: permission to modify the list of permissions of the folder.
• Actions: provided action Edit. Please refer to the section Editing Permissions.

Figure: Granted Permissions on a Folder

Column Selection and Reordering

You have the option to select the columns to be displayed in the table and reorder them. Click the Select Columns icon to open the Select Columns dialog, which is described in detail in the section Column Selection and Reordering of the chapter Stardust Portal Components.

Sorting

The table may be sorted by all columns by clicking the sort icon . The table data can be toggled between ascending and descending order when the sort icon is clicked.

Please refer to the section Sorting of the chapter Stardust Portal Components for detailed information.

Granted Permissions on Documents

Granted permissions on documents have a table with the following columns:

• Participant: the participant the permissions are granted to.
• Read: permission to read this document.
• Modify: permission to modify this document.
• Delete: permission to delete this document.
• Read ACL: permission to read the list of permissions of the document.
• Modify ACL: permission to modify the list of permissions of the document.
• Actions: provided action Edit. Please refer to the section Editing Permissions.

Figure: Granted Permissions on a Document

Column Selection and Reordering

You have the option to select the columns to be displayed in the table and reorder them. Click the Select Columns icon to open the Select Columns dialog, which is described in detail in the section Column Selection and Reordering of the chapter Stardust Portal Components.

Sorting

The table may be sorted by all columns by clicking the sort icon . The table data can be toggled between ascending and descending order when the sort icon is clicked.

Please refer to the section Sorting of the chapter Stardust Portal Components for detailed information.

Adding Participants

To add a participant to change the permission of, click the Add Participant icon:

Figure: Add Participant

The Select Participant dialog opens, where you can select the participant in a list. The allowed participants are role, organization, department and its sub-organization and children.

Figure: Select a Participant

OR

Click the link Pick from Tree. The participant tree gets displayed. Select the participant from the tree.

Figure: Participant Tree

Note that the access can be granted to a role but when the role is scoped, the accessing user's scope that is department is also displayed. So, if a user would not be allowed to see or work with a process instance due to department association then similarly, the access to the process attachment is denied to that user.

Removing Participants

To remove selected participant(s) from the permissions table, you can either:

• Click the Delete Participant icon above the table.

  
  Figure: Removing a Participant from the List.

• Click the Remove action in the Actions column.

  
  Figure: Removing a Participant via Remove action.

Selecting one or more participant(s) in the table is done by clicking directly on the according row(s). For details on selecting rows in tables, refer to section Table Row Selection of chapter Stardust Portal Components. Note that administrators cannot be removed and will remain even in case all rows are selected.

Editing Permissions

To edit selected permission(s) you can do one of the following:

• Select Edit in the Action column of a participant.

  
  Figure: Edit a Permission

• Select one or more participants in the list and click the Edit Permissions icon

  
  Figure: Editing all selected Permissions

Selecting one or more participant(s) in the table is done by clicking directly on the according row(s). For details on selecting rows in tables, refer to section Table Row Selection of chapter Stardust Portal Components.

Now the permission for the participant(s) can be edited.

Figure: Permissions can be edited now.

You can switch the granted permissions in the columns between the following values provided in the drop-down list:

• Allow
• Deny

Figure: Set the Permission.

Click Apply to apply your changes.