Controlling User Access

The Access Control Editor provides the option to control user access, e.g. for reading or modifying folders and documents and to give permission on access control settings on these. Please note that document permissions on folders are working recursively, thus if modify access to a folder is not permitted, none of the documents in this folder or sub-folders can be modified.

The editor contains the following two tables:

• Inherited Permissions - to display the permissions of the parent folder.
• Granted Permissions - the permissions granted on the participants. It provides the option to add, remove and edit participant permissions.

Figure: Access Control Editor

Note
To use security with Jackrabbit in the rapid application environment, you have to enable security setting as described in the following section.

Enabling Security in RAD

To make security work with Jackrabbit, perform the following steps:

1. Stop the server
2. In folder carnot-jackrabbit/WEB-INF/jackrabbit:
   
   • Rename repository.xml, e.g. repository.xml.nonsecure
   • Rename repository.xml.security to repository.xml
   • Rename repository-full-text-search.xml , e.g. repository-full-text-search.xml.nonsecure.
   • Rename repository-full-text-search.xml.security to repository-full-text-search.xml
3. In folder carnot-jackrabbit/WEB-INF/config/ipp/spring:
   
   • Rename jackrabbit-jcr-context.xml, e.g. jackrabbit-jcr-context.xml.nonsecure.
   • Rename jackrabbit-jcr-context.xml.security to jackrabbit-jcr-context.xml.
4. Create new JCR
5. Republish and restart the server

Figure: Replaced security files in RAD.

Policies on folder creation

Please note that implicit policies are only set on folder creation with the security enabled. In case you set the security after a folder is already created from a non security enabled repository access, the policy is not retroactively set. A user without administrator role does not have access to this folder. In this case a user with administrator role has to set policies on the folder manually. For example to make it possible to upload documents, policies on the folder /process-instances have to be set manually if it was created before the security setting.

For the following folder pattern, the permission ALL is set on creation for everyone in case security is enabled:

• /ipp-repository/partitions/<partitionId>/process-instances
• /ipp-repository/partitions/<partitionId>/realms/<realmId>/users/<userId>
• /ipp-repository/partitions/<partitionId>/preferences

Participant Permissions

The following permissions are provided for participants:

: inherit permission for according action on folder/document

: allow according action on folder/document

: deny according action on folder/document

Inherited Permissions

The table with inherited permissions lists the permissions inherited from parent folders. These entries are not editable.

• Inherited Permissions on Folders
• Inherited Permissions on Documents

Inherited Permissions on Folders

The following columns are listed for inherited permissions on folders:

• Participant: the participant the inherited permissions are granted to.
• Create: inherited permission to create sub-folders, upload files and create text files in this folder.
• Read: inherited permission to read this folder.
• Modify: inherited permission to modify this folder.
• Delete: inherited permission to delete this folder.
• Read ACL: inherited permission to read the list of permissions of the folder.
• Modify ACL: inherited permission to modify the list of permissions of the folder.

Figure: Inherited Permissions for a folder.

Default inherited folder permissions

Per default, inherited permissions for Administrators and Everyone are set. Administrators have the grant Allow for all permissions. Everyone has an Allow value set for the reading grant, whereas all other permissions for Everyone are Inherit (indicated by three dashes) by default.

Inherited Permissions on Documents

The following columns are listed for inherited permissions on documents:

• Participant: the participant the inherited permissions are granted to.
• Read: inherited permission to read this document.
• Modify: inherited permission to modify this document.
• Delete: inherited permission to delete this document.
• Read ACL: inherited permission to read the list of permissions of the document.
• Modify ACL: inherited permission to modify the list of permissions of the document.

Figure: Inherited Permissions for a document.

Default inherited document permissions

Per default, inherited permissions for Administrators and Everyone are set. Administrators have the grant Allow for all permissions. Everyone has an Allow value set for the reading grant, whereas all other permissions for Everyone are Inherit (indicated by three dashes) by default.

Granted Permissions

Depending on whether the Access Control Editor was opened for a folder or for a document, one of the following tables are available:

• Granted Permissions on Folders
• Granted Permissions on Documents

The following operations on permissions are provided:

• Adding Participants
• Removing Participants
• Editing Permissions

Granted Permissions on Folders

Granted permissions on folders have a table with the following columns:

• Participant: the participant the permissions are granted to.
• Create: permission to create sub-folders, upload files and create text files in this folder.
• Read: permission to read this folder.
• Modify: permission to modify this folder.
• Delete: permission to delete this folder.
• Read ACL: permission to read the list of permissions of the folder.
• Modify ACL: permission to modify the list of permissions of the folder.
• Actions: provided action Edit. Please refer to the section Editing Permissions.

Figure: Granted Permissions on a Folder

Granted Permissions on Documents

Granted permissions on documents have a table with the following columns:

• Participant: the participant the permissions are granted to.
• Read: permission to read this document.
• Modify: permission to modify this document.
• Delete: permission to delete this document.
• Read ACL: permission to read the list of permissions of the document.
• Modify ACL: permission to modify the list of permissions of the document.
• Actions: provided action Edit. Please refer to the section Editing Permissions.

Figure: Granted Permissions on a Document

Adding Participants

To add a participant to change the permission of, click the Add Participant icon:

Figure: Add Participant

The Select Participant dialog opens, where you can select the participant in a list. The allowed participants are role, organization, department and its sub-organization and children.

Figure: Select a Participant

OR

Click the link Pick from Tree. The participant tree gets displayed. Select the participant from the tree.

Figure: Participant Tree

The selected participant is created in the table with editable permissions.

Figure: Participant added to table

Note that the access can be granted to a role but when the role is scoped, the accessing user's scope that is department is also displayed. So, if a user would not be allowed to see or work with a process instance due to department association then similarly, the access to the process attachment is denied to that user.

Removing Participants

To remove selected participant(s) from the permissions table, you can either:

• Click the Delete Participant icon above the table.

  
  Figure: Removing a Participant from the List.

• Click the Remove action in the Actions column.

  
  Figure: Removing a Participant via Remove action.

Selecting one or more participant(s) in the table is done by clicking directly on the according row(s). For details on selecting rows in tables, refer to chapter Selecting Rows in a Table. Note that administrators cannot be removed and will remain even in case all rows are selected.

Editing Permissions

To edit selected permission(s) you can do one of the following:

• Select Edit in the Action column of a participant.

  
  Figure: Edit a Permission

• Select one or more participants in the list and click the Edit Permissions icon

  
  Figure: Editing all selected Permissions

Now the permission for the participant(s) can be edited.

Figure: Permissions can be edited now.

You can switch the granted permissions in the columns between the following values provided in the drop-down list:

• inherit: ---
• Allow
• Deny

Figure: Set the Permission.

Click Apply to apply your changes.