
IPermission vs IAclPermission

Former Member
0 Kudos

Hello,

I want to create a Read permission on a folder for a certain user. I want to do this because I only want to make the folder visible for certain users.

I checked out the forum for how to set IAclPermissions on resources and all KM documentation. For instance see:

My interpretation is that these IAclPermissions can be used to change read, write etc permissions for the item itself.

But what happens is they show up in the end as being service permissions (in the Detail pop-up). I guess that's the way it is. But how then do I change the read write etc. permissions on the item itself so that they will show up in the Permission section of the Details (instead of the Service permission section)? This is important for me because adding them as a Permission (= non-Service permission) is the only way to control visibility in the Navigation iView.

Do I have to set IPermissions instead of IAclPermissions on a resource? And if so, how do I change IPermissions on a resource?

Thanks,

Bart

Accepted Solutions (1)

Former Member
0 Kudos

Ok Detlev, here is my code and imports:

import com.sapportals.portal.prt.component.IPortalComponentResponse;
import com.sapportals.portal.security.usermanagement.IUMPrincipal;
import com.sapportals.portal.security.usermanagement.IUser;
import com.sapportals.portal.security.usermanagement.UserManagementException;
import com.sapportals.wcm.repository.IResource;
import com.sapportals.wcm.repository.IResourceFactory;
import com.sapportals.wcm.repository.ResourceContext;
import com.sapportals.wcm.repository.ResourceException;
import com.sapportals.wcm.repository.ResourceFactory;
import com.sapportals.wcm.repository.security.IResourceAcl;
import com.sapportals.wcm.repository.security.IResourceAclEntry;
import com.sapportals.wcm.repository.security.IResourceAclManager;
import com.sapportals.wcm.repository.service.IRepositoryServiceFactory;
import com.sapportals.wcm.repository.service.serviceacl.IAclService;
import com.sapportals.wcm.util.acl.AclExistsException;
import com.sapportals.wcm.util.acl.AclPersistenceException;
import com.sapportals.wcm.util.acl.AlreadyAssignedToAclException;
import com.sapportals.wcm.util.acl.IAclPermission;
import com.sapportals.wcm.util.acl.InvalidClassException;
import com.sapportals.wcm.util.acl.NotAuthorizedException;
import com.sapportals.wcm.util.acl.PermissionNotSupportedException;
import com.sapportals.wcm.util.uri.RID;
import com.sapportals.wcm.util.usermanagement.WPUMFactory;

public static void setReadPermission(IPortalComponentResponse response) {
    try {
        // Open the folder in the context of the KM service user
        IUser user = WPUMFactory.getServiceUserFactory().getServiceUser("cmadmin_service");
        ResourceContext c = new ResourceContext(user);
        IResource resource = ResourceFactory.getInstance().getResource(RID.getRID("/documents/Bart Docs/PERMISSION"), c);

        // ACL manager obtained through the ACL repository service:
        // entries created with it show up as Service Permissions
        IResourceFactory resFactory = ResourceFactory.getInstance();
        IRepositoryServiceFactory repServiceFactory = resFactory.getServiceFactory();
        IAclService aclService = (IAclService) repServiceFactory.getRepositoryService(resource, "ServiceAclRepositoryService");
        IResourceAclManager aclMgr = aclService.getAclManager();

        // Drop the existing ACL and create a fresh one with a single entry
        aclMgr.removeAcl(resource);
        IResourceAcl resourceAcl = aclMgr.createAcl(resource);
        IUMPrincipal everyone = WPUMFactory.getGroupFactory().getGroup("Everyone");
        IResourceAclEntry entry = aclMgr.createAclEntry(everyone, false, aclMgr.getPermission(IAclPermission.ACL_PERMISSION_WRITE), 0);
        resourceAcl.addEntry(entry);
    // Each catch block writes a numbered marker so the failing step can be identified
    } catch (InvalidClassException e) {
        response.write("<h1>1</h1>");
        e.printStackTrace();
    } catch (AlreadyAssignedToAclException e) {
        response.write("<h1>2</h1>");
        e.printStackTrace();
    } catch (PermissionNotSupportedException e) {
        response.write("<h1>3</h1>");
        e.printStackTrace();
    } catch (UnsupportedOperationException e) {
        response.write("<h1>4</h1>");
        e.printStackTrace();
    } catch (AclPersistenceException e1) {
        response.write("<h1>5</h1>");
        e1.printStackTrace();
    } catch (NotAuthorizedException e1) {
        response.write("<h1>6</h1>");
        e1.printStackTrace();
    } catch (ResourceException e1) {
        response.write("<h1>7</h1>");
        e1.printStackTrace();
    } catch (AclExistsException e1) {
        response.write("<h1>8</h1>");
        e1.printStackTrace();
    } catch (UserManagementException e1) {
        response.write("<h1>9</h1>");
        e1.printStackTrace();
    }
}

Again, it works fine for Service Permissions but not for normal Access Permissions. I hope it makes sense what I said about the Dialog permissions.

Thanks for helping,

Bart

detlev_beutner
Active Contributor
0 Kudos

Hi Bart,

take this

// Additionally needs: import com.sapportals.wcm.repository.security.IAclSecurityManager;
RID rid = RID.getRID("/documents/MeinKleinerTest");
IUser user = WPUMFactory.getServiceUserFactory().getServiceUser("cmadmin_service");
ResourceContext ctx = new ResourceContext(user);
IResourceFactory resFactory = ResourceFactory.getInstance();
IResource resource = resFactory.getResource(rid, ctx);
// ACL manager obtained from the repository's security manager (resource permissions)
IAclSecurityManager asm = (IAclSecurityManager) resource.getRepositoryManager().getSecurityManager(resource);
IResourceAclManager ram = asm.getAclManager();
// Drop the existing ACL and create a fresh one with a single entry
ram.removeAcl(resource);
IResourceAcl resourceAcl = ram.createAcl(resource);
IUMPrincipal everyone = WPUMFactory.getGroupFactory().getGroup("Everyone");
IResourceAclEntry entry = ram.createAclEntry(everyone, false, ram.getPermission(IAclPermission.ACL_PERMISSION_WRITE), 0);
resourceAcl.addEntry(entry);

Hope it helps

Detlev

Answers (5)

Former Member
0 Kudos

You're right, I'm 100% Dutch.

I just happen to work & live in the US for a while.

I'm 95% sure you're German or from one of the other German-speaking European countries.

Next time I'll throw in some Deutsch, see how that works. I hope my 3 years of German classes have not worn off yet.

Again, Danke schön!

detlev_beutner
Active Contributor
0 Kudos

> I'm 95% sure you're German

100% rrrighty

Former Member
0 Kudos

Detlev, you are the man.

I only replaced these lines from my code:

// IResourceFactory resFactory = ResourceFactory.getInstance();
// IRepositoryServiceFactory repServiceFactory = resFactory.getServiceFactory();
// IAclService aclService = (IAclService) repServiceFactory.getRepositoryService(resource, "ServiceAclRepositoryService");
// IResourceAclManager aclMgr = aclService.getAclManager();

with a piece of your code:

IAclSecurityManager asm = (IAclSecurityManager) resource.getRepositoryManager().getSecurityManager(resource);
IResourceAclManager aclMgr = asm.getAclManager();

I knew that there are two ways to get your hands on an IResourceAclManager (using the IAclService or by the IAclSecurityManager) but I never would have guessed that they give different results.

It seems that the IResourceAclManager implementation is different for the two approaches.

Now my permission shows up as a Permission and not as a Service Permission.

I think this is important for people to know.

Muy bien! Danke and I will start handing out some points

- Bart
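The difference described in this post, as an added example that is not part of the original thread and not SAP's own code: both routes to an IResourceAclManager side by side, plus a read-only grant that uses the security-manager route. The class and method names are hypothetical and the import package of IAclSecurityManager is assumed; the KM calls are the ones already used in the code posted in this thread.

```java
import com.sapportals.portal.security.usermanagement.IUMPrincipal;
import com.sapportals.wcm.repository.IResource;
import com.sapportals.wcm.repository.ResourceFactory;
import com.sapportals.wcm.repository.security.IAclSecurityManager; // assumed package
import com.sapportals.wcm.repository.security.IResourceAcl;
import com.sapportals.wcm.repository.security.IResourceAclManager;
import com.sapportals.wcm.repository.service.serviceacl.IAclService;
import com.sapportals.wcm.util.acl.IAclPermission;

/** Hypothetical helper; only the KM calls inside it come from the thread. */
public final class FolderAclHelper {

    /** Route 1: entries appear under Sections -> Permissions in the Details dialog. */
    static IResourceAclManager resourceAclManager(IResource resource) throws Exception {
        Object sm = resource.getRepositoryManager().getSecurityManager(resource);
        if (!(sm instanceof IAclSecurityManager)) {
            // Guard instead of a blind cast: fail clearly if the repository
            // does not hand back an ACL-based security manager.
            throw new IllegalStateException("Repository has no ACL-based security manager");
        }
        return ((IAclSecurityManager) sm).getAclManager();
    }

    /** Route 2: entries appear under Sections -> Service Permission instead. */
    static IResourceAclManager serviceAclManager(IResource resource) throws Exception {
        IAclService svc = (IAclService) ResourceFactory.getInstance().getServiceFactory()
                .getRepositoryService(resource, "ServiceAclRepositoryService");
        return svc.getAclManager();
    }

    /** Replaces the resource ACL with a single READ entry for the given principal. */
    public static void grantReadOnly(IResource resource, IUMPrincipal principal) throws Exception {
        IResourceAclManager mgr = resourceAclManager(resource); // not serviceAclManager()
        mgr.removeAcl(resource);
        IResourceAcl acl = mgr.createAcl(resource);
        IAclPermission read = mgr.getPermission(IAclPermission.ACL_PERMISSION_READ);
        // Same argument pattern as in the thread: principal, false, permission, 0
        acl.addEntry(mgr.createAclEntry(principal, false, read, 0));
    }

    private FolderAclHelper() { }
}
```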

detlev_beutner
Active Contributor
0 Kudos

Hi Bart,

that was the hardest thread of the day, nice to have it solved in the end

Welterusten

Detlev

PS: Your BC says you're situated in the US, but your name strongly indicates being Dutch or Belgian?! So I hope you understand when I'm throwing in some nuggets of my Dutch vocabulary (even if in the USA "welterusten" may be a bit early at the moment)

Former Member
0 Kudos

Ok, here I go...

Scenario:

1) I strip a resource from all its permissions so the resource is not visible/accessible by normal users

2) I created a new IResourceAcl for the resource

3) I created an IAclPermission.ACL_PERMISSION_READ based entry for the user and added it to the IResourceAcl

4) Now I use the Navigation iView to navigate to the resource and start up the Details dialog.

5) I select the Sections -> Permissions menu option and expect to see an entry for the IResourceAclEntry I just created. I don't see it...

6) I select the Sections -> Service Permission menu option and there it is.

But this entry in the Service Permission doesn't do anything for me: the resource is still not visible for this user. Only when I select Sections -> Permissions and add an entry for the user with Read access the resource becomes visible.

So I guess my question is how do I set permissions programmatically that show up in the Permission section? (= Permissions control who is allowed to view and change items)

Maybe I need a whole different API for this?

Please advise,

Bedankt alvast,

Bart

detlev_beutner
Active Contributor
0 Kudos

Hi Bart,

check your code against and - if you don't find the solution by this, post your complete code fragment of which you are expecting the wished behaviour including Import statements (and in CODE block).

Hope it helps

Detlev

Former Member
0 Kudos

I know it's completely explicit and clear. It just doesn't work for me. So I'm looking for alternatives.

- Bart

detlev_beutner
Active Contributor
0 Kudos

Hi Bart,

?!?!?! Have you checked the thread I have referred to? What does not work for you? What are the problems?

Groetjes

Detlev

detlev_beutner
Active Contributor
0 Kudos

Dag Bart,

the thread you've referred to is explicitly about service permissions!

For the resource permissions, see for example

Hope it helps, doei

Detlev