jackrabbit-users mailing list archives

From anjan <poliset...@gmail.com>
Subject ACL inheritance
Date Tue, 07 Jan 2014 05:25:34 GMT
The question I have regarding the ACL inheritance can be explained taking the
below example:

Let us assume that there is a folder 'parent-folder' whose child is
'child-folder'. Assume that 'parent-folder' was assigned "jcr:read"
privilege for "everyone" logical group and "jcr:write" privilege for
"Managers" group.

If we don't want all the users to view 'child-folder', then we need to set
"jcr:read" privilege to "deny" for "everyone" group at the 'child-folder'
level. Since ACEs defined on a particular node take precedence over
inherited ones, none of the users will be able to view 'child-folder' (even
though "jcr:write" privilege for "Managers" group is present in
'parent-folder'). "jcr:write" privilege for "Managers" group needs to be
applied at the 'child-folder' as well for the users of "Managers" group to
read and write. Is this the expected behavior?

As noted in the Jackrabbit wiki, a core concept of resource-based ACLs is that
they inherit the ACLs from the parent node, thus for each node, all the ACLs
of its ancestors come into play as well. But in the above scenario, setting
"jcr:read" privilege to "deny" for "everyone" group will effectively stop
the inheritance.
