Permissions
Permission checks are done when using the Content API (the REST api).
Users
All usernames can be retrieved using the REST service GET @ {aceurl}/security/user/search.
A specific username can be searched by providing the query parameter query={query} to the same URL.
Permissions
Note: all permissions are applied to the content as a whole, using its type. There are no separate permissions for different aspects of a content.
The available permissions are:
| Permission | Explanation |
|---|---|
Create |
Permits creating contents of a specific type. Note that having Read permission for a content type automatically includes Create permission for that type. |
Read |
Permits reading contents of a specific type in a context . Note that all users have this permission to read all contents on the view acePublic (or any symbolic view resolving to acePublic). |
Update |
Permits updating contents of a specific type. |
Delete |
Permits deleting contents of a specific type. |
AssignAlias |
Permits assigning aliases to contents of a specific type. |
AssignToView |
Permits assigning contents of a specific type to any view, e.g., assign article contents to acePublic view to make article contents publicly available. Note that, the permission is also needed, if the view is backed by a content, i.e., the content have the alias _view/{viewname}. |
UnassignFromView |
Permits unassigning contents of a specific type from any view. |
ContentMetadata |
Unused. |
AddOwner |
Permits adding an owner to a content's security context. |
RemoveOwner |
Permits removing an owner from a content's security context. |
Role
A Role is defined in a content of type aceRole as a list of permissions for each content type. The content for
a role needs an Alias of form _role/{rolename}. Roles can be retrieved using GET @ {aceurl}/security/role.
Example of a role
An editor role with Alias _role/editor:
{
"system": {
"contentType": "aceRoleContent"
},
"aspects": {
"aceRole": {
"_type": "aceRole",
"name": "editor",
"permissions": {
"com.atex.ace.content.Article": [
"Create",
"Read",
"Update"
],
"com.atex.ace.content.SomeOtherType": [
"Read",
"AssignToView",
"UnassignFromView"
]
}
}
}
}
Contexts
Contexts defines the scope where permissions for a given user are valid. Contexts allows a user to assume different types of roles in different scenarios.
When creating a new content, you may pass a content metadata operation containing an aceSecurityContext aspect with
the contexts you want to apply to the content (See Content Metadata).
Default Context
If there is no aceSecurityContext while creating a content, a default security context will be assigned according to
the following steps:
-
If a Content Hierarchy is present, the security context will be based on that.
-
Otherwise, the content will inherit contexts from the user's contexts, where the
Createpermission is present.
UserRoles
UserRoles defines what roles a user has in different contexts. UserRoles is stored in a content of type aceUserRoles
with Alias of form _userroles/{username}.
Example of roles being assigned to a user
An aceUserRoles content with Alias _userroles/kalle:
{
"system": {
"contentType": "aceUserRolesContent"
},
"aspects": {
"aceUserRoles": {
"_type": "aceUserRoles",
"username": "kalle",
"roles": {
"sitemap": [
"editor",
"publisher"
],
"site_sports_section": [
"editor"
],
"site_news_section": [
"editor"
]
}
}
}
}
Permission/roles/user example
A user has role editor in context context_1 and role publisher and editor in context_2. The editor role
contains permissions Create, Read, Update and the publisher role contains permissions AssignToView,
UnassignFromView on content type editorialArticle. Therefore, the user can create an editorialArticle type content in
context_1 and can assign the article to/from any view in context_2.
Note that it is possible to add multiple roles for a user in the same context.