Posted to oak-dev@jackrabbit.apache.org by Angela Schreiber <an...@adobe.com> on 2014/04/01 09:03:54 UTC

Re: [Group management] Define ACL on a group to allow membership modification but deny group deletion

hi vikas

yes, that's the way this is now handled in oak by default. if you
want to have regular 'removeNode' permissions being enforced for
removing a group or user you can set the "permissionsJr2" config
parameter to "USER_MANAGEMENT" in the authorization config. as
an effect the rep:userManagement privilege is no longer respected.

kind regards
angela

On 29/03/14 19:48, "Vikas Saurabh" <vi...@gmail.com> wrote:

>Hi,
>
>I want to have a group (say 'authors'), such that members of another group
>(say 'root') can add/remove members to it, but can't delete the group
>itself.
>
>To allow membership modification, I had to give rep:userManagement. But,
>with that, even after denying 'removeNode', I could delete the group by
>group.remove().
>
>Thanks,
>Vikas

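As an added illustration (this is not code from the thread or from the Oak project), the setup Angela describes in Oak's Java API: the authorization config gets `permissionsJr2=USER_MANAGEMENT`, after which an ordinary ACL on the 'authors' group node lets 'root' members edit membership while `jcr:removeNode` stays denied. It assumes an in-memory Oak 1.0-era repository with the default admin/admin credentials; the user and group names are constructed for the example.

```java
import javax.jcr.AccessDeniedException;
import javax.jcr.Repository;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.Oak;
import org.apache.jackrabbit.oak.jcr.Jcr;
import org.apache.jackrabbit.oak.security.SecurityProviderImpl;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;

public class GroupAclExample {
    public static void main(String[] args) throws Exception {
        // permissionsJr2=USER_MANAGEMENT: rep:userManagement is ignored and the
        // ordinary jcr:* write permissions decide what may change below a group node.
        ConfigurationParameters authz = ConfigurationParameters.of("permissionsJr2", "USER_MANAGEMENT");
        ConfigurationParameters config = ConfigurationParameters.of(AuthorizationConfiguration.NAME, authz);
        Repository repo = new Jcr(new Oak()).with(new SecurityProviderImpl(config)).createRepository();

        JackrabbitSession admin = (JackrabbitSession) repo.login(new SimpleCredentials("admin", "admin".toCharArray()));
        UserManager um = admin.getUserManager();
        um.createUser("bob", "secret");                        // constructed sample user, added by alice below
        Group rootGroup = um.createGroup("root");
        Group authors = um.createGroup("authors");
        rootGroup.addMember(um.createUser("alice", "secret")); // constructed sample member of 'root'
        admin.save();

        // 'root' members may read the tree and edit membership (rep:members is written on the
        // group node, so jcr:modifyProperties plus jcr:addChildNodes covers it) ...
        AccessControlUtils.addAccessControlEntry(admin, "/", rootGroup.getPrincipal(),
                new String[]{Privilege.JCR_READ}, true);
        AccessControlUtils.addAccessControlEntry(admin, authors.getPath(), rootGroup.getPrincipal(),
                new String[]{Privilege.JCR_MODIFY_PROPERTIES, Privilege.JCR_ADD_CHILD_NODES}, true);
        // ... but removing the group node itself is explicitly denied.
        AccessControlUtils.addAccessControlEntry(admin, authors.getPath(), rootGroup.getPrincipal(),
                new String[]{Privilege.JCR_REMOVE_NODE}, false);
        admin.save();

        JackrabbitSession s = (JackrabbitSession) repo.login(new SimpleCredentials("alice", "secret".toCharArray()));
        UserManager aliceUm = s.getUserManager();
        Group g = (Group) aliceUm.getAuthorizable("authors");
        g.addMember(aliceUm.getAuthorizable("bob"));
        s.save();                                              // membership write is allowed
        try {
            g.remove();
            s.save();                                          // rejected: jcr:removeNode is denied
        } catch (AccessDeniedException expected) { s.refresh(false); }
    }
}
```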

Re: [Group management] Define ACL on a group to allow membership modification but deny group deletion

Posted by Vikas Saurabh <vi...@gmail.com>.
Thanks Angela,

I've logged OAK-1653 for making rep:userManagement an aggregate. I'd use
'permissionJr2' and regular ACLs in the meantime.

I don't know the Oak component responsible for user management, so I've left
that field blank.

Thanks,
Vikas

Re: [Group management] Define ACL on a group to allow membership modification but deny group deletion

Posted by Angela Schreiber <an...@adobe.com>.
hi vikas

>are there any side-effects of 'set the "permissionsJr2" config
>parameter to "USER_MANAGEMENT" in the authorization config.'?

the side effect is that all user management related operations will be
covered by regular write permissions and the specific user management
permission for creating, modifying and removing items identifying user
and groups will no longer be respected... that's the behavior as it
used to be in jackrabbit 2.x. since many of those items are protected
it's more consistent to have them handled by dedicated permissions.

>Also, does it seem like a valid requirement to allow membership
>modification but not whole user management privilege? Should I log an
>issue for this?

we could make the rep:userManagement privilege an aggregate in order to
allow for more fine grained control. feel free to file an improvement in
the oak jira.

kind regards
angela

>
>Thanks,
>Vikas


Re: [Group management] Define ACL on a group to allow membership modification but deny group deletion

Posted by Vikas Saurabh <vi...@gmail.com>.
Hi Angela,

are there any side-effects of 'set the "permissionsJr2" config
parameter to "USER_MANAGEMENT" in the authorization config.'?

Also, does it seem like a valid requirement to allow membership
modification but not whole user management privilege? Should I log an issue
for this?

Thanks,
Vikas