...
Ownership allows to limit a permission to the owner property of an instance. 2 7 keywords are available
$selfowner: User must be the owner of the instance to be able to perform an action$anyowner: No restriction on ownership$boardcollaborator: Specific to boards domain - Identify the surfer as a collaborator on a board
Groups pkgsecugroup
Groups allow to centralize multiple permissions on one or many objects, for one or many roles and one or many users.
name: Name of the group
template (boolean): it is convenient to have
$teammember:
Allows to check whether the surfer is part of the fieldStatus colour Purple title since 2024.1 team(team is a child multi on user). This requires the structure to have thepkg/security/collaborativeconfig tag$teamleader:
Allows to check whether the surfer is denoted in the fieldStatus colour Purple title since 2024.1 jobowner. This requires the structure to have thepkg/security/collaborativeconfig tag$teamviewer:
Allows to check whether the surfer is part of the fieldStatus colour Purple title since 2024.4 viewers(viewers is a child multi on user). This requires the structure to have thepkg/security/collaborativeconfig tag.
Caution,$teamviewerownership can only be used with view action$public:
Allows to check whether the instance is NOT private →private field as a child activated = 2. This requires the structure to have theStatus colour Purple title since 2024.4 pkg/security/collaborativeconfig tag.
Groups pkgsecugroup
Groups allow to centralize multiple permissions on one or many objects, for one or many roles and one or many users.
name: Name of the group
template (boolean): it is convenient to have groups as templates. If template is true, then this instance is not used when resolving groups to which belong a user
activated (boolean): Inactive instances are ignored
objectsselector (string): A structure selector to define which objects are managed by the group. For instance:
assetkeywordwould apply to structure named assetkeyword.#damobjectwould apply to any structure having the tagdamobject(on table level)assetkeyword,#damobjectwould apply to structure assetkeyword and to any object having the tag damobject
permissions (childmulti → pkgsecupermission): Permissions granted to users belonging to this group for objects matching objectselector
roles (childmulti →role): All users of selected roles will be members of the group
users (childmulti →user): All users selected will be members of this group
...
It is possible to automatically extend some bases with the ones provided by the plugin:
Set plugin parameter
extend_basestotrueMake sure
extended_basesreferences to the coma-separated list of bases you want the plugin to extend (base_list,base_searchby default)Make sure
extend_withreferences the coma-separated list of bases you want to use to extend theextended_baseslist of bases (base_pkgsecurity_viewby default)
By doing so, you will be instructing the plugin to extend base_list and base_search with base_pkgsecurity_view for each object.
...
Preventing bases for Developers to be extended
Given that
extend_bases = trueextended_bases = base_list,base_searchextend_with = base_pkgsecurity_view
To deactivate the extension for all objects for role 4 (and therefor to be able to see any instance), you can define the config to:
...
@pkgV1ObjectActions is defined to check for an objectname if some permissions were given to a user for the corresponding objectdata action → No additional configuration is required on objectactions: an action from objectactions domain will be granted if some permissions were given on objectdata
Equivalences
objectactions action domain | tested objectdata action | |
|---|---|---|
create | insert | Check for existence of either
|
damimport | ||
massimport | ||
multiupdate | update | Check for existence of |
datavaluespicker | ||
broadcastVideo | broadcastVideo | Check for existence of |
defineVideoPoster | defineVideoPoster | Check for existence of |
delete | delete | Check for existence of |
editPicture | editPicture | Check for existence of |
editVideoChapters | editVideoChapters | Check for existence of |
editVideoSubtitles | editVideoSubtitles | Check for existence of |
embed | embed | Check for existence of |
manageVideoCallToActions | manageVideoCallToActions | Check for existence of |
manageVideoRolls | manageVideoRolls | Check for existence of |
order | order | Check for existence of |
sliceVideo | sliceVideo | Check for existence of |
Cheat sheet
Find for each managed domain / action, the permission pattern
domain | action | permission pattern |
|---|---|---|
applications | isAvailable |
|
boards | makePublicBoard |
|
boards | shareBoard |
|
objectdata | broadcastVideo |
|
objectdata | changeStatus |
|
objectdata | defineVideoPoster |
|
objectdata | delete |
|
objectdata | editPicture |
|
objectdata | editVideoChapters |
|
objectdata | editVideoSubtitles |
|
objectdata | embed |
|
objectdata | i18nFieldsTranslate |
|
objectdata | insert |
|
objectdata | manageVideoCallToActions |
|
objectdata | manageVideoRolls |
|
objectdata | order |
|
objectdata | retrieveCaption |
|
objectdata | sliceVideo |
|
objectdata | update |
|
objectdata |
view |
|
objectdata
sliceVideo
v1/objectdata/slicevideo/:instanceStatus/:ownership
objectdata
update
v1/objectdata/update/:instanceStatus/:ownership
objectdata
view
v1/objectdata/view/:instanceStatus/:ownership
Find available values for modifiers
modifier
value
description
applicationName
<name>
Name of the application (BackOffice → bo...)
boardVisibility
$publicboard
A board that is not private
$privateboard
A private board
$anyvisibilityboard
A board private or not
boardType
$anyboardtype
Any type of board
<type>
A board of type <type>
creationMode
$newcreation
Only fresh new instances
$copycreation
Only copies
$anycreation
Any mode
instanceStatus
$online
An online marked state
$archived
An archived marked state
$offline
A state that is neither marked online not archived
$initialstatus
The initial state of the instance (usually = 2)
$anystatus
Any state
<customMetaStatus>
A custom meta state
<statusID>
The ID of a status
ownership
$selfowner
User must be the owner of the instance to be able to perform an action
$anyowner
No restriction on ownership
$boardcollaborator
|
Find available values for modifiers
modifier | value | description | ||||
|---|---|---|---|---|---|---|
applicationName |
| Name of the application (BackOffice → | ||||
boardVisibility |
| A board that is not private | ||||
| A private board | |||||
| A board private or not | |||||
boardType |
| Any type of board | ||||
| A board of type | |||||
creationMode |
| Only fresh new instances | ||||
| Only copies | |||||
| Any mode | |||||
instanceStatus |
| An online marked state | ||||
| An archived marked state | |||||
| A state that is neither marked online not archived | |||||
| The initial state of the instance (usually = 2) | |||||
| Any state | |||||
| A custom meta state | |||||
| The ID of a status | |||||
ownership |
| User must be the owner of the instance to be able to perform an action | ||||
| No restriction on ownership | |||||
| Specific to boards domain - Identify the surfer as a collaborator on a board | |||||
| User is referenced on Requires
| |||||
| User is referenced on Requires
| |||||
| User is referenced on Requires
| |||||
| Instance has property Requires
| |||||
workflowAction |
| Publishing action: performing a workflow action that will move the instance in an online marked state | ||||
| Archiving action: performing a workflow action that will move the instance in an archived marked state | |||||
| Forward action: performing an action marked forward, and that will not lead to online or archived marked state. | |||||
| Backward action: performing an action NOT marked forward, and that will not lead to online or archived marked state. | |||||
| Any process action: performing that will not lead to online or archived marked state. | |||||
| Any workflow action (including publishing and archiving actions) | |||||
| If none of the above keywords, the action name is taken as is and resolved base on the instance’s workflow |
Further reading
Rights and roles To learn how the default application is configured in terms of roles and permissions
Roles & Permissions To learn how you can use a dedicated user interface to configure roles and permissions