
Creative workflow with security from security.xml

Here you will find the current permissions by role (as provided with the starter-kit) transcribed into readable text. This way we hope you can set up appropriate security rules for the creative workflow while using a security configuration from security.xml.

Role 27: Administrator

 Permission details : readable text view

View Action:

  • Objects: collaborativebrief, collaborativespace, massimportitem, massimportjob, massimportpreviousitem.

  • Permission: Any user can view objects regardless of status or ownership.

Delete Action:

  • Objects: collaborativebrief, collaborativespace, massimportitem, massimportjob, massimportpreviousitem.

  • Permission: Any user can delete objects regardless of status or ownership.

Insert Action:

  • Objects: collaborativebrief, collaborativespace, massimportitem, massimportjob, massimportpreviousitem.

  • Permission: User can create a fresh instance (eg click on the “New” button)

Update Action:

  • Objects: collaborativebrief, collaborativespace, massimportitem, massimportjob, massimportpreviousitem.

  • Permission: Any user can update objects regardless of status or ownership.

Change Status Action:

  • Objects: collaborativebrief, collaborativespace, massimportitem, massimportjob, massimportpreviousitem.

  • Permission: Any workflow action, such as publishing or archiving, can change the status of objects, regardless of current status or ownership.

 Permission details : technical view

Action : view, permission = $anystatus/$anyowner

for objects :

  • collaborativebrief

  • collaborativespace

  • massimportitem

  • massimportjob

  • massimportpreviousitem


Action : delete, permission = $anystatus/$anyowner

for objects :

  • collaborativebrief

  • collaborativespace

  • massimportitem

  • massimportjob

  • massimportpreviousitem


Action : insert, permission = $newcreation

for objects :

  • collaborativebrief

  • collaborativespace

  • massimportitem

  • massimportjob

  • massimportpreviousitem


Action : update, permission = $anystatus/$anyowner

for objects :

  • collaborativebrief

  • collaborativespace

  • massimportitem

  • massimportjob

  • massimportpreviousitem


Action : changestatus, permission = $anyaction/$anystatus/$anyowner

for objects :

  • collaborativebrief

  • collaborativespace

  • massimportitem

  • massimportjob

  • massimportpreviousitem


Role 28 : Contributor

 Permission details : readable text view

View Action:

  • Objects: collaborativespace, massimportitem, massimportjob

  • Permission:

    • Any user can view these objects if they are the owner.

    • Any user can view these objects if they are the team leader.

    • Any user can view these objects if they are a team member.

  • Objects: massimportpreviousitem, collaborativebrief

  • Permission:

    • Any user can view these objects regardless of ownership.

Insert Action:

  • Objects: collaborativebrief, collaborativespace, massimportitem, massimportjob, massimportpreviousitem

  • Permission:

    • User can create a fresh instance (eg click on the “New” button)

Update Action:

  • Objects: massimportitem, massimportjob

  • Permission:

    • Any user can update these objects if they are the owner.

    • Any user can update these objects if they are the team leader.

    • Any user can update these objects if they are a team member.

  • Objects: collaborativespace

  • Permission:

    • Any user can update Collaborative Spaces if they are the owner.

    • Any user can update Collaborative Spaces if they are the team leader.

  • Objects: massimportpreviousitem

  • Permission:

    • Any user can update massimportpreviousitem regardless of ownership.

Delete Action:

  • Objects: collaborativespace, massimportitem, massimportjob, collaborativebrief

  • Permission:

    • Any user can delete these objects if they are the owner.

    • Any user can delete these objects if they are the team leader.

  • Objects: massimportpreviousitem

  • Permission:

    • Any user can delete massimportpreviousitem regardless of ownership.

Change Status Action:

  • Objects: collaborativespace, massimportjob

  • Permission:

    • Any workflow action can change the status of these objects if they are the owner.

    • Any workflow action can change the status of these objects if they are the team leader.

  • Objects: massimportitem

  • Permission:

    • Any workflow action can change the status of massimportitem if the user is the team leader.

  • Objects: massimportpreviousitem, collaborativebrief

  • Permission:

    • Any workflow action can change the status of these objects regardless of ownership.

 Permission details : technical view

Action : view

for objects :

  • collaborativespace

  • massimportitem

  • massimportjob

Permission:

  • $anystatus/$selfowner

  • $anystatus/$teamleader

  • $anystatus/$teammember

for objects :

  • massimportpreviousitem

  • collaborativebrief

Permission :

  • $anystatus/$anyowner




Action : insert

for objects :

  • collaborativebrief

  • collaborativespace

  • massimportitem

  • massimportjob

  • massimportpreviousitem

permission :

  • $newcreation



Action : update

for objects :

  • massimportitem

  • massimportjob

permission :

  • $anystatus/$selfowner

  • $anystatus/$teamleader

  • $anystatus/$teammember

for objects :

  • collaborativespace

permission :

  • $anystatus/$selfowner

  • $anystatus/$teamleader

for objects :

  • massimportpreviousitem

permission :

  • $anystatus/$anyowner

for objects :

  • collaborativebrief

permission :

  • $anystatus/$selfowner



Action : Delete

for objects :

  • collaborativespace

  • massimportitem

  • massimportjob

permission :

  • $anystatus/$selfowner

  • $anystatus/$teamleader

for objects :

  • massimportpreviousitem

permission :

  • $anystatus/$anyowner

for objects :

  • collaborativebrief

permission :

  • $anystatus/$selfowner



Action : Changestatus

for objects :

  • collaborativespace

  • massimportjob

permission :

  • $anyaction/$anystatus/$selfowner

  • $anyaction/$anystatus/$teamleader

for objects :

  • massimportitem

permission:

  • $anyaction/$anystatus/$teamleader

for objects :

  • massimportpreviousitem

permission:

  • $anyaction/$anystatus/$anyowner

for objects :

  • collaborativebrief

permission :

  • $anyaction/$anystatus/$selfowner


Role 29 : Reader

 Permission details : readable text view

View Action:

  • Objects: collaborativespace, massimportitem, massimportjob

  • Permission:

    • Any user can view these objects if they are the owner.

    • Any user can view these objects if they are a team member.

  • Objects: massimportpreviousitem, collaborativebrief

  • Permission:

    • Any user can view these objects regardless of ownership.

Insert Action:

  • Objects: collaborativebrief, collaborativespace, massimportjob

  • Permission:

    • Insertion is never allowed.

  • Objects: massimportitem, massimportpreviousitem

  • Permission:

    • User can create a fresh instance (eg click on the “New” button)

Update Action:

  • Objects: collaborativebrief, collaborativespace

  • Permission:

    • Updating is never allowed.

  • Objects: massimportitem, massimportjob

  • Permission:

    • Any user can update these objects if they are a team member or the owner.

  • Objects: massimportpreviousitem

  • Permission:

    • Any user can update massimportpreviousitem if they are the owner.

Delete Action:

  • Objects: collaborativebrief, collaborativespace, massimportjob

  • Permission:

    • Deletion is never allowed.

  • Objects: massimportitem

  • Permission:

    • Deletion is allowed only for self-owned items.

  • Objects: massimportpreviousitem

  • Permission:

    • Any user can delete massimportpreviousitem if they are the owner.

Change Status Action:

  • Objects: massimportpreviousitem

  • Permission:

    • No permission for changing status.

  • Objects: massimportitem

  • Permission:

    • Any workflow action can change the status of massimportitem if the user is the owner.

  • Objects: collaborativespace, massimportjob, collaborativebrief

  • Permission:

    • Changing status is never allowed.

 Permission details : technical view

Action : View

for objects :

  • collaborativespace

  • massimportitem

  • massimportjob

permission :

  • $anystatus/$selfowner

  • $anystatus/$teammember

for objects :

  • massimportpreviousitem

  • collaborativebrief

permission :

  • $anystatus/$anyowner

Action : Insert

for objects :

  • collaborativebrief

  • collaborativespace

  • massimportjob

permission :

  • $never

for objects :

  • massimportitem

  • massimportpreviousitem

permission :

  • $newcreation

Action : Update

for objects :

  • collaborativebrief

  • collaborativespace

permission :

  • $never

for objects :

  • massimportitem

  • massimportjob

permission :

  • $anystatus/$teammember

  • $anystatus/$selfowner

for objects :

  • massimportpreviousitem

permission :

  • $anystatus/$selfowner

Action : Delete

for objects :

  • collaborativebrief

  • collaborativespace

  • massimportjob

permission :

  • $never

for objects :

  • massimportitem

permission :

  • 3/$selfowner

for objects :

  • massimportpreviousitem

permission :

  • $anystatus/$selfowner

Action : Changestatus

for objects :

  • massimportpreviousitem

permission :

  • no permission

for objects :

  • massimportitem

permission :

  • $anyaction/$anystatus/$selfowner

for objects :

  • collaborativebrief

  • collaborativespace

  • massimportjob

permission :

  • $never

Permission keywords :

  • $anystatus: Any state

  • $anyowner: No restriction on ownership

  • $newcreation: Creating a fresh instance (eg click on the “New” button)

  • $anyaction: Any workflow action (including publishing and archiving actions)

  • $teammember : surfer is in the instance’s team property value

    Keyword’s activation conditions :

    • The structure must have this tag : pkg/security/collaborative

    • The structure must have a team property which is a childmultilngdb of user

  • $teamleader : surfer is the team’s leader

    Keyword’s activation conditions :

    • The structure must have this tag : pkg/security/collaborative

    • The structure must have a jobowner property which is a child of user

  • $never : surfer not allowed
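To check a role's rules before putting them in security.xml, it helps to evaluate the keyword clauses against sample instances. The evaluator below is an added example, not the product's own security engine: it assumes that a clause such as $anyaction/$anystatus/$selfowner holds only when every keyword in it holds (as the readable text views above read them), that the team leader is the instance's jobowner property and team members are the team property value (as in the activation conditions above), and that any (role, action, object) combination not listed is denied. The RULES table copies a few cells from the Reader and Contributor technical views; the object records are constructed for the example.

```python
# Added example: evaluator for security.xml-style permission clauses.
# RULES and the sample objects are constructed here; they are not the
# product's API.

ANY_STATUS, ANY_OWNER, SELF, LEADER, MEMBER, NEVER, NEW, ANY_ACTION = (
    "$anystatus", "$anyowner", "$selfowner", "$teamleader",
    "$teammember", "$never", "$newcreation", "$anyaction")

# Subset of Role 29 (Reader) and Role 28 (Contributor) from the technical
# views: role -> action -> object type -> list of allowed clauses.
RULES = {
    "reader": {
        "changestatus": {"massimportitem": ["$anyaction/$anystatus/$selfowner"],
                         "collaborativespace": ["$never"]},
        "update": {"massimportpreviousitem": ["$anystatus/$selfowner"]},
    },
    "contributor": {
        "delete": {"collaborativespace": ["$anystatus/$selfowner",
                                          "$anystatus/$teamleader"]},
    },
}


def keyword_holds(kw, surfer, obj):
    """Evaluate one keyword for the current user ('surfer') and one instance."""
    if kw in (ANY_STATUS, ANY_OWNER, ANY_ACTION, NEW):
        return True              # no restriction on status, owner or action
    if kw == NEVER:
        return False
    if kw == SELF:
        return obj.get("owner") == surfer
    if kw == LEADER:             # leader = the instance's jobowner property
        return obj.get("jobowner") == surfer
    if kw == MEMBER:             # member = listed in the team property value
        return surfer in obj.get("team", [])
    raise ValueError(f"unknown keyword {kw!r}")


def allowed(role, action, obj, surfer):
    """True if at least one clause for (role, action, object type) holds.
    A clause '$a/$b' holds only when every keyword holds (assumption);
    an unlisted combination is denied."""
    clauses = RULES.get(role, {}).get(action, {}).get(obj["type"], [])
    return any(all(keyword_holds(k, surfer, obj) for k in c.split("/"))
               for c in clauses)
```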

Setting Up Permissions and Roles

Status of assets created with the creative workflow

The current behavior is configured by a damutils configuration, which enables the transition of all assets created through the creative workflow to the published status (ID 6).

The actual configuration :

        {
            "objectSelector": "#damobject",
            "preventGuard": {
                "classAlias": "negate",
                "input": {
                    "preset": "canPublish"
                }
            },
            "workflowTrigger": [
                "publish"
            ]
        }

This configuration only works for the assets created from the creative workflow because :

  • We fill tmpsource with “massimport” on the item (before asset creation), so the created asset carries a tmpsource value, which is removed just after the status change.

  • The user has enough rights to change the status of the asset.

So if you want to change the status of assets created with the creative workflow, you will have to change the action called in workflowTrigger.

If a new workflow status is added, how will notifications behave?

We currently send an email notification on each status change, either to each team member or only to the owner, according to the value of PACKAGED_CreativeWorkflow.send_notification_to_team.

Here you will find more detailed information about the notification system setup for the creative workflow.

As status change email notifications are based on the delayed notification system, if you want to add a customized behaviour for a specific status (for example), you will have to create your own Groovy script (you can check existing ones for inspiration) and update the configuration of PACKAGED_CreativeWorkflow.batch_topics_processors, following the instructions described in the link provided above.
