Deny Access to a Folder
Introduction
Goal
Deny a group access to a specific folder in the content repository.
Use Case
The use case is based on a Hippo project created using the Maven archetype, with the News feature added.
Such a project contains two root content folders:
- /content/documents/myhippoproject
Contains the news articles. - /content/documents/administration
Contains resource bundles to manage static labels on the website.
By default the 'editor' group has editor privileges on both folders, and the 'author' group has author privileges in both folders.
You want to deny the 'author' group access to the administration folder, while the 'editor' group retains all its privileges.
Strategy
To be able to deny access to the administration folder you will customize the default security domains as follows:
- Exclude the administration folder from the default hippodocuments and hippofolders domains.
- Define a new domain administrationdocuments that includes only the administration folder.
- Assign the 'editor' group editor privileges on the administrationdocuments domain.
Customize Security Domains
Exclude the Folder from the Default Domains
Log in to the Console as 'admin'.
At /hippo:configuration/hippo:domains/hippodocuments/hippo-document add a new facet rule exclude-administration-folder:
/hippo:configuration/hippo:domains/hippodocuments/hippo-document: /exclude-administration-folder: jcr:primaryType: hipposys:facetrule hipposys:equals: false hipposys:facet: jcr:path hipposys:filter: false hipposys:type: Reference hipposys:value: /content/documents/administration
At /hippo:configuration/hippo:domains/hippofolders/hippostd-folder add the same facet rule exclude-administration-folder:
/hippo:configuration/hippo:domains/hippofolders/hippostd-folder: /exclude-administration-folder: jcr:primaryType: hipposys:facetrule hipposys:equals: false hipposys:facet: jcr:path hipposys:filter: false hipposys:type: Reference hipposys:value: /content/documents/administration
Create a New Domain for the Folder
At /hippo:configuration/hippo:domains add a new security domain administrationdocuments:
/hippo:configuration/hippo:domains: /administrationdocuments: jcr:primaryType: hipposys:domain /hippo-document: jcr:primaryType: hipposys:domainrule /hide-prototypes: jcr:primaryType: hipposys:facetrule hipposys:equals: false hipposys:facet: nodename hipposys:filter: false hipposys:type: Name hipposys:value: hipposysedit:prototype /include-administration-folder: jcr:primaryType: hipposys:facetrule hipposys:equals: true hipposys:facet: jcr:path hipposys:filter: false hipposys:type: Reference hipposys:value: /content/documents/administration /nodetype-hippo-document: jcr:primaryType: hipposys:facetrule hipposys:equals: true hipposys:facet: nodetype hipposys:filter: false hipposys:type: Name hipposys:value: hippo:document
Grant Permissions
Grant the Admin and Editors Groups Editor Privileges on the New Domain
Log in to the CMS as 'admin'.
Browse to the Admin perspective.
Select 'Permissions'.
Grant the group 'admin' editor privileges in the administrationdocuments domain.
Grant the group 'editor' editor privileges in the administrationdocuments domain.
Log out.
Verify Permissions
Log in to the CMS as 'editor'.
Verify that you can browse to the administration folder and can edit documents inside the administration folder.
Log out.
Log in to the CMS as 'author'.
Verify that you can't see the administration folder.