This article covers a Bloomreach Experience Manager version 13. There's an updated version available that covers our most recent release.

Security Domains

A security domain is a definition of a set of nodes in the repository in which users and groups are bound to roles which grant them certain permissions.

Domains Configuration

The domains are stored in the repository as children of the node /hippo:configuration/hippo:domains. Domain rules consisting of facet rules define a set of nodes in the repository. Auth role nodes assign permissions to users and groups for that set of nodes.

Structure

/hippo:configuration:
  /hippo:domains:
    /mydomain:
      /mydomainruleA:
        /myfacetruleA:
        /myfacetruleB:
      /mydomainruleB:
        /myfacetruleC:
        /myfacetruleD:
        /myfacertuleE:
      /mydomainruleC:
        /myfacetruleF:
      /hippo:authrole:
      /hippo:authrole:

A node is a member of a domain if it matches at least one of the domain rules; it matches a domain rule if it matches all facet rules of the domain rule.

Nodes

hippo:domain

Name

Type

Required

Description

node name

String

yes

the domain name

The hipposys:domain can hold multiple hipposys:domainrule and hipposys:authrole nodes.

hipposys:domainrule

Name

Type

Required

Description

node name

String

yes

hippo:domainrule

The hipposys:domainrule can hold multiple hipposys:facetrule nodes.

hippo:facetrule

Name

Type

Required

Description

node name

String

yes

hipposys:facetrule

hipposys:facet

String

yes

The name of the facet to match. There are two special values possible:

  1. nodetype : matches all nodes of the type specified in hipposys:value.
  2. jcr:uuid: matches the node at the absolute path specified in hipposys:value.
    Note that hipposys:type must be Reference.
  3. jcr:path: matches all nodes that are either at, or a descendant of the absolute path specified in by hipposys:value.
    Note that hipposys:type must be Reference.

The use of the facet hippo:paths is no longer recommended because it only matches nodes that have a hippo:paths property, potentially leaving nodes unsecured. Use jcr:path instead.

hipposys:value

String

yes

The value of the facet to match. Four special values can be used:

  • * : match everything
  • __role__: match the current user's role (for the domain)
  • __user__: match the current username
  • __group__: match any of the current user's groups

hipposys:type

String

yes

The property type of the facet. Must be either String, Name or Reference.

hipposys:equals

Boolean

yes

Whether the value must match or must not match. If set to false the hippo:facetrule is only effective if the facet actually exists.

hipposys:filter

Boolean

no

Whether the facet must exist to create a match. If set to true the hippo:facetrule is only effective if the facet actually exists.

The effect and usage of the hipposys:filter property is tricky and only needed for one specific condition, when hipposys:equals=true but the facet doesn't exist, as shown in the table below. For that condition using hipposys:filter=true will include the node, otherwise it will be excluded.

  hipposys:filter=false (default) hipposys:filter=true
facet exists facet doesn't exist facet exists facet doesn't exist
hipposys:equals=true match: include
!match: exclude
exclude match: include
!match: exclude
include
hipposys:equals=false match: exclude
match: include
include match: exclude
!match: include
include

hipposys:authrole

Name

Type

Required

Description

node name

String

yes

hippo:authrole

hipposys:role

String

yes

The role to assign to users or groups in the domain.

hipposys:users

String

no

The users that have the role in the domain.

hipposys:groups

String

no

The groups that have the role in the domain.

Examples

Did you find this page helpful?
How could this documentation serve you better?
On this page
    Did you find this page helpful?
    How could this documentation serve you better?