Security Domains
A security domain is a definition of a set of nodes in the repository in which users and groups are bound to roles which grant them certain permissions.
Domains Configuration
The domains are stored in the repository as children of the node /hippo:configuration/hippo:domains. Domain rules consisting of facet rules define a set of nodes in the repository. Auth role nodes assign permissions to users and groups for that set of nodes.
Structure
/hippo:configuration: /hippo:domains: /mydomain: /mydomainruleA: /myfacetruleA: /myfacetruleB: /mydomainruleB: /myfacetruleC: /myfacetruleD: /myfacertuleE: /mydomainruleC: /myfacetruleF: /hippo:authrole: /hippo:authrole:
A node is a member of a domain if it matches at least one of the domain rules; it matches a domain rule if it matches all facet rules of the domain rule.
Nodes
hippo:domain
|
Name |
Type |
Required |
Description |
|---|---|---|---|
|
node name |
String |
yes |
the domain name |
The hipposys:domain can hold multiple hipposys:domainrule and hipposys:authrole nodes.
hipposys:domainrule
|
Name |
Type |
Required |
Description |
|---|---|---|---|
|
node name |
String |
yes |
hippo:domainrule |
The hipposys:domainrule can hold multiple hipposys:facetrule nodes.
hippo:facetrule
|
Name |
Type |
Required |
Description |
|---|---|---|---|
|
node name |
String |
yes |
hipposys:facetrule |
|
hipposys:facet |
String |
yes |
The name of the facet to match. There are two special values possible:
The use of the facet hippo:paths is no longer recommended because it only matches nodes that have a hippo:paths property, potentially leaving nodes unsecured. Use jcr:path instead. |
|
hipposys:value |
String |
yes |
The value of the facet to match. Four special values can be used:
|
|
hipposys:type |
String |
yes |
The property type of the facet. Must be either String, Name or Reference. |
|
hipposys:equals |
Boolean |
yes |
Whether the value must match or must not match. If set to false the hippo:facetrule is only effective if the facet actually exists. |
|
hipposys:filter |
Boolean |
no |
Whether the facet must exist to create a match. If set to true the hippo:facetrule is only effective if the facet actually exists. |
The effect and usage of the hipposys:filter property is tricky and only needed for one specific condition, when hipposys:equals=true but the facet doesn't exist, as shown in the table below. For that condition using hipposys:filter=true will include the node, otherwise it will be excluded.
| hipposys:filter=false (default) | hipposys:filter=true | |||
| facet exists | facet doesn't exist | facet exists | facet doesn't exist | |
| hipposys:equals=true | match: include !match: exclude |
exclude | match: include !match: exclude |
include |
| hipposys:equals=false | match: exclude match: include |
include | match: exclude !match: include |
include |
hipposys:authrole
|
Name |
Type |
Required |
Description |
|---|---|---|---|
|
node name |
String |
yes |
hippo:authrole |
|
hipposys:role |
String |
yes |
The role to assign to users or groups in the domain. |
|
hipposys:users |
String |
no |
The users that have the role in the domain. |
|
hipposys:groups |
String |
no |
The groups that have the role in the domain. |