hi yes that mixin exists. but the CugValidatorProvider is performs additional validation and doesn't allow for usage of the reserved names if the mixin is not there... so we cannot limit the evaluation to nodes that have the mixin type set (or inherited through super-type). see http://jackrabbit.apache.org/oak/docs/security/authorization/cug.html for details.
kind regards angela On 22/02/17 14:26, "Marcel Reutegger" <mreut...@adobe.com> wrote: >Hi, > >On 22/02/17 12:57, Chetan Mehrotra wrote: >> One possible approach is to mark the parent with a specific hidden >> property which has such a node upon addition. This would avoid the >> negative lookup in case of updates > >Alternatively we could also mark the parent node with a mixin. This >would be similar to nodes that can have a rep:policy child nodes. In >that case the parent node is rep:AccessControllable. > >At least for rep:cugPolicy nodes this seems to be the case already. The >node type registry of my Oak 1.6 repository says: > >[rep:CugMixin] > mixin > + rep:cugPolicy (rep:CugPolicy) protected ignore > >[rep:CugPolicy] > rep:Policy > - rep:principalNames (string) mandatory protected multiple ignore > > >Regards > Marcel
