Hi Alex,

principal-based ACLs do not ease the setup. The real problem is that the nodes with the different types are mixed in the hierarchies. So even with principal-based ACLs I have to define the ACLs for each path separately, which is not much easier to maintain than the resource-based ACLs.

Regards,
Markus

On Tue, Oct 11, 2011 at 12:15 AM, Alexander Klimetschek <[email protected]> wrote:
> On 10.10.11 23:02, "Markus Joschko" <[email protected]> wrote:
>
>>Hi,
>>In my repository I have a structure that has many deep branches.
>>Within these branches there are three different types of nodes.
>>Each type is maintained by another group of users. These groups can be
>>configured per branch
>>(it's a bit like in a file system where one group can only maintain
>>the folders and the other group only the files in a branch).
>>
>>Now the question is how to best handle the access control here.
>>I can:
>>- either add an ace to each and every node in the repository and pay
>>the price that I have to maintain a lot of them in case ownership of a
>>branch changes or subbranches are moved into different branches.
>>- find a way to hook into the accesscontrol mechanism of jackrabbit to
>>make this easier. So far I have failed to find a good way to do so.
>> I initially thought about introducing custom privileges that can be
>>used as markers and then extend the ACLProvider to take these
>>privileges also into account when calculating permissions.
>> However from looking at the code it seems to me, that custom
>>privileges can only be defined as aggregates of existing privileges
>>and then also the aggregate can not exist twice. I guess it is not a
>>good idea to create artificial aggregates just to define new privileges.
>>- an alternative might be to create new accesscontrol entries that do
>>not only have path restrictions but also nodetype restrictions.
>>However that seems to be quite invasive and a lot of work.
>>
>>Any other ideas how to tackle that problem?
>
> Principal-based ACLs maybe?
>
> Alex
>
> --
> Alexander Klimetschek
> Developer // Adobe (Day) // Berlin - Basel
