This was presented as an ignite-style lightning talk at DevCon 2018 in Lisbon. It discusses an open source add-on called ACL Templates which can be used to separate ACL settings from code.
2. Learn. Connect. Collaborate.
Alfresco is missing a feature: ACL Templates
• Many projects start with a spreadsheet that organizes folder structure
• The next step is often defining the permissions that go with that structure
• Usually, permissions are applied in a consistent, predictable way
according to business rules
3. Learn. Connect. Collaborate.
Don’t Repeat Yourself
• When you programmatically create nodes and set permissions, it is
tempting to just make a bunch of API calls and be done
• What happens when you need to set permissions in different places?
– JavaScript versus Java
– Actions versus Behaviors
– Workflows
– Yes, you can centralize this logic in a common “service” class, but…
4. Learn. Connect. Collaborate.
If it might change, why is it in code?
• What happens when the business rules change and a power user wants to
change how permissions are set?
• Build and deploy just because an entry in an ACL is changing from
“Collaborator” to “Consumer”?
• Yuck
5. Learn. Connect. Collaborate.
How Does Everyone Else Do It?
• Many ECM systems allow permission sets to be declared, then applied
when needed
• Now you can do that with Alfresco
• I give you Alfresco ACL Templates!
– https://github.com/conexiam/alfresco-acl-templates
• Dun dun DUN!!!
6. Learn. Connect. Collaborate.
Example: Folders that hold files related to client projects
• /Project 1 for Client A
– /Design Discussion
– /Final Deliverables
– /Status Reports
• /Project 2 for Client A
– /Design Discussion
– /Final Deliverables
– /Status Reports
• /Project 3 for Client B
– /Design Discussion
– /Final Deliverables
– /Status Reports
Project 1 Team: Collaborator
Client A Team: Collaborator
Project 2 Team: Collaborator
Client A Team: Consumer
Project 1 Team: Collaborator
Client A Team: Consumer
Project 2 Team: Collaborator
Client A Team: Collaborator
Project 3 Team: Collaborator
Client B Team: Consumer
Project 3 Team: Collaborator
Client B Team: Collaborator
7. Learn. Connect. Collaborate.
I see a pattern!
There is a group for a project that is always the collaborator.
There is a group for the client that is a Collaborator on some folders and a Consumer on other folders.
That’s potentially two “templates”
8. Learn. Connect. Collaborate.
A Wrinkle: Group can’t be determined at design-time
Uh-oh, variability!
9. Learn. Connect. Collaborate.
Another Wrinkle: Time
Active Projects:
Project 1 Team: Collaborator
Client A Team: Collaborator
Project 2 Team: Collaborator
Client A Team: Consumer
Project 1 Team: Collaborator
Client A Team: Consumer
Project 2 Team: Collaborator
Client A Team: Collaborator
Project 3 Team: Collaborator
Client B Team: Consumer
Project 3 Team: Collaborator
Client B Team: Collaborator
Completed Projects:
Project 1 Team: Consumer
Client A Team: Consumer
Project 2 Team: Consumer
Client A Team: Consumer
Project 1 Team: Consumer
Client A Team: Consumer
Project 2 Team: Consumer
Client A Team: Consumer
Project 3 Team: Consumer
Client B Team: Consumer
Project 3 Team: Consumer
Client B Team: Consumer
10. Learn. Connect. Collaborate.
Alfresco ACL Templates Add-On
• Open source project sponsored by a client called Conexiam
– I maintain it on their behalf at GitHub
• Allows you to declare ACL templates as JSON
– ACL Templates live in the Data Dictionary
• Provides an “ACL Template Service” that you can call from JavaScript or
Java to “apply” a template to a node
14. Learn. Connect. Collaborate.
How do those placeholders work?
• Can specify an authorityTemplate instead of a hard-coded authority
• An authorityTemplate is just a Spring Bean that resolves an authority
template to an actual authority
• Examples:
– What is the correct “project group” for this site?
– What is the correct “client group” for this site?
– Basically anything that can use the nodeRef to resolve the template
15. Learn. Connect. Collaborate.
Add-on ships with one sample authority template resolver
• Site role group resolver
• Returns the site group for a given role
• Example: Always give the Site Collaborator group for this site Consumer
access
• Making your own authority template resolvers is easy
16. Learn. Connect. Collaborate.
Implementing your own authority resolver
• Create a Java class that implements AuthorityResolver
• Inject your dependencies
• Implement public String resolve(NodeRef nodeRef)
• Config in Spring context XML
• Add to authorityResolvers map
17. Learn. Connect. Collaborate.
Example: Site Role Group Authority Resolver
<bean id="authority-template.site-manager-group"
      class="com.conexiam.acl.templates.authority.resolvers.SiteRoleGroupResolver">
    <property name="siteService">
        <ref bean="SiteService" />
    </property>
    <property name="role" value="SiteManager" />
</bean>
18. Learn. Connect. Collaborate.
Example: Site Role Group Authority Resolver
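public String resolve(NodeRef nodeRef) {
    // Find the site that contains this node; null means the node is not in a site
    SiteInfo siteInfo = siteService.getSite(nodeRef);
    if (siteInfo == null) {
        return null;
    }
    // Return the authority name of the site group for the configured role (e.g. SiteManager)
    String siteId = siteInfo.getShortName();
    String siteRoleGroup = siteService.getSiteRoleGroup(siteId, role);
    return siteRoleGroup;
}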
19. Learn. Connect. Collaborate.
Summary
• ACL Templates Add-on
• Declare permissions in JSON, store in Data Dictionary
• Apply permissions using ACL Template Service
• Removes permission logic from code
• Makes it easier for non-technical people to change the permissions your
code sets on nodes it creates
20. Learn. Connect. Collaborate.
Summary
• ACL Templates can have hard-coded authorities, authority templates, or a
mix of both
• Authority templates are resolved with the help of an authority template
resolver class
– Can use properties on the node, or other services to help determine the right
authority
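A model of the flow summarized above, as an added example that is not the add-on's code: templates mix hard-coded authorities with authorityTemplate placeholders, and applying one fails closed when a placeholder cannot be resolved (the sample resolver returns null for a node outside a site). The template ids, the JSON layout beyond authorityTemplate, the group names and the node fields are assumptions.

```javascript
// Model only: plain objects stand in for Alfresco nodes and the add-on's service.
// Template ids, layout, group names and node fields are constructed assumptions.
const templates = {
  "project-shared": { permissions: [
    { authorityTemplate: "project-group", permission: "Collaborator" },
    { authorityTemplate: "client-group", permission: "Collaborator" }] },
  "project-client-readonly": { permissions: [
    { authorityTemplate: "project-group", permission: "Collaborator" },
    { authorityTemplate: "client-group", permission: "Consumer" }] },
  "project-completed": { permissions: [
    { authorityTemplate: "project-group", permission: "Consumer" },
    { authorityTemplate: "client-group", permission: "Consumer" },
    { authority: "GROUP_ALFRESCO_ADMINISTRATORS", permission: "Coordinator" }] }
};

// Resolvers turn a placeholder into a concrete authority using the node, or return null.
const resolvers = {
  "project-group": (node) => (node.project ? `GROUP_${node.project}_TEAM` : null),
  "client-group": (node) => (node.client ? `GROUP_${node.client}_TEAM` : null)
};

function resolveAcl(templateId, node) {
  const template = templates[templateId];
  if (!template) throw new Error(`Unknown ACL template: ${templateId}`);
  return template.permissions.map((entry) => {
    if (entry.authority) return { authority: entry.authority, permission: entry.permission };
    const resolver = resolvers[entry.authorityTemplate];
    const authority = resolver ? resolver(node) : null;
    // Fail closed: skipping the entry would silently apply a different ACL than declared.
    if (!authority) {
      throw new Error(`Cannot resolve "${entry.authorityTemplate}" for ${node.path}`);
    }
    return { authority, permission: entry.permission };
  });
}

function applyTemplate(templateId, node) {
  const acl = resolveAcl(templateId, node); // resolve every entry before changing the node
  node.acl = acl; // replace, not append, so an earlier Collaborator grant does not linger
  return node;
}

// Demo: an active project folder, then the same folder after the project completes.
const demoNode = { path: "/Project 1 for Client A/Status Reports",
  project: "PROJECT_1", client: "CLIENT_A", acl: [] };
applyTemplate("project-client-readonly", demoNode);
applyTemplate("project-completed", demoNode);
console.log(demoNode.acl);
```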
21. Learn. Connect. Collaborate.
Support the Community!
• This add-on was funded by a Metaversant client called Conexiam
• Per their request, we did all of their Alfresco customizations in the open
• Check out the other related repositories at https://github.com/Conexiam
• Let me know if you have any questions!
• @jeffpotts01