Details
-
Story
-
Resolution: Fixed
-
Neutral
-
None
-
None
-
AdminX 36
-
3
-
Yes
Description
config:
magnolia.auth.permission.app.[permission-name].access=[ALLOW|DENY]
magnolia.auth.permission.app.[permission-name].app-name=[magnolia-app-name]
magnolia.auth.permission.app.[permission-name].policy=[policy-name]
magnolia.auth.permission.app.[permission-name].subapp-name=[magnolia-subapp-name]
magnolia.auth.permission.app.[permission-name].actions=[action names separated by commas]
Evaluator rules:
- If access is not specified, we should deny access.
- The most specific permission should have priority over the generic permission.
There is a hierarchical order that defines whether a permission is generic or specific: app-name -> subapp -> actions
- If subapp-name or actions are not specified, assume all
- If the user has 2 conflicting permissions for the same resource (set of resources), apply the most restrictive one: DENY
e.g. 1
magnolia.auth.permission.app.permission1.access=DENY
magnolia.auth.permission.app.permission1.app-name=pages-app
magnolia.auth.permission.app.permission1.policy=default
-> denies access to the app itself (the config does not do anything special, as the default access is deny)
e.g. 2
magnolia.auth.permission.app.permission2.access=ALLOW
magnolia.auth.permission.app.permission2.app-name=pages-app
magnolia.auth.permission.app.permission2.subapp-name=browser
magnolia.auth.permission.app.permission2.policy=browser-read-only
-> allows the user to enter only the browser subapp, but all the actions will be unavailable
e.g. 3
magnolia.auth.permission.app.permission3.access=ALLOW
magnolia.auth.permission.app.permission3.app-name=pages-app
magnolia.auth.permission.app.permission3.subapp-name=browser
magnolia.auth.permission.app.permission3.actions=add, preview
magnolia.auth.permission.app.permission3.policy=editor-browser-availabilities
-> allows the user to enter only the browser subapp, where only the add and preview actions are available
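The evaluator rules above, sketched as an added Python example (not Magnolia's implementation and not code from this issue). It evaluates action requests only and ignores `policy`, whose semantics the description does not define; permission4 to permission6, the `detail` subapp and `assets-app` are constructed for illustration.

```python
PREFIX = "magnolia.auth.permission.app."

# Constructed sample: permission1 and permission3 follow e.g. 1 and e.g. 3 (policy
# lines left out); permission4-6, "detail" and "assets-app" are hypothetical.
SAMPLE = """
magnolia.auth.permission.app.permission1.access=DENY
magnolia.auth.permission.app.permission1.app-name=pages-app
magnolia.auth.permission.app.permission3.access=ALLOW
magnolia.auth.permission.app.permission3.app-name=pages-app
magnolia.auth.permission.app.permission3.subapp-name=browser
magnolia.auth.permission.app.permission3.actions=add, preview
magnolia.auth.permission.app.permission4.access=ALLOW
magnolia.auth.permission.app.permission4.app-name=pages-app
magnolia.auth.permission.app.permission4.subapp-name=detail
magnolia.auth.permission.app.permission5.access=DENY
magnolia.auth.permission.app.permission5.app-name=pages-app
magnolia.auth.permission.app.permission5.subapp-name=detail
magnolia.auth.permission.app.permission6.app-name=assets-app
"""

def parse(text):
    """Group flat properties into {permission-name: {field: value}}."""
    perms = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        rest = key[len(PREFIX):]
        if sep and key.startswith(PREFIX) and "." in rest:
            name, field = rest.rsplit(".", 1)
            perms.setdefault(name, {})[field] = value.strip()
    return perms

def matches(perm, app, subapp, action):
    """An unspecified subapp-name or actions field covers all subapps/actions."""
    actions = perm.get("actions")
    return (perm.get("app-name") == app
            and perm.get("subapp-name", subapp) == subapp
            and (actions is None or action in [a.strip() for a in actions.split(",")]))

def evaluate(perms, app, subapp, action):
    """Most specific match wins; a tie containing any non-ALLOW yields DENY."""
    hits = [(("subapp-name" in p) + ("actions" in p), p.get("access", "DENY").upper())
            for p in perms.values() if matches(p, app, subapp, action)]
    if not hits:
        return "DENY"  # no matching permission: default deny
    top = max(spec for spec, _ in hits)
    return "ALLOW" if all(acc == "ALLOW" for spec, acc in hits if spec == top) else "DENY"
```

A permission with no `access` key and an unrecognised `access` value both fall through to DENY, so a typo in the properties file fails closed.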
Issue Links
- is depended upon by
-
CNTCTSAPP-122 Make content apps jcr security independent
-
- Accepted
-