  1. Nuxeo Platform
  2. NXP-30342

Allow for granted users to delete and trash content under retention or legal hold

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 10.10-HF51, 11.5, 2021.7
    • Component/s: Retention
    • Release Notes Summary:
      Only granted users can delete and trash content under retention or legal hold.
    • Upgrade notes:
      The "Remove" permission is no longer granted to anyone (including Administrators) on documents under legal hold or retention.
      As a direct result, the permission enricher no longer includes "Remove" in the permissions it returns for these documents.
      Third-party apps or clients can now rely solely on the presence of the "Remove" permission on the document and stop checking whether the document is under legal hold or retention to prevent its deletion.
      However, if retention is not in compliance mode (i.e. nuxeo.retention.compliance.enabled=false, which is the default), users belonging to the "NuxeoRecordCleaners" group will still have the "Remove" permission listed on documents under retention or legal hold if explicitly granted.
    • Sprint:
      nxApps 2021 Cycle 6

      Description

      User story

      As a platform administrator, I want to configure if a granted user can delete or trash a document under retention and/or legal hold.

      As a user with a specific role, and ONLY if the retention addon is configured to allow it, I can delete a document under retention or under legal hold, so that I can delete content in case of a mistake (wrong retention period) or a legal change with retroactive application.

       

      Description

      The goal is to maintain a high level of security by using retention features while allowing more flexibility (except in Compliance mode), since power users can delete a record under retention or legal hold.

      This improvement requires creating a specific user group: NuxeoRecordCleaners

      To be enabled, this capability requires the following configuration:

      • "Compliance mode" (nuxeo.retention.compliance.enabled in nuxeo.conf) must NOT be enabled (i.e. nuxeo.retention.compliance.enabled must NOT be set to true)
      • the specific group NuxeoRecordCleaners is created from the admin menu

      Acceptance criteria

      When the retention addon is NOT configured in Compliance mode:

      • As a user with ManageRecord permission, I CANNOT delete a document under retention or legal hold
      • As a user with Remove permission but not belonging to the NuxeoRecordCleaners group, I CANNOT delete a document under retention or legal hold
      • As a user with Remove permission and belonging to the NuxeoRecordCleaners group, I can delete a document under retention or legal hold 
      • As an administrator, I CANNOT delete a document under retention or legal hold

       

      • As a user with ManageRecord permission, I CANNOT trash a document under retention or legal hold
      • As a user with Remove permission but not belonging to the NuxeoRecordCleaners group, I CANNOT trash a document under retention or legal hold
      • As a user with Remove permission and belonging to the NuxeoRecordCleaners group, I can trash a document under retention or legal hold 
      • As an administrator, I CANNOT trash a document under retention or legal hold

       

      When the retention addon is configured in Compliance mode (nuxeo.retention.compliance.enabled=true):

      • As a user with ManageRecord permission, I CANNOT delete a document under retention or legal hold
      • As a user with Remove permission but not belonging to the NuxeoRecordCleaners group, I CANNOT delete a document under retention or legal hold
      • As a user with Remove permission and belonging to the NuxeoRecordCleaners group, I CANNOT delete a document under retention or legal hold
      • As an administrator, I CANNOT delete a document under retention or legal hold

       

      • As a user with ManageRecord permission, I CANNOT trash a document under retention or legal hold
      • As a user with Remove permission but not belonging to the NuxeoRecordCleaners group, I CANNOT trash a document under retention or legal hold
      • As a user with Remove permission and belonging to the NuxeoRecordCleaners group, I CANNOT trash a document under retention or legal hold
      • As an administrator, I CANNOT trash a document under retention or legal hold
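
The acceptance criteria above, expressed as a decision model that can seed regression tests for a deployment. This is an added example, not Nuxeo code: the User class, the function names and the sample users are hypothetical, and delete and trash are treated as one decision because the criteria list identical outcomes for both.

```python
from dataclasses import dataclass

CLEANERS_GROUP = "NuxeoRecordCleaners"  # group name from the issue


@dataclass(frozen=True)
class User:  # hypothetical model of a principal, not a Nuxeo class
    name: str
    granted: frozenset = frozenset()  # permissions explicitly granted by ACL
    groups: frozenset = frozenset()
    is_admin: bool = False


def listed_permissions(user, under_retention_or_hold, compliance_enabled=False):
    """Permissions a client should see listed for `user` on one document."""
    perms = set(user.granted)
    if user.is_admin:
        perms.add("Remove")  # assumption: admins hold Remove on ordinary documents
    if under_retention_or_hold:
        # Only an explicit grant plus group membership survives, and never
        # in compliance mode; being an administrator is not enough.
        exempt = (not compliance_enabled
                  and CLEANERS_GROUP in user.groups
                  and "Remove" in user.granted)
        if not exempt:
            perms.discard("Remove")
    return perms


def may_delete_or_trash(perms):
    """Client-side check after this change: presence of "Remove" only."""
    return "Remove" in perms


SAMPLE_USERS = [  # constructed principals, one per acceptance-criteria row
    User("manager", granted=frozenset({"ManageRecord"})),
    User("remover", granted=frozenset({"Remove"})),
    User("cleaner", granted=frozenset({"Remove"}),
         groups=frozenset({CLEANERS_GROUP})),
    User("admin", is_admin=True),
]


def acceptance_matrix():
    """(user, compliance_enabled) -> allowed, for a document under retention."""
    return {(u.name, c): may_delete_or_trash(listed_permissions(u, True, c))
            for u in SAMPLE_USERS for c in (False, True)}


if __name__ == "__main__":
    for key, allowed in acceptance_matrix().items():
        print(key, "can" if allowed else "CANNOT")
```

The only combination that is allowed is the explicitly granted NuxeoRecordCleaners member with compliance mode off; an administrator who is also in that group is a case the criteria do not cover.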
