Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-4532

Make it possible to define administrators group(s)

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 5.3 GA
    • Fix Version/s: 5.3.1
    • Component/s: None
    • Impact type:
      API change
    • Upgrade notes:
      Hide

      Added UserManager#getAdministratorsGroups returning by default "administrators" for compatibility. New defined administrators groups are aslo taken into account.
      Added SearchPrincipal#isAdministrator for consistency in case this method is needed using the core session as search backend.
      Added SecurityConstants#SYSTEM_USERNAME to replace existing hardcoded references to the system user

      Show
      Added UserManager#getAdministratorsGroups returning by default "administrators" for compatibility. New defined administrators groups are aslo taken into account. Added SearchPrincipal#isAdministrator for consistency in case this method is needed using the core session as search backend. Added SecurityConstants#SYSTEM_USERNAME to replace existing hardcoded references to the system user

      Description

      Currently the user manager configuration makes it possible to define the default administrator id and default group.
      If any group can be set the "manage everything" permission at the root of the application, or if any virtual user can be put in the "administrators" group, it's not possible to give it rights to access vocabulary management for instance, as this is hardcoded to use the "administrators" group.

      So it should be possible to define a list of groups (virtual or not) as "administrators" and remove hardcoded references to this group in nuxeo code.

      This should be configurable on the user manager, by adding any number of group names to be considered as administrators:

      <administratorsGroup>group1</administratorsGroup>
      <administratorsGroup>group2</administratorsGroup>

      As the current administrators group is used in specific use cases, these groups will be also used when blocking rights inheritance.

      The "administrators" group is still considered for consistency, but it should be possible to disable it by using:
      <disableDefaultAdministratorsGroup>true</disableDefaultAdministratorsGroup>

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                PagerDuty

                Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.