Author: angela
Date: Wed Jun 17 09:58:05 2015
New Revision: 1685980

URL: http://svn.apache.org/r1685980
Log:
OAK-2997 : Document mapping between built-in privileges and API calls + items

Added:
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoitems.md
      - copied, changed from r1685932, jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mapping.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md
Removed:
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mapping.md
Modified:
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md?rev=1685980&r1=1685979&r2=1685980&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md 
(original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md Wed 
Jun 17 09:58:05 2015
@@ -119,7 +119,8 @@ Please note the following differences wi
 - `jcr:modifyProperties` is now an aggregation of `rep:addProperties`, 
`rep:alterProperties` and `rep:removeProperties`
 
 An overview on how the built-in privileges map to API calls and individual 
items
-can be found [here](privilege/mapping.html)
+can be found in ['Mapping Privileges to Items'](privilege/mappingtoitems.html)
+and ['Mapping API Calls to Privileges'](privilege/mappingtoprivileges.html)
 
 ##### New Privileges
 
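Review bot: the rewritten sentence at `+can be found in ['Mapping Privileges to Items'](privilege/mappingtoitems.html)` / `+and ['Mapping API Calls to Privileges'](privilege/mappingtoprivileges.html)` still ends without a period, and the unchanged lead-in reads "An overview on how"; suggest "An overview of how the built-in privileges map to API calls and individual items can be found in ... and ...." The single quotes inside the link text are also unusual for this doc set; `[Mapping Privileges to Items](privilege/mappingtoitems.html)` is the plain form.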

Copied: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoitems.md (from r1685932, jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mapping.md)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoitems.md?p2=jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoitems.md&p1=jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mapping.md&r1=1685932&r2=1685980&rev=1685980&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mapping.md 
(original)
+++ 
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoitems.md
 Wed Jun 17 09:58:05 2015
@@ -14,68 +14,69 @@
    See the License for the specific language governing permissions and
    limitations under the License.
   -->
-### Privilege Management : Mapping Privileges to API Calls and Items
+### Privilege Management : Mapping Privileges to Items
 
-The following table allows to identify which API calls require which type of
-privilege(s) and also list the affect items.
+The following table allows to identify which items will be affected by the
+invididual built in privileges.
+
+Note: the term _regular_ is used on contrast to _protected_ items that are 
written
+using special API calls and thus mandate special privileges or are maintained
+by the system only and cannot be modified by the API consumer.
 
 #### Read
 
-| Privilege             | API Calls                            | Affected 
Items    |
-|-----------------------|----------------------------------------------------------|
-| rep:readNodes         | all operations reading nodes         | all nodes 
except for access control content (see below) |
-| rep:readProperties    | all operations reading properties    | all 
properties except for access control content (see below) |
-| jcr:readAccessControl | 
`AccessControlManager.getApplicablePolicies`,`AccessControlManager.getPolicies`,
 `AccessControlManager.getEffectivePolicies` | all nodes and properties that 
defined access control content (details are implementation specific) |
+| Privilege             | Affected Items                                       
 |
+|-----------------------|-------------------------------------------------------|
+| rep:readNodes         | all nodes except for access control content          
 |
+| rep:readProperties    | all properties except for access control content     
 |
+| jcr:readAccessControl | all items defining access control content (see 
below) |
 
 #### Writing Properties
 
-| Privilege             | API Calls                            | Affected 
Items    |
-|-----------------------|----------------------------------------------------------|
-| rep:addProperties     | `Node.setProperty`                   | all regular 
(non-protected) properties that do not yet exist |
-| rep:alterProperties   | `Property.setValue`, `Node.setProperty` | all 
regular (non-protected) properties that already exist |
-| rep:removeProperties  | `Property.remove`, `Node.setProperty(String, null)`, 
`JackrabbitSession.removeItem` (if item is a property) | all regular 
(non-protected) properties that do exist |
-
+| Privilege             | Affected Items                                       
 |
+|-----------------------|-------------------------------------------------------|
+| rep:addProperties     | creation of new regular properties                   
 |
+| rep:alterProperties   | changing existing regular properties                 
 |
+| rep:removeProperties  | removing existing regular properties                 
 |
 
 #### Writing Nodes
 
-| Privilege             | API Calls                            | Affected 
Items    |
-|-----------------------|----------------------------------------------------------|
-| jcr:addChildNodes     | `Node.addNode`                       | granted on 
parent to create regular (non-protected) nodes |
-| jcr:removeChildNodes  | `Node.remove`, `JackrabbitSession.removeItem` (if 
item is a node) | granted on parent to remove regular (non-protected) nodes |
-| rep:removeNode        | `Node.remove`, `JackrabbitSession.removeItem` (if 
item is a node) | granted on the regular (non-protected) node to be removed |
-| jcr:nodeTypeManagement| `Node.addNode(String, String)`, 
`Node.setPrimaryType`, `Node.addMixin`, `Node.removeMixin` | explicitly setting 
or modifying node type information on a regular (non-protected) node; affected 
properties are `jcr:primaryType`, `jcr:mixinTypes` |
-
-Please node the following special cases:
-
-- Reorder: `Node.orderBefore` requires `jcr:removeChildNodes` and 
`jcr:addChildNodes` on the parent.
-- Move: `Session.move`, `Workspace.move` require `jcr:removeChildNodes` at the 
source parent and `jcr:addChildNodes` at the target parent.
-- Copy: `Workspace.copy` requires  require same privileges as if items would 
be created using regular API calls.
-- Import: `Session.importXml`, `Workspace.importXml` require same privileges 
as if items would be created using regular API calls.
+| Privilege             | Affected Items                                       
 |
+|-----------------------|-------------------------------------------------------|
+| jcr:addChildNodes     | granted on parent to create new regular child nodes  
 |
+| jcr:removeChildNodes  | granted on parent to remove regular child nodes      
 |
+| rep:removeNode        | required to be granted on regular nodes for removal  
 |
+| jcr:nodeTypeManagement| explicitly setting or modifying node type 
information on a regular (non-protected) node; affected properties are 
`jcr:primaryType`, `jcr:mixinTypes` |
 
 #### Access Control Management
 
-| Privilege             | API Calls                            | Affected 
Items    |
-|-----------------------|----------------------------------------------------------|
-| jcr:readAccessControl | 
`AccessControlManager.getApplicablePolicies`,`AccessControlManager.getPolicies`,
 `AccessControlManager.getEffectivePolicies` | all nodes and properties 
defining access control content |
-| jcr:modifyAccessControl | `AccessControlManager.setPolicy`, 
`AccessControlManager.removePolicy` | all nodes and properties defining access 
control content |
-| rep:privilegeManagement | `PrivilegeManager.registerPrivilege` | 
implementation specific |
+| Privilege               | Affected Items                                     
 |
+|-------------------------|-----------------------------------------------------|
+| jcr:readAccessControl   | all items defining access control content (1)      
 |
+| jcr:modifyAccessControl | all items defining access control content (1)      
 |
+| rep:privilegeManagement | implementation specific; in Oak everything below 
`/jcr:system/rep:privileges` |
+
+(1) in Oak reading/writing nodes with the following node types: `rep:Policy`, 
`rep:ACL`, `rep:ACE`, `rep:GrantACE`, `rep:DenyACE`, `rep:Restrictions`, 
`rep:CugPolicy` and all protected items defined therein
 
 #### Other Session and Workspace Operations
 
-| Privilege               | API Calls                            | Affected 
Items    |
-|-------------------------|----------------------------------------------------------|
-| jcr:versionManagement   | `VersionManager.*` (writing)         | writing 
`/jcr:system/jcr:versionStorage`, `/jcr:system/jcr:activities`, 
`/jcr:system/jcr:configurations` and the following properties `jcr:activity`, 
`jcr:activityTitle`, `jcr:baseVersion`, `jcr:childVersionHistory`, 
`jcr:configuration`, `jcr:copiedFrom`, `jcr:frozenMixinTypes`, 
`jcr:frozenPrimaryType`, `jcr:frozenUuid`, `jcr:isCheckedOut`, 
`jcr:mergeFailed`, 
`jcr:predecessors`,`jcr:successors`,`jcr:root`,`jcr:versionableUuid`, 
`jcr:versionHistory` |
-| jcr:lockManagement      | `LockManager.*` (writing)            | 
`jcr:lockIsDeep`, `jcr:lockOwner` |
-| jcr:lifecycleManagement | `Node.followLifecycleTransition`     | 
`jcr:lifecyclePolicy`, `jcr:currentLifecycleState` |
-| jcr:retentionManagement | `RetentionManager.*` (all writing)   | 
implementation specific, in Jackrabbit 2.x the following properties: 
`rep:hold`, `rep:retentionPolicy` |
-| rep:userManagement      | all user mgt operations writing protected items | 
implementation specific; in Oak creating nodes with the following primary 
types: `rep:User`, `rep:SystemUser`, `rep:Group`, `rep:Impersonatable`, 
`rep:Members`, `rep:MemberReferences`, `rep:MemberReferencesList`, 
`rep:Password` and all protected properties defined therein |
-| rep:indexDefinitionManagement | all write operations affecting index 
definitions | implementation specific; in Oak trees starting with an 
`oak:index` node |
+| Privilege               | Affected Items                                     
 |
+|-------------------------|-----------------------------------------------------|
+| jcr:versionManagement   | all items defining version content (2)             
 |
+| jcr:lockManagement      | Properties `jcr:lockIsDeep`, `jcr:lockOwner`       
 |
+| jcr:lifecycleManagement | `jcr:lifecyclePolicy`, `jcr:currentLifecycleState` 
 |
+| jcr:retentionManagement | implementation specific, in Jackrabbit 2.x the 
following properties: `rep:hold`, `rep:retentionPolicy`, Oak: NA |
+| rep:userManagement      | all items defining user/group content (3)          
 |
+| rep:indexDefinitionManagement | implementation specific; in Oak trees 
starting with an `oak:index` node |
+
+(2) granting jcr:versionManagement privilege at a given versionable node will 
allow writing items through JCR version management API which writes below 
`/jcr:system/jcr:versionStorage`, `/jcr:system/jcr:activities`, 
`/jcr:system/jcr:configurations` and the following properties both in the 
storage(s) and with the versionable node: `jcr:activity`, `jcr:activityTitle`, 
`jcr:baseVersion`, `jcr:childVersionHistory`, `jcr:configuration`, 
`jcr:copiedFrom`, `jcr:frozenMixinTypes`, `jcr:frozenPrimaryType`, 
`jcr:frozenUuid`, `jcr:isCheckedOut`, `jcr:mergeFailed`, 
`jcr:predecessors`,`jcr:successors`,`jcr:root`,`jcr:versionableUuid`, 
`jcr:versionHistory`
+(3) in Oak creating nodes with the following primary types: `rep:User`, 
`rep:SystemUser`, `rep:Group`, `rep:Impersonatable`, `rep:Members`, 
`rep:MemberReferences`, `rep:MemberReferencesList`, `rep:Password` and all 
protected properties defined therein
 
 #### Repository Operations
 
-| Privilege               | API Calls                            | Affected 
Items    |
-|-------------------------|----------------------------------------------------------|
-| jcr:namespaceManagement | `NamespaceRegistry.registerNamespace`, 
`NamespaceRegistry.unregisterNamespace` | implementation specific; in Oak 
everything below `/jcr:system/rep:namespaces` |
-| jcr:nodeTypeDefinitionManagement | `NodeTypeManager.registerNodeType`, 
`NodeTypeManager.registerNodeTypes`, `NodeTypeManager.unregisterNodeType`, 
`NodeTypeManager.unregisterNodeTypes` | implementation specific; in Oak 
everything below `/jcr:system/jcr:nodeTypes` |
-| rep:privilegeManagement | `PrivilegeManager.registerPrivilege` | 
implementation specific; in Oak everything below `/jcr:system/rep:privileges` |
-| jcr:workspaceManagement | `Workspace.createWorkspace`, 
`Workspace.deleteWorkspace` | NA |
+| Privilege               | Affected Items                                     
 |
+|-------------------------|-----------------------------------------------------|
+| jcr:namespaceManagement | implementation specific; in Oak everything below 
`/jcr:system/rep:namespaces` |
+| jcr:nodeTypeDefinitionManagement | implementation specific; in Oak 
everything below `/jcr:system/jcr:nodeTypes` |
+| rep:privilegeManagement | implementation specific; in Oak everything below 
`/jcr:system/rep:privileges` |
+| jcr:workspaceManagement | NA                                                 
 |
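Review bot: the new introductory paragraph has typos that will ship to the site: `+invididual built in privileges.` should read "individual built-in privileges.", and `+Note: the term _regular_ is used on contrast to _protected_ items` should be "in contrast to"; "allows to identify" is also not idiomatic ("makes it possible to identify" or simply "shows"). Further down, the `rep:privilegeManagement` row now appears verbatim both under Access Control Management and under Repository Operations; keeping it in one section avoids the two copies drifting apart. In footnote (2), `jcr:versionManagement` lacks the backticks used for every other privilege name in the tables.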

Added: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md?rev=1685980&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md
 (added)
+++ 
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md
 Wed Jun 17 09:58:05 2015
@@ -0,0 +1,237 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+  -->
+### Privilege Management : Mapping API Calls to Privileges
+
+The following table allows to identify which API calls require which type of
+privilege(s)
+
+#### Read
+
+| API Call                                     | Privilege(s)                  
 |
+|----------------------------------------------|--------------------------------|
+| `Session.itemExists`                         | `jcr:read`                    
 |
+| `Session.getItem`                            | `jcr:read`                    
 |
+| `Session.nodeExists`                         | `rep:readNodes`               
 |
+| `Session.nodeExists`                         | `rep:readNodes`               
 |
+| `Session.getNode`                            | `rep:readNodes`               
 |
+| `Session.getRootNode`                        | `rep:readNodes`               
 |
+| `Session.getNodeByUUID`                      | `jcr:read`                    
 |
+| `Session.getNodeByIdentifier`                | `jcr:read`                    
 |
+| `Session.getNode`                            | `rep:readNodes`               
 |
+| `Session.propertyExists`                     | `rep:readProperties`          
 |
+| `Session.getProperty`                        | `rep:readProperties`          
 |
+| `Item.getParent`                             | `rep:readNodes` on parent     
 |
+| `Item.getAncestor`                           | `rep:readNodes` on ancestor   
 |
+| `Node.hasNode`                               | `rep:readNodes`               
 |
+| `Node.hasNodes`                              | `rep:readNodes`               
 |
+| `Node.getNode`                               | `rep:readNodes`               
 |
+| `Node.getNodes`                              | `rep:readNodes`               
 |
+| `Node.hasProperty`                           | `rep:readProperties`          
 |
+| `Node.hasProperties`                         | `rep:readProperties`          
 |
+| `Node.getProperty`                           | `rep:readProperties`          
 |
+| `Node.getProperties`                         | `rep:readProperties`          
 |
+| `Node.getUUID`                               | `rep:readProperties`          
 |
+| `Node.getIdentifier`                         | `rep:readProperties`          
 |
+| `Node.getReferences`                         | `rep:readProperties`          
 |
+| `Node.getWeakReferences`                     | `rep:readProperties`          
 |
+| `Node.getPrimaryItem`                        | `jcr:read`                    
 |
+| `Node.getPrimaryNodeType`                    | `rep:readProperties` on 
jcr:primaryType |
+| `Node.getMixinNodeTypes`                     | `rep:readProperties` on 
jcr:mixinTypes |
+| `Property.getValue`                          | `rep:readProperties`          
 |
+| `Property.getValues`                         | `rep:readProperties`          
 |
+| `Property.get*`                              | `rep:readProperties`          
 |
+| `Property.getNode`                           | `rep:readProperties`, 
`rep:readNodes` on ref-target |
+| `Session.exportSystemView`                   | `jcr:read`                    
 |
+| `Session.exportDocumentView`                 | `jcr:read`                    
 |
+
+#### Writing Properties
+
+| API Call                                     | Privilege(s)                  
 |
+|----------------------------------------------|--------------------------------|
+| `Node.setProperty` (new)                     | `rep:addProperties`           
 |
+| `Node.setProperty` (existing)                | `rep:alterProperties`         
 |
+| `Property.setValue`                          | `rep:alterProperties`         
 |
+| `Property.remove`                            | `rep:removeProperties`        
 |
+| `Node.setProperty(String, null)`             | `rep:removeProperties`        
 |
+| `JackrabbitSession.removeItem` (item is a property) | `rep:removeProperties` 
 |
+
+#### Writing Nodes
+
+| API Call                                     | Privilege(s)                  
 |
+|----------------------------------------------|--------------------------------|
+| `Node.addNode(String)`                       | `jcr:addChildNodes` (on 
parent) |
+| `Node.remove`                                | `jcr:removeChildNodes` (on 
parent), `jcr:removeNode` |
+| `JackrabbitSession.removeItem` (if item is a node) | `jcr:removeChildNodes` 
(on parent), `jcr:removeNode` |
+| `Node.addNode(String, String)`               | `jcr:addChildNodes` (on 
parent), `jcr:nodeTypeManagement` |
+| `Node.setPrimaryType`                        | `jcr:nodeTypeManagement`      
 |
+| `Node.addMixin`                              | `jcr:nodeTypeManagement`      
 |
+| `Node.removeMixin`                           | `jcr:nodeTypeManagement`      
 |
+| `Node.orderBefore`                           | `jcr:addChildNodes` and 
`jcr:removeChildNodes` (on parent) |
+
+#### Move, Copy and Import
+
+| API Call                                     | Privilege(s)                  
 |
+|----------------------------------------------|--------------------------------|
+| `Session.move`                               | `jcr:removeChildNodes` 
(source parent) and `jcr:addChildNodes` (target parent) |
+| `Workspace.move`                             | `jcr:removeChildNodes` 
(source parent) and `jcr:addChildNodes` (target parent) |
+| `Workspace.copy`                             | same privileges as if items 
would be created using regular API calls |
+| `Session.importXml`                          | same privileges as if items 
would be created using regular API calls |
+| `Workspace.importXml`                        | same privileges as if items 
would be created using regular API calls |
+
+#### Version Management
+
+| API Call                                     | Privilege(s)                  
 |
+|----------------------------------------------|--------------------------------|
+| `VersionManager.isCheckedOut`                | `rep:readNodes` on 
versionable node and `rep:readProperties` on its property `jcr:isCheckedOut` |
+| `VersionManager.getVersionHistory`           | `rep:readNodes` on 
versionable node and `rep:readProperties` on its property `jcr:versionHistory` |
+| `VersionManager.getBaseVersion`              | `rep:readNodes` on 
versionable node and `rep:readProperties` on its property `jcr:baseVersion` |
+| `VersionManager.checkin`                     | `jcr:versionManagement` on 
versionable node |
+| `VersionManager.checkout`                    | `jcr:versionManagement` on 
versionable node |
+| `VersionManager.checkpoint`                  | `jcr:versionManagement` on 
versionable node |
+| `VersionManager.restore`                     | _TODO_                        
 |
+| `VersionManager.restoreByLabel`              | _TODO_                        
 |
+| `VersionManager.merge`                       | _TODO_                        
 |
+| `VersionManager.cancelMerge`                 | _TODO_                        
 |
+| `VersionManager.doneMerge`                   | _TODO_                        
 |
+| `VersionManager.createConfiguration`         | _TODO_                        
 |
+| `VersionManager.setActivity`                 | _TODO_                        
 |
+| `VersionManager.createActivity`              | _TODO_                        
 |
+| `VersionManager.removeActivity`              | _TODO_                        
 |
+| `VersionHistory.*` (read)                    | `rep:readNodes` on 
versionable node |
+| `VersionHistory.removeVersion`               | `jcr:versionManagement` on 
versionable node |
+| `Version.*` (read)                           | `rep:readNodes` on 
versionable node |
+
+NOTE: since Oak 1.0 read/write access to version storage is defined by 
accessibility of the versionable node and _not_ to the version store items.
+
+#### Lock Management
+
+| API Call                                     | Privilege(s)                  
 |
+|----------------------------------------------|--------------------------------|
+| `LockManager.getLock` = `Node.getLock`       | `jcr:read`                    
 |
+| `LockManager.isLocked` = `Node.isLocked`     | `jcr:read`                    
 |
+| `LockManager.holdsLock` = `Node.holdsLock`   | `jcr:read`                    
 |
+| `LockManager.lock` = `Node.lock`             | `jcr:lockManagement`          
 |
+| `LockManager.unlock` = `Node.unlock`         | `jcr:lockManagement`          
 |
+
+#### Access Control Management
+
+| API Call                                     | Privilege(s)                  
 |
+|----------------------------------------------|--------------------------------|
+| `AccessControlManager.getApplicablePolicies` | `jcr:readAccessControl`       
 |
+| `AccessControlManager.getPolicies`           | `jcr:readAccessControl`       
 |
+| `AccessControlManager.getEffectivePolicies`  | `jcr:readAccessControl`       
 |
+| `AccessControlManager.setPolicy`             | `jcr:modifyAccessControl`     
 |
+| `AccessControlManager.removePolicy`          | `jcr:modifyAccessControl`     
 |
+| `PrivilegeManager.registerPrivilege`         | `rep:privilegeManagent` at 
'null' path |
+
+#### User Management
+
+| API Call                                     | Privilege(s)                  
 |
+|----------------------------------------------|--------------------------------|
+| `UserManager.getAuthorizable`                | `jcr:read`                    
 |
+| `UserManager.findAuthorizable`               | `jcr:read`                    
 |
+| `UserManager.createUser`                     | `rep:userManagement`          
 |
+| `UserManager.createSystemUser`               | `rep:userManagement`          
 |
+| `UserManager.createGroup`                    | `rep:userManagement`          
 |
+| `User.isDisabled`                            | `jcr:read`                    
 |
+| `User.getDisabledReason`                     | `jcr:read`                    
 |
+| `User.disable`                               | `rep:userManagement`          
 |
+| `User.changePassword`                        | `rep:userManagement`          
 |
+| `User.getCredentials`                        | `jcr:read`                    
 |
+| `User.getImpersonation`                      | `jcr:read`                    
 |
+| `Impersonation.getImpersonators`             | `jcr:read`                    
 |
+| `Impersonation.allows`                       | `jcr:read`                    
 |
+| `Impersonation.grantImpersonation`           | `rep:userManagement`          
 |
+| `Impersonation.revokeImpersonation`          | `rep:userManagement`          
 |
+| `Group.getDeclaredMembers`                   | `jcr:read`                    
 |
+| `Group.getMembers`                           | `jcr:read`                    
 |
+| `Group.isDeclaredMember`                     | `jcr:read`                    
 |
+| `Group.isMember`                             | `jcr:read`                    
 |
+| `Group.addMember`                            | `rep:userManagement`          
 |
+| `Group.removeMember`                         | `rep:userManagement`          
 |
+| `Authorizable.getID`                         | `jcr:read`                    
 |
+| `Authorizable.getPrincipal`                  | `jcr:read`                    
 |
+| `Authorizable.getPath`                       | `jcr:read`                    
 |
+| `Authorizable.declaredMemberOf`              | `jcr:read` (on groups listing 
this user/group as member) |
+| `Authorizable.memberOf`                      | `jcr:read` (on groups listing 
this user/group as member) |
+| `Authorizable.remove`                        | `rep:userManagement`          
 |
+| `Authorizable.getPropertyNames`              | `jcr:read` or 
`rep:readProperties` (no relPath) |
+| `Authorizable.hasProperty`                   | `jcr:read` or 
`rep:readProperties` (no relPath) |
+| `Authorizable.getProperty`                   | `jcr:read` or 
`rep:readProperties` (no relPath) |                     |
+| `Authorizable.setProperty` (no relPath)      | `rep:addProperties` and/or 
`rep:alterProperties` |
+| `Authorizable.setProperty` (with relPath     | `rep:addProperties` and/or 
`rep:alterProperties`, `jcr:addChildNodes` |
+| `Authorizable.removeProperty`                | `rep:removeProperties`        
 |
+
+#### LifeCycle Management
+
+| API Call                                     | Privilege(s)                  
 |
+|----------------------------------------------|--------------------------------|
+| `Node.followLifecycleTransition`             | `jcr:lifecycleManagement`     
 |
+
+#### Retention Management
+
+| API Call                                     | Privilege(s)                  
 |
+|----------------------------------------------|--------------------------------|
+| `RetentionManager.getHolds`                  | `jcr:read`                    
 |
+| `RetentionManager.getRetentionPolicy`        | `jcr:read`                    
 |
+| `RetentionManager.addHold`                   | `jcr:retentionManagement`     
 |
+| `RetentionManager.removeHold`                | `jcr:retentionManagement`     
 |
+| `RetentionManager.setRetentionPolicy`        | `jcr:retentionManagement`     
 |
+| `RetentionManager.removeRetentionPolicy`     | `jcr:retentionManagement`     
 |
+
+#### Namespace Management
+
+| API Call                                     | Privilege(s)                  
 |
+|----------------------------------------------|--------------------------------|
+| `NamespaceRegistry.getPrefix`                | `jcr:read`                    
 |
+| `NamespaceRegistry.getPrefixes`              | `jcr:read`                    
 |
+| `NamespaceRegistry.getURI`                   | `jcr:read`                    
 |
+| `NamespaceRegistry.getURIs`                  | `jcr:read`                    
 |
+| `NamespaceRegistry.registerNamespace`        | `jcr:namespaceManagement`     
 |
+| `NamespaceRegistry.unregisterNamespace`      | `jcr:namespaceManagement`     
 |
+
+#### NodeType Management
+
+| API Call                                     | Privilege(s)                  
 |
+|----------------------------------------------|--------------------------------|
+| `NodeTypeManager.hasNodeType`                | `jcr:read`                    
 |
+| `NodeTypeManager.getNodeType`                | `jcr:read`                    
 |
+| `NodeTypeManager.getAllNodeTypes`            | `jcr:read`                    
 |
+| `NodeTypeManager.getPrimaryNodeTypes`        | `jcr:read`                    
 |
+| `NodeTypeManager.getMixinNodeTypes`          | `jcr:read`                    
 |
+| `NodeTypeManager.createNodeTypeTemplate`     | NA                            
 |
+| `NodeTypeManager.createNodeDefinitionTemplate`     | NA                      
 |
+| `NodeTypeManager.createPropertyDefinitionTemplate` | NA                      
 |
+| `NodeTypeManager.registerNodeType`           | 
`jcr:nodeTypeDefinitionManagement` |
+| `NodeTypeManager.registerNodeTypes`          | 
`jcr:nodeTypeDefinitionManagement` |
+| `NodeTypeManager.unregisterNodeType`         | 
`jcr:nodeTypeDefinitionManagement` |
+| `NodeTypeManager.unregisterNodeTypes`        | 
`jcr:nodeTypeDefinitionManagement` |
+
+#### Privilege Management
+
+| API Call                                     | Privilege(s)                  
 |
+|----------------------------------------------|--------------------------------|
+| `PrivilegeManager.getRegisteredPrivileges`   | `jcr:read`                    
 |
+| `PrivilegeManager.getPrivilege`              | `jcr:read`                    
 |
+| `PrivilegeManager.registerPrivilege`         | `rep:privilegeManagement`     
 |
+
+#### Workspace Management
+
+| API Call                                     | Privilege(s)                  
 |
+|----------------------------------------------|--------------------------------|
+| `Workspace.createWorkspace`                  | `jcr:workspaceManagement`     
 |
+| `Workspace.deleteWorkspace`                  | `jcr:workspaceManagement`     
 |
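Review bot: the Writing Nodes rows for `Node.remove` and `JackrabbitSession.removeItem` name the privilege `jcr:removeNode`, but the sibling page added in this same commit (mappingtoitems.md) and Oak's built-in privilege set call it `rep:removeNode`; the name should be corrected so the two pages agree. Other defects in the tables: `rep:privilegeManagent` at the end of the Access Control Management table is misspelled (`rep:privilegeManagement`, as in the Privilege Management table further down) and that row duplicates the later one; `Session.nodeExists` and `Session.getNode` each appear twice in the Read table; the `Authorizable.getProperty` row carries a stray trailing cell (`|                     |`) that renders as an extra column; and `Authorizable.setProperty` (with relPath` is missing its closing parenthesis. The intro sentence "which API calls require which type of privilege(s)" also lacks its terminating period.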

