Re: change node ownership
Hi Marco Yeah... no, that's not how the default authorisation model works :-) But obviously you would be able to write and deploy your own authorisation model that just behaves as you expected it to work. Some hints can be found at http://jackrabbit.apache.org/oak/docs/security/introduction.html I still didn't have time to write a dedicated training session for the customize-authorization topic but it's on my TODOs. Kind regards Angela On 14/02/18 10:37, "Marco Piovesana" wrote: >Hi Angela, >thanks for the answer. I thought (and I was wrong) that the user that >created a node would have had complete control on it (and not just the >permissions explicitly granted to him). That's why my question... thanks >again for the clarification. > >Marco. > > >On Wed, Feb 14, 2018 at 9:47 AM Angela Schreiber > >wrote: > >> Hi Marco >> >> It depends a bit on how you originally setup the 'ownership' in the >>first >> place. >> - if you have granted permissions to userA _on_ that very node, you can >> simply remove the entries and create new ones for the new owner. >> - if you have granted permissions to userA on a _parent_ node you can >> either fix the entries at the parent or add a denying entry at the >>target. >> - if permissions are inherited from other principals (e.g. through group >> membership) you can either 'fix' the set of principals that is add to >>the >> Subject upon login (e.g. through changes of group membership) or again >> through an explicit deny. >> Which variant (and there might be some more) is the best one, depends on >> your requirements. >> Also note that for modification of the permission setup your session not >> only requires regular write privileges but read/modify access control >> privileges. >> >> See the Oak documentation for additional details in particular >> >>http://jackrabbit.apache.org/oak/docs/security/permission/evaluation.html >> You may also want to take a look at the oak-exercise module which comes >> with quite some training material for the default authorisation model. >> >> Hope that helps >> Angela >> >> >> On 13/02/18 18:36, "Marco Piovesana" wrote: >> >> >Hi all, >> >is it possible to change the owner of a node? What I'm trying to do is >> >move >> >a node created by userA from its original folder to another place. >>After >> >the node is moved I want to revoke all permission to userA on that >>node. >> > >> >Marco. >> >>
Re: change node ownership
Hi Angela, thanks for the answer. I thought (and I was wrong) that the user that created a node would have had complete control on it (and not just the permissions explicitly granted to him). That's why my question... thanks again for the clarification. Marco. On Wed, Feb 14, 2018 at 9:47 AM Angela Schreiber wrote: > Hi Marco > > It depends a bit on how you originally setup the 'ownership' in the first > place. > - if you have granted permissions to userA _on_ that very node, you can > simply remove the entries and create new ones for the new owner. > - if you have granted permissions to userA on a _parent_ node you can > either fix the entries at the parent or add a denying entry at the target. > - if permissions are inherited from other principals (e.g. through group > membership) you can either 'fix' the set of principals that is add to the > Subject upon login (e.g. through changes of group membership) or again > through an explicit deny. > Which variant (and there might be some more) is the best one, depends on > your requirements. > Also note that for modification of the permission setup your session not > only requires regular write privileges but read/modify access control > privileges. > > See the Oak documentation for additional details in particular > http://jackrabbit.apache.org/oak/docs/security/permission/evaluation.html > You may also want to take a look at the oak-exercise module which comes > with quite some training material for the default authorisation model. > > Hope that helps > Angela > > > On 13/02/18 18:36, "Marco Piovesana" wrote: > > >Hi all, > >is it possible to change the owner of a node? What I'm trying to do is > >move > >a node created by userA from its original folder to another place. After > >the node is moved I want to revoke all permission to userA on that node. > > > >Marco. > >
Re: change node ownership
Hi Marco It depends a bit on how you originally setup the 'ownership' in the first place. - if you have granted permissions to userA _on_ that very node, you can simply remove the entries and create new ones for the new owner. - if you have granted permissions to userA on a _parent_ node you can either fix the entries at the parent or add a denying entry at the target. - if permissions are inherited from other principals (e.g. through group membership) you can either 'fix' the set of principals that is add to the Subject upon login (e.g. through changes of group membership) or again through an explicit deny. Which variant (and there might be some more) is the best one, depends on your requirements. Also note that for modification of the permission setup your session not only requires regular write privileges but read/modify access control privileges. See the Oak documentation for additional details in particular http://jackrabbit.apache.org/oak/docs/security/permission/evaluation.html You may also want to take a look at the oak-exercise module which comes with quite some training material for the default authorisation model. Hope that helps Angela On 13/02/18 18:36, "Marco Piovesana" wrote: >Hi all, >is it possible to change the owner of a node? What I'm trying to do is >move >a node created by userA from its original folder to another place. After >the node is moved I want to revoke all permission to userA on that node. > >Marco.