hi
What's the best way to deal with this? Adding Permission.NODE_TYPE_MNGMT for
a user role/group on the root node? That doesn't feel quite right as there
are system nodes under the root nodes that shouldn't be included in the
permissions.
i guess there is no best way... it depends on your setup
and requirements. you could e.g.
- allow it for the root and deny it for those system nodes
you don't want it.
- you don't grant the privilege on the root but on each
invidual subtrees where you need that priv.
- you use another ac implementation that allows to specify
patterns (e.g. the principal-based ac) so you don't have
to deny/allow the privilege on individual subtrees which
may be cumbersome if you don't have a fixed list.
apart from that: i don't know exactly what system nodes
you were referring to... but as far as i know the huge part
of the system nodes/properties is at some point protected
and therefore regular write operations are pretty much
limited (thinking of versions, activities, node types,
access control, users).
regards
angela
