1. I think that should work. This approach is kind of an "everything open unless I close it" mindset, where you may want to consider "everything is closed unless I open it." If myapp and blog need anonymous access for some reason you may want to restructure so the content folders don't need to be under them.

2. All permissions will only go down a hierarchy. Changing the permissions on a child won't have any effect on the parent (except for the fact that its child was changed). Obviously changes to the parent's security will be inherited by the children.

3. I'm not too familiar but through trial and error it looks like you need to add jcr:nodeTypeManagement as well. I guess choosing a primary node type for a new node counts as nodeTypeManagement.

-----Original Message-----
From: Anuj Kumar [mailto:[email protected]]
Sent: Tuesday, August 16, 2011 12:27 PM
To: [email protected]; [email protected]
Subject: Access Control Management with JCR

Hello Everyone,

I am trying to understand the access management with JCR, using an example of Blog posts. I am using the espblog example of Apache Sling and trying to work with the permissions on different blog posts. I am trying to create some content in such a way that it is accessible to only a certain group of users. Also, there are posts that are public and private. It is my first attempt with Jackrabbit and Sling, so please let me know what works and what does not. That would be of great help.

Here are the details. Suppose I have a repository structure as:

/
-- myapp
   --- blogs
       --- private
       --- public
       --- shared

As the folder names suggest, I am trying to organize the content depending on the required security, i.e.

1. If a user wants to publish the blog for everyone, the content is posted to /myapp/blogs/public/*
2. If a user wants to keep some articles private, it is posted to /myapp/blogs/private/*
3. If a user wants to publish the blog for a limited group of people, the content is posted to /myapp/blogs/shared/* with appropriate permissions.

Depending on the scenario:

1. The 'private' folder disallows any anonymous access and each content is accessible only to the author. (All Permissions for the author)
2. The 'public' folder allows everyone, including anonymous (Read, Write)
3. The 'shared' folder has the policies set per content, depending on the author (Read, Write, Read Permission, Write Permission only to the author or participating entities)

For this scenario, my questions are:

1. Does it make sense to have this kind of access policies? Are there better ways to do so?
2. When I assign the permission to folders private, public and shared, how does it affect the permission for the parent folders myapp and blogs?
3. Isn't 'write' permission enough for adding new content nodes to the existing node on which the 'write' permission is given? I tried assigning the read, write permissions to a group of blog users on the 'private' folder but it didn't work. The write permission allows you to create child nodes as well but still I am getting an access denied exception. Moreover, if I assign all the permissions on the 'private' node it works, but that includes the read, write access to permissions as well.

Thanks for your help.

Regards,
Anuj
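The two points the reply makes about the 'private' folder (inheritance only flows downward, and jcr:write alone is not enough to add a typed child node) can be shown with the standard JCR 2.0 access control API plus the Jackrabbit extension for deny entries. The following is an added example and is not code from this thread or from the Sling espblog sample. It assumes a session with rights to modify policies (adminSession), a group principal named "blog-authors", and that the anonymous user's principal id is "anonymous", as in a default Jackrabbit/Sling setup; all three are assumptions.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;

/** Added example: locking down /myapp/blogs/private to an author group. */
public class BlogAcl {

    static final String PRIVATE_PATH = "/myapp/blogs/private";
    static final String AUTHOR_GROUP = "blog-authors";   // assumed group id
    static final String ANONYMOUS_ID = "anonymous";      // assumed anonymous user id

    /** Returns the ACL bound to the node, or the first applicable one if none is bound yet. */
    static JackrabbitAccessControlList getAcl(AccessControlManager acm, String path)
            throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) p;
            }
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) p;
            }
        }
        throw new RepositoryException("No modifiable ACL available for " + path);
    }

    /** Resolves a user or group id to its principal via the Jackrabbit UserManager. */
    static Principal principalOf(Session session, String id) throws RepositoryException {
        UserManager um = ((JackrabbitSession) session).getUserManager();
        Authorizable a = um.getAuthorizable(id);
        if (a == null) {
            throw new RepositoryException("Unknown authorizable: " + id);
        }
        return a.getPrincipal();
    }

    /**
     * Grants the author group what it needs to create posts under the private folder.
     * jcr:write covers adding child nodes and setting properties, but assigning the new
     * node's primary type additionally requires jcr:nodeTypeManagement, which is why the
     * reply above found jcr:read + jcr:write insufficient.
     */
    public static void securePrivateFolder(Session adminSession) throws RepositoryException {
        AccessControlManager acm = adminSession.getAccessControlManager();
        JackrabbitAccessControlList acl = getAcl(acm, PRIVATE_PATH);

        Privilege[] authorPrivs = {
            acm.privilegeFromName(Privilege.JCR_READ),
            acm.privilegeFromName(Privilege.JCR_WRITE),
            acm.privilegeFromName(Privilege.JCR_NODE_TYPE_MANAGEMENT)
        };
        acl.addEntry(principalOf(adminSession, AUTHOR_GROUP), authorPrivs, true);

        // Entries only take effect at this node and below; nothing here changes /myapp or
        // /myapp/blogs. The deny is only needed if an ancestor grants anonymous read, which
        // the "closed unless opened" layout from the reply avoids in the first place.
        Privilege[] all = { acm.privilegeFromName(Privilege.JCR_ALL) };
        acl.addEntry(principalOf(adminSession, ANONYMOUS_ID), all, false);

        acm.setPolicy(PRIVATE_PATH, acl);
        adminSession.save();
    }

    /** Checks, from a user's own session, whether it can add a typed child node at path. */
    public static boolean canAddPost(Session userSession, String path) throws RepositoryException {
        AccessControlManager acm = userSession.getAccessControlManager();
        Privilege[] needed = {
            acm.privilegeFromName(Privilege.JCR_ADD_CHILD_NODES),
            acm.privilegeFromName(Privilege.JCR_NODE_TYPE_MANAGEMENT)
        };
        return acm.hasPrivileges(path, needed);
    }
}
```

Running canAddPost against a session of a blog-authors member before and after securePrivateFolder is the quickest way to confirm that the missing privilege was jcr:nodeTypeManagement rather than a problem with the group membership or the policy binding.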
