hi
What I am trying to do is the following:
Create users "user1", "user2"
Create structure:
/templatesNode/template1Node/.../
              /template2Node/.../
              /template3Node/.../
              /template4Node/.../
"user1" be able to delete and write on template1Node and template2Node
"user2" be able to delete and write on template3Node and template4Node
So in order to do that I need to:
- Provide on /templatesNode jcr:removeChildNodes access to user1 and user2
- Provide /template1Node and /template2Node all access to user1
well... not all... i would just grant jcr:read, jcr:write and jcr:nodeTypeManagement.
- Provide /template3Node and /template4Node all access to user2
same here.
But like that user1 can remove template3Node and template4Node and user2 can remove template1Node and template2Node.
why that? in order to be able to remove a node you must have both privileges: jcr:removeChildNodes on the parent AND jcr:removeNode on the target node itself. so, user1 will not be able to remove template3Node if he/she is only granted jcr:removeChildNodes on the parent...
With the little knowledge of Jackrabbit I have, a solution can be to deny removeNode on template3Node and template4Node to user1 and do the same for user2 on template1Node and template2Node, but I am planning to have many users and many nodes under templatesNode so I think it is not a solution.
you don't have to remove jcr:removeNode privilege if it hasn't been granted before. and as far as i understood your user1 would not have any kind of write permission on the template3Node. so, i think it does what you expected.
Do you have a better approach to what I am trying to do?
from time to time it's possible to simplify things using an additional pattern-matching restriction with the access control entries. but that requires a naming pattern that is suitable for this.
kind regards
angela
Thank you!
--
View this message in context: http://jackrabbit.510166.n4.nabble.com/AccessControll-tp4604580p4605812.html
Sent from the Jackrabbit - Users mailing list archive at Nabble.com.
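The setup angela describes (jcr:removeChildNodes on /templatesNode, jcr:read, jcr:write and jcr:nodeTypeManagement on each user's own template nodes) together with the two-privilege removal check, as an added Java example that is not from this thread; it assumes a local Jackrabbit 2.x TransientRepository with the default admin/admin account, and the user passwords are constructed.

```java
import java.security.Principal;
import javax.jcr.*;
import javax.jcr.security.*;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.core.TransientRepository;

public class TemplateAcl {
    // Add an allow entry for the principal at path, using only the JCR 2.0 access control API.
    static void allow(Session admin, String path, Principal who, String... names) throws RepositoryException {
        AccessControlManager acm = admin.getAccessControlManager();
        Privilege[] privs = new Privilege[names.length];
        for (int i = 0; i < names.length; i++) privs[i] = acm.privilegeFromName(names[i]);
        AccessControlList acl = null;
        for (AccessControlPolicy p : acm.getPolicies(path))               // reuse an ACL already bound here
            if (p instanceof AccessControlList) acl = (AccessControlList) p;
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);  // otherwise take the applicable one
        while (acl == null && it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof AccessControlList) acl = (AccessControlList) p;
        }
        if (acl == null) throw new RepositoryException("no ACL policy available at " + path);
        acl.addAccessControlEntry(who, privs);
        acm.setPolicy(path, acl);
    }
    // Removal needs jcr:removeChildNodes on the parent AND jcr:removeNode on the node itself.
    static boolean canRemove(Session s, String nodePath) throws RepositoryException {
        AccessControlManager acm = s.getAccessControlManager();
        String parent = nodePath.substring(0, nodePath.lastIndexOf('/'));
        return acm.hasPrivileges(parent, new Privilege[]{acm.privilegeFromName(Privilege.JCR_REMOVE_CHILD_NODES)})
            && acm.hasPrivileges(nodePath, new Privilege[]{acm.privilegeFromName(Privilege.JCR_REMOVE_NODE)});
    }
    public static void main(String[] args) throws RepositoryException {
        Repository repo = new TransientRepository();   // assumption: local Jackrabbit 2.x with admin/admin
        JackrabbitSession admin = (JackrabbitSession) repo.login(new SimpleCredentials("admin", "admin".toCharArray()));
        Node templates = admin.getRootNode().addNode("templatesNode");
        for (int i = 1; i <= 4; i++) templates.addNode("template" + i + "Node");
        Principal u1 = admin.getUserManager().createUser("user1", "pw1").getPrincipal(); // constructed passwords
        Principal u2 = admin.getUserManager().createUser("user2", "pw2").getPrincipal();
        admin.save();
        allow(admin, "/templatesNode", u1, Privilege.JCR_REMOVE_CHILD_NODES); // parent side of the removal check
        allow(admin, "/templatesNode", u2, Privilege.JCR_REMOVE_CHILD_NODES);
        String[] perNode = {Privilege.JCR_READ, Privilege.JCR_WRITE, Privilege.JCR_NODE_TYPE_MANAGEMENT};
        for (int i = 1; i <= 4; i++)                   // template1/2 -> user1, template3/4 -> user2
            allow(admin, "/templatesNode/template" + i + "Node", i <= 2 ? u1 : u2, perNode);
        admin.save();
        Session user1 = repo.login(new SimpleCredentials("user1", "pw1".toCharArray()));
        System.out.println("template1Node: " + canRemove(user1, "/templatesNode/template1Node")); // user1's own node
        System.out.println("template3Node: " + canRemove(user1, "/templatesNode/template3Node")); // user2's node, no jcr:removeNode
        user1.logout(); admin.logout();
    }
}
```

jcr:write aggregates jcr:removeNode, so user1 holds both halves of the check on template1Node but only the parent half on template3Node, which is exactly why no explicit deny entries are needed.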
