The question I have regarding the ACL inheritance can be explained taking the below example:
Let us assume that there is a folder 'parent-folder' whose child is 'child-folder'. Assume that 'parent-folder' was assigned "jcr:read" privilege for "everyone" logical group and "jcr:write" privilege for "Managers" group. If we don't want all the users to view 'child-folder', then we need to set "jcr:read" privilege to "deny" for "everyone" group at the 'child-folder' level. Since ACEs defined on a particular node take precedence over inherited ones, none of the users will be able to view 'child-folder' (even though "jcr:write" privilege for "Managers" group is present in 'parent-folder'). "jcr:write" privilege for "Managers" group needs to be applied at the 'child-folder' as well for the users of "Managers" group to read and write.

Is this the expected behavior?

As noted in Jackrabbit wiki, a core concept of resource-based ACLs is that they inherit the ACLs from the parent node, thus for each node, all the ACLs of its ancestor come into play as well. But in the above scenario, setting "jcr:read" privilege to "deny" for "everyone" group will effectively stop the inheritance.

--
View this message in context: http://jackrabbit.510166.n4.nabble.com/ACL-inheritance-tp4660110.html
Sent from the Jackrabbit - Users mailing list archive at Nabble.com.
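The scenario in the message above, as an added example that is not part of the original post: it writes the two entries on 'child-folder' and then asks the repository for the effective result instead of assuming it. The path, the class and method names, the use of an administrative session, and the choice to grant "jcr:read" together with "jcr:write" to "Managers" on the child are assumptions made for this example.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

public class ChildFolderAcl {
    // Assumed location of the folders named in the post.
    static final String CHILD = "/parent-folder/child-folder";

    /** Run with an administrative session; returns a summary of effective read access. */
    public static String restrictChild(Session admin) throws RepositoryException {
        JackrabbitAccessControlManager acm =
                (JackrabbitAccessControlManager) admin.getAccessControlManager();
        PrincipalManager pm = ((JackrabbitSession) admin).getPrincipalManager();
        Principal everyone = pm.getEveryone();
        Principal managers = pm.getPrincipal("Managers");

        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        Privilege[] readWrite = { acm.privilegeFromName(Privilege.JCR_READ),
                                  acm.privilegeFromName(Privilege.JCR_WRITE) };

        // Local entries on the child: deny read to everyone, then an explicit
        // allow for Managers. Entry order is kept as written here; the outcome
        // is queried below rather than assumed.
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(admin, CHILD);
        acl.addEntry(everyone, read, false);      // false = deny
        acl.addEntry(managers, readWrite, true);  // true  = allow
        acm.setPolicy(CHILD, acl);
        admin.save();

        // Principal sets standing in for "a member of Managers" and "any other user".
        Set<Principal> asManager = new HashSet<Principal>();
        asManager.add(managers);
        asManager.add(everyone);
        Set<Principal> asOther = Collections.singleton(everyone);

        // Ask the access control manager what these principal sets end up with.
        return "managers can read: " + acm.hasPrivileges(CHILD, asManager, read)
             + ", others can read: " + acm.hasPrivileges(CHILD, asOther, read);
    }
}
```

Running the same check before and after `setPolicy` shows what the local deny changes for each principal set on the repository version in use.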
