I have tree structured data about members in system. Fx. members objects are stored in members directory, and members projects objects are stored in members object. Key of member object is email of member.
So full paths to members project objects look like members/user#mail.com/project, members/user2#email.com/project, etc.
Now, I'm going to set full access to /members path, but I want to deny access to members projects objects. It woks fine when I set full access to /members workspace and deny access to specified path /members/user#mail.com/project but user#mail.com is a variable. Is it possible to do it by regex like #^/members/(.*)/project#? Is there any other solution?
Related
I have a set of a few thousand FileNet documents that need to have the security reset from the document level to the folder level. Does anyone know if there is a document set security folder method as well as to be able to obtain the object reference from the folder that the document is filed in and set the object reference for the security folder for that document? I would appreciate any assistance.
Thanks,
FileNet has 4 security levels for each Instance.
https://www.ibm.com/support/knowledgecenter/en/SSNW2F_5.2.0/com.ibm.p8.security.doc/p8psa007.htm
Default Instance Security - is a preset of ALC that applies to each new instance (but not for created yet, because preset becomes to its own ACL)
Inherited from a parent container (Folder) - if inheritance applied at the relationship level.
Inherited from Security Template by applying Security Policy
Own (documents) ACL
The authorization process is calculation of the result permission by applying all ACL (own and inherited).
So if you need change (reset) security for set of documents you have few ways to do this:
If you need add allow (or deny is needed) permissions to somebody for these documents you can manually add new access permission to the root folder which contains all that documents and apply this record to all child objects. It will work only if documents or folders under the root does not have Deny records (because Deny overwrites Allow)
You can select all those documents by Query and apply bulk modification script (handler) and set exactly needed ACL for each document or clear it.
https://www.ibm.com/support/knowledgecenter/SSNW2F_5.2.0/com.ibm.p8.ce.admin.tasks.doc/p8pcc193.htm
I added a sharepoint file browser to my app using MS Graph API to enumerate document libraries/folder/files. When selecting a file I get a driveitem id, a drive id and a webUrl (and of course many other properties).
I would like to store a reference to the selected file in a safe way: If a file is moved to another library (on same site collection) or renamed, the reference should still be valid.
I guess for office type files, I could use the webUrl, because it is a durable link and does not change. For other file types, a file can be identified by combination of driveid and itemid and queried in graph api like
https://graph.microsoft.com/v1.0/sites/{my_site}/drives/{drive-id}/items/{item-id}
If I rename a file, the item id is not changed. That's great.
If I move a file to another library, the item id is also not changed, but the drive id changes. I didn't find a way to query for a drive id across all drives on a site collection. Is it possible? Or is my approch wrong?
If the document id feature was enabled on the site collection, I could probably use this id to identify a file. But I cannot guarantee that (and I also don't know how to search by document id in Graph API).
P.S. If there is a better way to access files by id in CSOM, I could also use this instead of Graph API...
I got users and roles. Access to certain parts of the the content is denied in the ftls but I got the following problem:
I want prevent users from sharing pdf links.
These are formed like this:
http://localhost:8080/dam/jcr:c383c3c-a27a-4baf-856f-265baaf02142/mozillasecure.pdf
In the dam workspace I have two folders pdf and pdfsecure I want the pdfs in the pdf to be downloadable for all roles and the ones in the pdfsecure folder to be denied for ie. anonymous role..
How can I accomplish that?
Note: I thought about extending the DamURI2RepositoryMapping.java but I couldnt see it through, please help...
Is this a trick question? :)
Simply set content permission for anonymous role to "deny" on pdfsecure and subnodes via security app. Make sure to set it directly on public instance (author and public have different anonymous role configuration so you don't want to activate that).
Setting permission on the content level, in difference from setting it at URI level, makes sure content is not accessible via any URI.
HTH,
Jan
I am using Outlook REST API V2 (https://msdn.microsoft.com/en-us/office/office365/api/mail-rest-operations)
Is there a way to determine the root parent folder of a message without making subsequent requests to get the parent of the parent of the parent, etc.. of the message folder?
In my case I would like to know if a message is "deleted", by finding out if the message is anywhere under the DeletedItems hierarchy.
Related to this - Is there a way to get all messages under a folder regardless of where in the sub-folders of the folder the message is, without making separate requests to traverse the sub-folders hierarchy?
Thanks for your time to anyone willing to help :)
No, there isn't any direct way by just looking at the message entities. You could sync the mail folder hierarchy down locally to your client, then essentially construct a list of IDs for the Deleted Items and any folders under it, then compare IDs in your message list. You'd have to be sure to keep the folder hierarchy table on your client in sync.
No, there is no deep traversal. If you get the /messages collection from a folder, it's only immediate children. If you get /me/messages, it's messages from all folders in the mailbox (which is more than what you're asking I think).
Suppose there's a top-secret list (inherits its permissions from its parent) that contains records that were created earlier by different users. There are several groups with rights to administer, read, write-constrainted.
There is a group of authors of top-secret items. Author can only create a 'secret-item'. But the item shouldn't be viewed by other participants of the group (Authors).
I can't access/change site programmatically. And I'm curious how come I do this manually.
First, keep in mind that you cannot do "top-secret" in SharePoint. The site collection administrator will always have access to all content.
Manually, there are two features that come close to your request:
under advanced options in the list settings: user can only read/write his/her own items
under the same advanced options: activate approval. Content in draft state will remain hidden (except from approvers and site owners)
In addition to the answers from #Christophe, you can also modify the permissions of individual List Items.
If you were able to make programmatic changes, I would suggest attaching an ItemAdded event receiver to a custom Content Type named "Top Secret." But in this case, the permissions changes can be made as a manual step after adding the item.
The risk, of course, is if the author forgets to change the permissions, changes the permissions incorrectly, or changes the permissions very slowly (allowing others to see it before permissions are changed).
For more information on changing the permissions of a List Item, see Break permission inheritance on a folder, document, or list item.