Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Anchor
top
top

In This Topic

Table of Contents
maxLevel2

...

 

Default Authorization

By default a plugin does not define any authorization which means that all components contained by the plugin can be used by anyone at any time (unless a component is licensed and the application server on which it is installed does not have the proper license). This is normally done during development and is not recommended in a live situation.

 

Back to Top

 

...

Permission Category

In XperienCentral, a plugin may define zero or more permissions. A permission is a fine-grained definition of a particular operation on one or more objects. Assigning the permission to a role grants that role the particular permission. A permission must always be positive - it grants particular rights and never denies rights.

...

The first step in creating custom authorization is to define the permission categories. A permission category has the following properties:

 

PropertyPurpose
Value

A unique identifier for the permission category.

labelId

ID of the label in messages_<language>_<country>.properties containing the translation of the name of the permission category in the supported language(s).

showAsComponent

Indicates whether this permission category appears in the web initiative configuration panel of the Workspace. If it is visible, the plugin as a whole can be enabled/disabled per web initiative.

 

After creating an instance of the permission category and setting its properties, use setPermissionCategory on the component definition to assign the category to a component definition. If you reuse the same permission category for another component, you should set the permission category only once. If you define the permission category twice, this will result in a conflict. For example, to define a permission category for a “Plugin Management console” panel, you would use the following:

...

When the plugin is deployed, the permission categories defined in each component definition contained by the plugin are installed or updated automatically. When defining and using permission categories, be sure that they conform to the development guidelines (G050 and G051 in particular).

 

Back to Top

 

...

Anchor
permissions
permissions
Permissions

A permission grants a role the rights to perform a particular operation on one or more objects. This is a definition that can be interpreted in many ways, and the permission itself does not define the exact operation it grants permission for and the object on which the operation operates. It is the software itself using the permission that defines what rights the permission provides.

A permission consists of the following properties:

 

Property
Purpose
value

Unique identifier for the permission.

labelID

ID of the label in messages_<language>_<country>.properties containing the translation of the name of the permission in the supported language(s).

permissionCategory

The permission category to which the permission belongs.

 

To instantiate permissions invoke the constructor of PermissionImpl. The value, labelId and permissionCategory are input arguments of the constructor.  The permissions defined in each permission category of the plugin are installed or updated automatically when the plugin is deployed. When defining and using permissions, be sure that they conform to the development guidelines (G052 and G053 in particular).

 

Back to Top

 

...

Permission Groups

Because of the fine-grained definition of permissions, assigning them to the proper roles can sometimes be difficult. The default XperienCentral application itself already contains over 70 separate permissions and this amount will only grow in the future or when you deploy additional plugins. For ease of use, the concept of a permission group was introduced. A permission group is nothing more than a collection of permissions. Instead of assigning individual permissions to a role, it is also possible to assign a permission group to a role, thus implicitly assigning a collection of permissions to the role.

Permissions defined in a plugin can be added to such a permission group using the method setPermissionsForPermissionGroup on the component definition. XperienCentral defines five different permission groups:

 

Permission group ID
Purpose
CASUAL_USER_PERMISSION_GROUP

Permission group for casual users

EDITOR_PERMISSION_GROUP

Permission group for editors

MAIN_EDITOR_PERMISSION_GROUP

Permission group for main editors

APPLICATION_MANAGER_PERMISSION_GROUP

Permission group for Application managers

DEVELOPER_EDITOR_PERMISSION_GROUP

Permission group for developers

 

The class nl.gx.webmanager.wcb.WCBConstants contains the identifiers for these groups. The code example below shows how to add a collection of permissions to a permission group:

...

When the plugin is deployed, the permissions are automatically added to the permission group and thus implicitly to all roles assigned to this permission group. This way even a plugin that defines restricted access can become available to users automatically without manual intervention.

 

Back to Top

 

...

Using Permissions

To use permissions in your code you first have to define a dependency with the Authorization service. The Authorization service provides a method checkAccess which takes the permission’s value as an input argument in order to check whether the current user has the specific permission. Depending on the result of this call a particular piece of software will or will not be invoked.

...

When using permissions, be sure that they conform to the development guidelines (G052 and G053 in particular).

 

Back to Top

 

...

Element Permission

For element components, the element itself is created and deleted by the XperienCentral framework rather than the controller contained by the element component itself. While create and delete authorization checks would typically be programmed in a Java class of the plugin, for element components this is done differently.

...