[opencms-dev] Role structure findings
Pere Torrodellas
ptorrodellas at fihoca.com
Thu Oct 20 12:47:48 CEST 2005
As some of you may have noted from my last messages to this very helpful
mail list, I have been having problems with code not having the right
permissions to invoke some OpenCms functions.
As examples that may help others:
- To get the list of the WebUsers, the code has to be run by a user that is
a member of a group with "SYSTEM_USER" role.
- To be able to change the password of a WebUser, the code has to be run by
a user that is a member of a group with "ACCOUNT_MANAGER" role.
Otherwise, you get a CmsRoleViolationException.
My goal is to know what groups can invoke what OpenCms functions, and to
define a user that can perform the above without being, if possible, a
member of the Administrators group that can do everything.
I looked and asked for information about this, but got no results other than
the CmsRole class javadoc, so I wrote a short procedure to ask the CmsRole
class itself, and the result, for anyone interested, is listed below.
As you can see, there is no way to be able to change a WebUser password with
a user that is not an Administrator (please correct me if I'm wrong). In my
opinion this is inconvenient because it prevents a WebUser from changing
his/her own password, which is a pretty common function in any Web with
access control.
A check to ensure that a user does not attempt to change someone else's
password would be enough, and would allow doing this without having to
switch to a user with way too many other (not needed) permissions.
Any comment or correction to all this will be much appreciated.
Pere
**** OpenCms Role structure ****
Role: ADMINISTRATOR RoleGroup: Administrators
Role: PROJECT_MANAGER RoleGroup: Projectmanagers
Parent role: ADMINISTRATOR
Role: MODULE_MANAGER RoleGroup: Administrators
Parent role: ADMINISTRATOR
Role: RESOURCE_TYPE_MANAGER RoleGroup: Administrators
Parent role: ADMINISTRATOR
Parent role: MODULE_MANAGER
Role: WORKPLACE_USER RoleGroup: Users
Parent role: ADMINISTRATOR
Role: ACCOUNT_MANAGER RoleGroup: Administrators
Parent role: ADMINISTRATOR
Role: EXPORT_DATABASE RoleGroup: Administrators
Parent role: ADMINISTRATOR
Role: IMPORT_DATABASE RoleGroup: Administrators
Parent role: ADMINISTRATOR
Role: DEVELOPER RoleGroup: Administrators
Parent role: ADMINISTRATOR
Role: SCHEDULER_MANAGER RoleGroup: Administrators
Parent role: ADMINISTRATOR
Role: SEARCH_MANAGER RoleGroup: Administrators
Parent role: ADMINISTRATOR
Role: VFS_MANAGER RoleGroup: Administrators
Parent role: ADMINISTRATOR
Role: HISTORY_MANAGER RoleGroup: Administrators
Parent role: ADMINISTRATOR
Role: PROPERTY_MANAGER RoleGroup: Administrators
Parent role: ADMINISTRATOR
Role: ROOT_FOLDER_ACCESS RoleGroup: Administrators
Parent role: ADMINISTRATOR
Role: WORKPLACE_MANAGER RoleGroup: Administrators
Parent role: ADMINISTRATOR
Parent role: MODULE_MANAGER
Parent role: DEVELOPER
Role: SYSTEM_USER RoleGroup: Users
Parent role: ADMINISTRATOR
Parent role: WORKPLACE_USER
Parent role: PROJECT_MANAGER
Parent role: DEVELOPER
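
The group analysis behind the post's conclusion, as an added example (not the poster's procedure and not OpenCms code). It parses an excerpt of the listing above and computes which groups grant each role, assuming a role is held by members of its own RoleGroup or of any parent role's RoleGroup; the function names are hypothetical.

```python
import re

# Excerpt of the listing above, embedded as sample input.
LISTING = """\
Role: ADMINISTRATOR RoleGroup: Administrators
Role: PROJECT_MANAGER RoleGroup: Projectmanagers
Parent role: ADMINISTRATOR
Role: WORKPLACE_USER RoleGroup: Users
Parent role: ADMINISTRATOR
Role: ACCOUNT_MANAGER RoleGroup: Administrators
Parent role: ADMINISTRATOR
Role: DEVELOPER RoleGroup: Administrators
Parent role: ADMINISTRATOR
Role: SYSTEM_USER RoleGroup: Users
Parent role: ADMINISTRATOR
Parent role: WORKPLACE_USER
Parent role: PROJECT_MANAGER
Parent role: DEVELOPER
"""

ROLE_RE = re.compile(r"^Role:\s+(\S+)\s+RoleGroup:\s+(\S+)$")
PARENT_RE = re.compile(r"^Parent role:\s+(\S+)$")

def parse_roles(text):
    """Return {role: (group, [parent roles])} from the dump format."""
    roles, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := ROLE_RE.match(line):
            current = m.group(1)
            roles[current] = (m.group(2), [])
        elif (m := PARENT_RE.match(line)) and current:
            roles[current][1].append(m.group(1))
    return roles

def granting_groups(roles, role):
    """Groups whose members hold `role`: its own group plus, transitively,
    the groups of its parent roles (assumed inheritance model)."""
    groups, seen, todo = set(), set(), [role]
    while todo:
        r = todo.pop()
        if r in roles and r not in seen:  # skip unknown parents and cycles
            seen.add(r)
            groups.add(roles[r][0])
            todo.extend(roles[r][1])
    return groups

def roles_without_admin(roles, admin_group="Administrators"):
    """Roles obtainable through at least one group other than admin_group."""
    return {r: sorted(g - {admin_group}) for r in roles
            if (g := granting_groups(roles, r)) - {admin_group}}
```

On this excerpt ACCOUNT_MANAGER resolves to Administrators alone, while SYSTEM_USER is also reachable through Users and Projectmanagers.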