[opencms-dev] Role structure findings

Pere Torrodellas ptorrodellas at fihoca.com
Thu Oct 20 12:47:48 CEST 2005


As some of you may have noted from my last messages to this very helpful
mailing list, I have been having problems with code not having the right
permissions to invoke some OpenCms functions.

As examples that may help others:

- To get the list of the WebUsers, the code has to be run by a user that is
a member of a group with "SYSTEM_USER" role.
- To be able to change the password of a WebUser, the code has to be run by
a user that is a member of a group with "ACCOUNT_MANAGER" role.

Otherwise, you get a CmsRoleViolationException.

My goal is to know what groups can invoke what OpenCms functions, and to
define a user that can perform the above without being, if possible, a
member of the Administrators group that can do everything.

I looked and asked for information about this, but got no results other than
the CmsRole class javadoc, so I wrote a short procedure to ask the CmsRole
class itself, and the result, for anyone interested, is listed below.

As you can see, there is no way to be able to change a WebUser password with
a user that is not an Administrator (please correct me if I'm wrong). In my
opinion this is inconvenient because it prevents a WebUser from changing
his/her own password, which is a pretty common function in any website with
access control.

A check to ensure that a user does not attempt to change someone else's
password would be enough, and would allow doing this without having to
switch to a user with way too many other (not needed) permissions.

Any comment or correction to all this will be much appreciated.

Pere

**** OpenCms Role structure ****

Role: ADMINISTRATOR RoleGroup: Administrators

Role: PROJECT_MANAGER RoleGroup: Projectmanagers
    Parent role: ADMINISTRATOR

Role: MODULE_MANAGER RoleGroup: Administrators
    Parent role: ADMINISTRATOR

Role: RESOURCE_TYPE_MANAGER RoleGroup: Administrators
    Parent role: ADMINISTRATOR
    Parent role: MODULE_MANAGER

Role: WORKPLACE_USER RoleGroup: Users
    Parent role: ADMINISTRATOR

Role: ACCOUNT_MANAGER RoleGroup: Administrators
    Parent role: ADMINISTRATOR

Role: EXPORT_DATABASE RoleGroup: Administrators
    Parent role: ADMINISTRATOR

Role: IMPORT_DATABASE RoleGroup: Administrators
    Parent role: ADMINISTRATOR

Role: DEVELOPER RoleGroup: Administrators
    Parent role: ADMINISTRATOR

Role: SCHEDULER_MANAGER RoleGroup: Administrators
    Parent role: ADMINISTRATOR

Role: SEARCH_MANAGER RoleGroup: Administrators
    Parent role: ADMINISTRATOR

Role: VFS_MANAGER RoleGroup: Administrators
    Parent role: ADMINISTRATOR

Role: HISTORY_MANAGER RoleGroup: Administrators
    Parent role: ADMINISTRATOR

Role: PROPERTY_MANAGER RoleGroup: Administrators
    Parent role: ADMINISTRATOR

Role: ROOT_FOLDER_ACCESS RoleGroup: Administrators
    Parent role: ADMINISTRATOR

Role: WORKPLACE_MANAGER RoleGroup: Administrators
    Parent role: ADMINISTRATOR
    Parent role: MODULE_MANAGER
    Parent role: DEVELOPER

Role: SYSTEM_USER RoleGroup: Users
    Parent role: ADMINISTRATOR
    Parent role: WORKPLACE_USER
    Parent role: PROJECT_MANAGER
    Parent role: DEVELOPER
