Restrict Workflow for Certain Folders and Groups - BloomReach Experience - Open Source CMS
07-01-2019

Restrict Workflow for Certain Folders and Groups

This page describes the recommended method for disabling the folder workflow (add folder, add document, rename, etc.) for certain folders and groups. A simple but realistic use case: a top-level folder was created by an editor, and authors should not be able to modify that folder.

If you only want to restrict which document types a folder can contain, see Control the Allowed Document Types in a Folder.

The workflow we're interested in lives under the node /hippo:configuration/hippo:workflows/threepane/folder. For this example, assume that the folder /content/documents/applications and all its child folders should not expose this workflow to authors.

Disabling the workflow could be done via the security domain configuration (by changing the domain /hippo:configuration/hippo:domains/workflow/frontend-workflow so that the workflow node above is no longer available to authors). However, that applies globally in the CMS, i.e. to all folders, so it is usually not desirable.

A better approach exists that provides finer control over access to the workflow. It takes advantage of the fact that a workflow can declare the minimum privileges a user must hold on the node in order to be eligible to use it. This is done on the workflow node by adding the property hipposys:privileges.

In Bloomreach Experience Manager, a user can hold different privileges depending on which node they are accessing. This is specified via security domains, which decide which role (and therefore which privileges) to assign based on, among other criteria, the path of the node the user is working under. Applied to our example, what we need to do is now clear:

For the folder nodes where we don't want the user to reach the workflow, we give them a role whose privileges are simply not sufficient for the workflow to be enabled.

1. Specify what privilege is sufficient

The hippo:author privilege seems suitable, since we do want authors to be able to access the workflow in general. We'll then make sure the authors don't get this privilege on any folder in which we want to disable the workflow. So, as the first step, add the property hipposys:privileges with value hippo:author to /hippo:configuration/hippo:workflows/threepane/folder:

/hippo:configuration/hippo:workflows/threepane/folder:
  hipposys:classname: org.hippoecm.repository.standardworkflow.FolderWorkflowImpl
  hipposys:display: Workflow on folders (authors)
  hipposys:nodetype: hippostd:folder
  hipposys:privileges: hippo:author

2. Modify security domains

By default, authors get the hippo:author privilege on all hippo:document type nodes (folders included). This is assigned in the domain /hippo:configuration/hippo:domains/hippodocuments: an authrole there assigns the author role to the authors group for any node matching the criteria defined in the domain rule /hippo:configuration/hippo:domains/hippodocuments/hippo-document. Assigning the author role is what enables the workflow, so we want to avoid granting it when the user is working under any of our workflow-disabled folders. A node only matches a domain rule if it matches all of the facet rules inside it, so we can add a child facet rule to /hippo:configuration/hippo:domains/hippodocuments/hippo-document that excludes our folders.

This is easily done by copying an existing facet rule: copy /hippo:configuration/hippo:domains/hippodocuments/hippo-document/nodetype-hippo-document to the same location, rename the copy to exclude-my-folders and set the following properties to these values:

  • hipposys:facet -> "jcr:path"
  • hipposys:type -> "Reference"
  • hipposys:value -> "/content/documents/applications"
  • hipposys:equals -> false

/hippo:configuration/hippo:domains/hippodocuments/hippo-document:
  /exclude-my-folders:
    jcr:primaryType: hipposys:facetrule
    hipposys:facet: jcr:path
    hipposys:type: Reference
    hipposys:value: /content/documents/applications
    hipposys:equals: false
    hipposys:filter: false

This effectively removes our folder and its subtree from the domain, so authors get no privileges at all on those folders, i.e. no access at all. Note that the facet rule restricts the whole domain, not one group: every authrole defined in hippodocuments stops applying under /content/documents/applications, so any other group that still needs access there must get it back through a domain of its own. For the authors, we fix this in the last step.

3. Create a new security domain only for our special folders

  • Copy the whole domain /hippo:configuration/hippo:domains/hippodocuments (including the exclude-my-folders facet rule added in step 2) into a new domain and rename it, here to hippodocuments-readonly
  • Navigate to the facet rule named exclude-my-folders in the copy and rename it to include-my-folders
  • On this facet rule, change the property hipposys:equals to true
  • Change the authrole in the new domain to give the readonly role (it was the author role) to the authors group
/hippo:configuration/hippo:domains/hippodocuments-readonly/hippo-document:
  /include-my-folders:
    jcr:primaryType: hipposys:facetrule
    hipposys:facet: jcr:path
    hipposys:type: Reference
    hipposys:value: /content/documents/applications
    hipposys:equals: true
    hipposys:filter: false
/hippo:configuration/hippo:domains/hippodocuments-readonly:
  /hippo:authrole:
    jcr:primaryType: hipposys:authrole
    hipposys:groups: hippo:author
    hipposys:role: readonly

You now have a domain that assigns the readonly role to authors when they work under your workflow-disabled folders. Since they no longer hold the author role there, and with it the hippo:author privilege required by the workflow node, the folder workflow is not enabled for them, while they keep read access to the content.
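To check that the three steps produce the intended result, here is an added example in Python. It is not code from Bloomreach or the Hippo repository; it is a small model of the documented domain evaluation rules (a node is in a domain if it matches any of the domain's domain rules, it matches a domain rule only if it matches all of that rule's facet rules, and a Reference-typed jcr:path rule covers the node and its whole subtree). The role-to-privilege table `ROLES`, the group name `authors`, the sample folder paths and the helper names (`domains_after_step`, `report`) are assumptions made for the example. It also shows the intermediate state after step 2 alone, where authors end up with no privileges at all under the excluded folder.

```python
"""Model of Bloomreach security-domain evaluation (added example, not the
repository's own code).  Used to check the three configuration steps on
this page against a few constructed folder nodes."""

from dataclasses import dataclass

# Assumed contents of /hippo:configuration/hippo:roles (simplified for the example).
ROLES = {
    "author": {"jcr:read", "jcr:write", "hippo:author"},
    "readonly": {"jcr:read"},
}

# Step 1: hipposys:privileges on /hippo:configuration/hippo:workflows/threepane/folder
FOLDER_WORKFLOW_PRIVILEGES = {"hippo:author"}


@dataclass(frozen=True)
class FacetRule:
    facet: str            # "nodetype" or "jcr:path"
    value: str            # hipposys:value
    equals: bool = True   # hipposys:equals


@dataclass
class Domain:
    name: str
    domain_rules: tuple   # each entry is a tuple of FacetRule (ANDed); entries are ORed
    authroles: dict       # hipposys:authrole nodes: group -> role


@dataclass(frozen=True)
class Node:
    path: str
    types: frozenset      # primary type plus its supertypes


def facet_matches(rule, node):
    if rule.facet == "nodetype":
        hit = rule.value in node.types
    elif rule.facet == "jcr:path":
        # Reference-typed jcr:path rules cover the node itself and its subtree.
        base = rule.value.rstrip("/")
        hit = node.path == base or node.path.startswith(base + "/")
    else:
        raise ValueError("unsupported facet: " + rule.facet)
    return hit if rule.equals else not hit


def node_in_domain(domain, node):
    return any(all(facet_matches(r, node) for r in rules)
               for rules in domain.domain_rules)


def privileges_for(domains, node, group):
    """Union of the privileges of every role the group receives on this node."""
    privs = set()
    for domain in domains:
        if node_in_domain(domain, node) and group in domain.authroles:
            privs |= ROLES[domain.authroles[group]]
    return privs


def folder_workflow_enabled(domains, node, group):
    """The workflow is offered only if the user holds all of its hipposys:privileges."""
    return FOLDER_WORKFLOW_PRIVILEGES <= privileges_for(domains, node, group)


IS_DOCUMENT = FacetRule("nodetype", "hippo:document")
EXCLUDE_APPS = FacetRule("jcr:path", "/content/documents/applications", equals=False)
INCLUDE_APPS = FacetRule("jcr:path", "/content/documents/applications", equals=True)


def domains_after_step(step):
    """Security domains as they stand after completing step 1, 2 or 3 of the page."""
    hippo_document_rule = (IS_DOCUMENT,) + ((EXCLUDE_APPS,) if step >= 2 else ())
    domains = [Domain("hippodocuments", (hippo_document_rule,), {"authors": "author"})]
    if step >= 3:
        domains.append(Domain("hippodocuments-readonly",
                              ((IS_DOCUMENT, INCLUDE_APPS),),
                              {"authors": "readonly"}))
    return domains


# Constructed sample nodes; as the page states, folders count as hippo:document nodes.
FOLDER_TYPES = frozenset({"hippostd:folder", "hippo:document"})
APPS_SUBFOLDER = Node("/content/documents/applications/intranet", FOLDER_TYPES)
SIBLING_FOLDER = Node("/content/documents/applications-archive", FOLDER_TYPES)
OTHER_FOLDER = Node("/content/documents/news", FOLDER_TYPES)


def report(step, node, group="authors"):
    domains = domains_after_step(step)
    return {"privileges": privileges_for(domains, node, group),
            "folder_workflow": folder_workflow_enabled(domains, node, group)}


if __name__ == "__main__":
    for step in (1, 2, 3):
        for node in (APPS_SUBFOLDER, SIBLING_FOLDER, OTHER_FOLDER):
            print(step, node.path, report(step, node))
```

Running the model shows the three states in turn: after step 1 authors still have the workflow everywhere; after step 2 they have no privileges at all under /content/documents/applications (the "no access at all" state) while the sibling /content/documents/applications-archive is untouched, because the path rule matches the subtree, not a string prefix; after step 3 they hold only jcr:read there, so the workflow is hidden, and elsewhere nothing changed.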
