Roles
Roles define sets of privileges (the "what"), which can be granted to users, groups or a userrole (the "who") within security domains (the "where").
Role configuration
Roles are stored in the repository under the path /hippo:configuration/hippo:roles, where the name of each role node defines the role name.
The privileges of a role are stored in its multi-value hipposys:privileges property. A role can also include (imply) other roles through the multi-value property hipposys:roles; a role that implies another role grants that role's privileges as well, so the implied chain should be reviewed when a custom role is defined.
The roles themselves are used and referenced by the authroles of security domains.
Node type definitions
hipposys:role
```
[hipposys:role] > nt:base
  - hipposys:system (boolean)
  - hipposys:privileges (string) multiple
  - hipposys:roles (string) multiple
  - hipposys:description (string)
  - hipposys:jcrread (boolean)    // not used
  - hipposys:jcrwrite (boolean)   // not used
  - hipposys:jcrremove (boolean)  // not used
```
| Name | Type | Required | Description |
|---|---|---|---|
| node name | String | yes | The name of the role |
| hipposys:system | boolean | no | Indicator that the role is protected and may not be modified or deleted. All standard provided roles are marked as system roles. |
| hipposys:privileges | String (multiple) | no | The custom or JCR standard privileges granted through this role |
| hipposys:roles | String (multiple) | no | Other roles implied by this role |
| hipposys:description | String | no | A description of the role |
hipposys:rolefolder
```
[hipposys:rolefolder] > nt:base
  + * (hipposys:role) = hipposys:role
```
Example role configuration
```yaml
/hippo:configuration:
  /hippo:roles:
    /author:
      jcr:primaryType: hipposys:role
      hipposys:privileges: [ jcr:read, hippo:author ]
    /editor:
      jcr:primaryType: hipposys:role
      hipposys:privileges: [ hippo:editor ]
      hipposys:roles: [ author ]
    /myrole:
      jcr:primaryType: hipposys:role
      hipposys:privileges: [ hippo:rest ]
      hipposys:roles: [ editor ]
```
Default provided roles and privileges
| Role | Privileges | Implied roles |
|---|---|---|
| author | jcr:read, hippo:author | |
| editor | hippo:editor | author |
| admin | jcr:all, hippo:admin | editor |
| readonly | jcr:read | |
| readwrite | jcr:read, jcr:write | |
| modify | jcr:read, jcr:modifyProperties | |
| channel-viewer | hippo:channel-viewer | |
| channel-webmaster | hippo:channel-webmaster | readwrite, channel-viewer |
| channel-admin | hippo:channel-admin | channel-webmaster |
| project-viewer | hippo:project-viewer | readonly |
| project-editor | hippo:project-editor | readwrite, project-viewer |
| project-admin | hippo:project-admin | project-editor |
| targeting-viewer | hippo:targeting-viewer | |
| targeting-editor | hippo:targeting-editor | readwrite, targeting-viewer |
| index-export | index:export | |
| restuser | hippo:rest | |
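Because a role grants every privilege of the roles it implies, the privileges a role effectively carries are only visible after the hipposys:roles chain is followed to the end (the example `myrole` above implies `editor`, which implies `author`; `channel-admin` reaches `readwrite` two hops away). The script below is an added example, not code from this page or from the Hippo CMS project: it resolves the effective privilege set of a role over a constructed in-memory copy of the example configuration and a few of the default roles, reports which roles end up granting a given privilege, and flags the two configuration mistakes a reviewer should catch, a role that implies an undefined role and a cycle of implied roles. It assumes that implication is transitive, which is consistent with the chained implied roles in the table above, and it reads a plain dict rather than the JCR repository nodes.

```python
"""Resolve effective privileges of Hippo CMS roles by following hipposys:roles.

Added example; the role table below is constructed from the example configuration
and default roles on this page, keyed as they would appear under
/hippo:configuration/hippo:roles. Transitive implication is an assumption.
"""
from typing import Dict, FrozenSet, List, Set

RoleTable = Dict[str, Dict[str, List[str]]]

# Constructed sample data: "privileges" mirrors hipposys:privileges,
# "roles" mirrors hipposys:roles.
ROLES: RoleTable = {
    "readonly": {"privileges": ["jcr:read"], "roles": []},
    "readwrite": {"privileges": ["jcr:read", "jcr:write"], "roles": []},
    "author": {"privileges": ["jcr:read", "hippo:author"], "roles": []},
    "editor": {"privileges": ["hippo:editor"], "roles": ["author"]},
    "admin": {"privileges": ["jcr:all", "hippo:admin"], "roles": ["editor"]},
    "myrole": {"privileges": ["hippo:rest"], "roles": ["editor"]},
    "channel-viewer": {"privileges": ["hippo:channel-viewer"], "roles": []},
    "channel-webmaster": {
        "privileges": ["hippo:channel-webmaster"],
        "roles": ["readwrite", "channel-viewer"],
    },
    "channel-admin": {"privileges": ["hippo:channel-admin"], "roles": ["channel-webmaster"]},
}


class RoleCycleError(ValueError):
    """Raised when hipposys:roles references form a cycle (a -> b -> a)."""


def effective_privileges(roles: RoleTable, role: str) -> FrozenSet[str]:
    """Return every privilege `role` grants directly or through implied roles.

    Depth-first walk over hipposys:roles. The current path is tracked so a
    cycle is reported with the exact chain; a reference to a role that does
    not exist raises KeyError instead of being silently ignored.
    """
    granted: Set[str] = set()
    path: List[str] = []      # roles on the current implication chain
    resolved: Set[str] = set()  # roles already fully expanded

    def visit(name: str) -> None:
        if name in path:
            raise RoleCycleError(" -> ".join(path + [name]))
        if name in resolved:
            return
        if name not in roles:
            raise KeyError(f"role {name} is implied but not defined")
        path.append(name)
        granted.update(roles[name]["privileges"])
        for implied in roles[name]["roles"]:
            visit(implied)
        path.pop()
        resolved.add(name)

    visit(role)
    return frozenset(granted)


def roles_granting(roles: RoleTable, privilege: str) -> FrozenSet[str]:
    """All roles whose effective privilege set contains `privilege`."""
    return frozenset(r for r in roles if privilege in effective_privileges(roles, r))


def check_all_roles(roles: RoleTable) -> List[str]:
    """Resolve every role and collect cycle / undefined-role problems as text."""
    problems: List[str] = []
    for name in roles:
        try:
            effective_privileges(roles, name)
        except (RoleCycleError, KeyError) as exc:
            problems.append(f"{name}: {exc}")
    return problems


if __name__ == "__main__":
    for name in ROLES:
        print(f"{name:18} -> {', '.join(sorted(effective_privileges(ROLES, name)))}")
    print("roles granting jcr:all:", sorted(roles_granting(ROLES, "jcr:all")))
    print("problems:", check_all_roles(ROLES) or "none")
```

Running it shows that `myrole` ends up with jcr:read, hippo:author and hippo:editor on top of the hippo:rest it declares, which is the kind of widening a custom role picks up when it implies `editor` rather than listing the privileges it needs. `roles_granting` is the reverse query to ask before widening a default: which roles would be affected if `readwrite` gained another privilege.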