Adding a dedicated security domain to allow users to (only) modify their own user node.

We need to restore the ability for users to allow them to (for example) change their own password.

This requires modify access on only the user its own node, excluding the ability to delete that node.

We currently only have 2 roles readwrite (granting jcr:write) and admin (granting jcr:all) which both imply the right to also delete the qualified node(s).

A new and finer grained role is needed to restrict and exclude the jcr:deleteNode privilege which is included/implied with both jcr:write and jcr:all.

The new modify role will grant the following jcr privileges:

• jcr:read
• jcr:modifyProperties
• jcr:addChildNodes
• jcr:removeChildNodes

With this role, a new "modify-user" security domain will be added as follows:

    /hippo:configuration/hippo:domains/modify-user:
      jcr:primaryType: hipposys:domain
      /self:
        jcr:primaryType: hipposys:domainrule
        /match-nodename-with-username:
          jcr:primaryType: hipposys:facetrule
          hipposys:equals: true
          hipposys:facet: nodename
          hipposys:filter: false
          hipposys:type: Name
          hipposys:value: __user__
        /type-hippo-user:
          jcr:primaryType: hipposys:facetrule
          hipposys:equals: true
          hipposys:facet: nodetype
          hipposys:filter: false
          hipposys:type: Name
          hipposys:value: hipposys:user
      /modify:
        jcr:primaryType: hipposys:authrole
        hipposys:groups: [editor, author]
        hipposys:role: modify

And, because the new modify role also grants jcr:read, the same "/self" domain rule currently defined in the "default-read" domain no longer is needed (effectively moved into the "modify-user" domain.