Details
-
New Feature
-
Status: Closed
-
Normal
-
Resolution: Fixed
-
None
-
None
-
None
Description
With the introduction of federated domainfolders in REPO-2242, securing the access to the now multiple domainfolders itself has become much harder 
The intend is that security administration users with the xm-security-manager userrole should all have readonly access and readwrite to those (also) having the xm-security-application-manager userrole.
But because these federated domainfolders can be 'anywhere', setting-up pre-defined domainrules no longer is possible (because we don't know their parent paths and thus also cannot provide implicit read access to those parent paths).
However, the proper solution is relatively easy, and a direction we want/need to implement more and more anyway, by providing a dedicated API/service hiding the access which then simply can use a system session under the covers (and thus no longer needs setting up domainrules).
Thus: this new DomainsManager service, provided through the RepositorySecurityManager (see also REPO-2253).
The main (only) use-case currently is within the CMS admin perspective, and the current provided API is therefore, for now, rather simple and basic.
The DomainsManager provides administrative (crud) domain management, limited to only hipposys:authrole children of an existing hipposys:domain.
The corresponding changes to adapt and use the DomainsManager, instead of direct read/write JCR operations, will be done through issue CMS-12065.
Attachments
Issue Links
- includes
-
-
- Closed
-