Privilege Management : Mapping Privileges to Items
The following table allows to identify which items will be affected by the invididual built in privileges.
Note: the term regular is used on contrast to protected items that are written using special API calls and thus mandate special privileges or are maintained by the system only and cannot be modified by the API consumer.
Read
| Privilege | Affected Items |
|---|---|
| rep:readNodes | all nodes except for access control content |
| rep:readProperties | all properties except for access control content |
| jcr:readAccessControl | all items defining access control content (see below) |
Writing Properties
| Privilege | Affected Items |
|---|---|
| rep:addProperties | creation of new regular properties |
| rep:alterProperties | changing existing regular properties |
| rep:removeProperties | removing existing regular properties |
Writing Nodes
| Privilege | Affected Items |
|---|---|
| jcr:addChildNodes | granted on parent to create new regular child nodes |
| jcr:removeChildNodes | granted on parent to remove regular child nodes |
| rep:removeNode | required to be granted on regular nodes for removal |
| jcr:nodeTypeManagement | explicitly setting or modifying node type information on a regular (non-protected) node; affected properties are jcr:primaryType, jcr:mixinTypes |
Access Control Management
| Privilege | Affected Items |
|---|---|
| jcr:readAccessControl | all items defining access control content [1] |
| jcr:modifyAccessControl | all items defining access control content [1] |
| rep:privilegeManagement | implementation specific; in Oak everything below /jcr:system/rep:privileges |
Other Session and Workspace Operations
| Privilege | Affected Items |
|---|---|
| jcr:versionManagement | all items defining version content [2] |
| jcr:lockManagement | Properties jcr:lockIsDeep, jcr:lockOwner |
| jcr:lifecycleManagement | jcr:lifecyclePolicy, jcr:currentLifecycleState |
| jcr:retentionManagement | implementation specific, in Jackrabbit 2.x the following properties: rep:hold, rep:retentionPolicy, Oak: NA |
| rep:userManagement | all items defining user/group content [3] |
| rep:indexDefinitionManagement | implementation specific; in Oak trees starting with an oak:index node |
Repository Operations
| Privilege | Affected Items |
|---|---|
| jcr:namespaceManagement | implementation specific; in Oak everything below /jcr:system/rep:namespaces |
| jcr:nodeTypeDefinitionManagement | implementation specific; in Oak everything below /jcr:system/jcr:nodeTypes |
| rep:privilegeManagement | implementation specific; in Oak everything below /jcr:system/rep:privileges |
| jcr:workspaceManagement | NA |
Annotations
[1] In Oak reading/writing nodes with the following node types provided by the implementations present: rep:Policy, rep:ACL, rep:ACE, rep:GrantACE, rep:DenyACE, rep:Restrictions and rep:CugPolicy and all protected items defined therein.
See Default Access Control Management and Managing Access Control with CUG, respectively.
[2] Granting jcr:versionManagement privilege at a given versionable node will allow writing items through JCR version management API which writes below /jcr:system/jcr:versionStorage, /jcr:system/jcr:activities, /jcr:system/jcr:configurations and the following properties both in the storage(s) and with the versionable node: jcr:activity, jcr:activityTitle, jcr:baseVersion, jcr:childVersionHistory, jcr:configuration, jcr:copiedFrom, jcr:frozenMixinTypes, jcr:frozenPrimaryType, jcr:frozenUuid, jcr:isCheckedOut, jcr:mergeFailed, jcr:predecessors,jcr:successors,jcr:root,jcr:versionableUuid, jcr:versionHistory
[3] in Oak creating nodes with the following primary types: rep:User, rep:SystemUser, rep:Group, rep:Impersonatable, rep:Members, rep:MemberReferences, rep:MemberReferencesList, rep:Password and all protected properties defined therein