Permission Control Issue

smallredville

Programmer
Aug 18, 2008
115
SG
Hello All,

Correct me if I am wrong while describing my problem here.

I have just got one issue related to permissions control.

For a Livelink item, how can I give access permissions (such as SEE, EDIT..) to a user without using the GUI features of the page for adding permissions of users and groups? I need this functionality to happen at runtime.

For example:

UserA belongs to GroupA (GroupA by default only has SEE, SEE contents)

So by default UserA will get the permissions of SEE and SEE contents (inherited from parent).

Now I want to add USERA in a Livelink item, let's say a new folder item, but without going to function menu -> permissions -> then assign permission; I want to give the user permission for that folder and assign the permission at RUNTIME. Hope I cleared the confusion.

Which function in Livelink updates the permissions for a user for any specific Livelink item?

Please, if anyone can describe more about permission masking, it would be a great help. I am not getting the logic behind the permission number, how it is generated in the DTreeACL table.

Quick help would be highly appreciated :)

One small question - Is there any possibility that we can assign a user the permissions SEE, ADD, DELETE (but no EDIT, MODIFY functionality)? It may be tricky, but any suggestion on this would again be doubly highly appreciated!!

Cheers
Smallredville
 
I am not sure if I understand this correctly; however, I will explain how Livelink permissions control and ACLs work.

Every object (for simplicity, a folder) has these permissions by default:
Owner - This is by design the user who logged in and created the item. This may have any permissions such as S, SC, M, etc.
Group - The group to which the folder is assigned, designed so that it is the knowledge manager group.
World - Or Public Access.
System - The System, which is not shown in the GUI.

Then below this line you start adding the other groups you want. So if there was nothing added below the line, in dtreeacl you will find four rows.

For faster deciphering, the permissions are cracked using bit arithmetic, which is standard programming practice. In OScript we can check if the value contains the "See" bit. This can also be done in LAPI. Also, for your understanding, if you look at one row with SQL Server or Oracle, both these languages understand bitwise arithmetic.

Once you understand it, using LAPI, WS or OScript all you want to do is create your object, which as you rightly say will have inherited the perms. You, or the user who does it (probably a program), if it has user administration privs, can change this and update it at runtime without any problem.

This Java code shows you how I revoke a user privilege. The code is pretty old but should work. At the minimum you need a session and a UAPI object or DAPI object to manipulate, I believe.


Well, if I called the wrong number, why did you answer the phone?
James Thurber, New Yorker cartoon caption, June 5, 1937

Certified OT Developer and probably certifiable, Livelink ECM Champion 2008
 
Sorry, I posted code for updating a user's privilege. You really want something that does GetObjectRights and setObjectRights.
I will see if I have any samples. Should not be difficult.

Well, if I called the wrong number, why did you answer the phone?
James Thurber, New Yorker cartoon caption, June 5, 1937

Certified OT Developer and probably certifiable, Livelink ECM Champion 2008
 
Hi Appnair,

I 100% agree with your views on permission levels in Livelink. Actually what I want is to fix the scenario below:

I have one item of my own creation in Livelink, let's say Forum; inside Forum I have another item, let's say forumZone. Now in this forumZone I have created 3 logical roles, i.e. Host, Participant and Guest. Please note that these roles are not physical groups in Livelink, unlike the default group; in other words, these are not Livelink objects. These role fields are created under forumZone only for forum members to discuss the forum. Now the main point: inside forumZone I have a link or feature to add Livelink users and include them in one of the logical ROLES. Inside forumZone I can also add different Livelink items, let's say Agenda, Documents, URL, Notes. Each role has ADD, EDIT and DELETE checkboxes for each Livelink item inside forumZone. This is the actual case and functionality of the forumZone module.

Now the big one: when Admin adds a USERA inside forumZone, Admin has to assign a role to USERA; let's say Admin has assigned him Guest. Now there is another link which opens the RolePrivilege page, which shows all the permission checkboxes for each role. So now Admin is giving the logical permissions to each role. Admin has given permission to the GUEST role such that Guest can only ADD the agenda item but cannot EDIT and DELETE the agenda item. Now USERA is from the Default group, and the default group has the permissions of only SEE and SEE contents.

So when USERA logged in and went inside forumZone, and then went inside the agenda item, when USERA browsed the agenda item the ADD button should come up, but it's not coming up, because I think USERA is inheriting the permissions from the default group, which only has SEE and SEE contents permission.

So my question is: how can we modify or update the permissions of the Agenda item such that when USERA logs in, instead of fetching his permissions from the parent, let's say the default group, the agenda item shows the EDIT or ADD or DELETE button depending upon the permissions of the ROLE USERA belongs to?

I know it's a bit tricky, and also very confusing, but really a challenging issue. See my code below: when I open the Role Privilege page, where I can set or assign the role permissions, the function below is called, which updates the role permissions (NOT USER PERMISSIONS). My problem is to set/update the user permissions at runtime, at the same time the ROLE permissions are assigned for each Livelink item, only if the user is in that ROLE.

This application is purely in OScript. See below what I am doing to solve it:

Here is the function, which calls another function:

1.

function void RolePrivileges2( \
        Dynamic parm )

    Assoc extendedData
    Assoc result
    Assoc rolePrivileges

    Object prgCtx = parm.prgCtx
    Dynamic request = parm.request
    Dynamic response = parm.response

    Assoc data = response.Data
    Assoc err = parm.response.error
    Boolean ok = TRUE
    DAPINODE node = request.Node
    Object dbConnect = prgCtx.fDbConnect
    Object llnode = .LLNode() // My customization

    echo(parm.request.node.Pname)

    result = .LLNode().IsNodeEditable( prgCtx, node )

    ok = ._IsNotError( prgCtx.fDBConnect, result, err )

    if ok
        result = llnode.RolePrivilegesGet( prgCtx, node )

        ok = ._IsNotError( prgCtx.fDBConnect, result, err )

        if ok
            rolePrivileges = result.RolePrivileges

            result = llnode.RolePrivilegesSetFromRequest( prgCtx, request, rolePrivileges, llnode) // My customization

            ok = ._IsNotError( dbConnect, result, response )

            if ok && result.Changed

                extendedData = node.pExtendedData

                extendedData.RolePrivileges = result.RolePrivileges
                node.pExtendedData = extendedData

                result = llnode.NodeUpdate( node )

                ok = ._IsNotError( dbConnect, result, response )
            end
        end
    end

    // Redirect to the correct location.

    if ok
        result = ._SetLocation( prgCtx, request, response, .fOpenCmdName )

        ok = ._IsNotError( dbConnect, result, err )
    end
end

You can see above that it's calling the function RolePrivilegesSetFromRequest (note that I am passing llnode as the 4th parameter to this function).


2.

function Assoc RolePrivilegesSetFromRequest( \
        Object prgCtx, \
        Dynamic request,\
        Assoc rolePrivileges,\
        Object llnode ) // My customization

    Assoc moduleAssoc
    Assoc roleAssoc
    Assoc rtnval
    Assoc aNewPerms
    Assoc child

    Dynamic apiError

    Integer enabled
    Integer role
    Integer permission
    Integer iCount // My customization

    List modules
    List privileges
    List rolePermissionsList // My customization
    List roles

    String errMsg
    String module
    String privilege
    String savedRolePrivileges

    Boolean ok = TRUE
    Boolean changed = FALSE

    List childNodesList = DAPI.ListSubNodes(request.node); // My customization

    savedRolePrivileges = Str.ValueToString( rolePrivileges )

    modules = Assoc.Keys( rolePrivileges )

    for module in modules

        moduleAssoc = rolePrivileges.( module )

        roles = Assoc.Keys( moduleAssoc )

        for role in roles

            roleAssoc = moduleAssoc.( role )

            privileges = Assoc.Keys( roleAssoc )

            for privilege in privileges

                if ( Str.CmpI( privilege, "view" ) == 0 )

                    // Do nothing.

                elseif ( Str.CmpI( module, "slideshowmodule" ) == 0 ) && ( Str.CmpI( privilege, "edit" ) == 0 )

                    // Do nothing.

                else
                    enabled = ( IsFeature( request, Str.Format( '%1_%2_%3', module, role, privilege ) ) ) ? 1 : 0

                    if ( (rolePrivileges.( module ).( role ).( privilege ) = enabled) == 1 )

                        // My customization ------------
                        if ( privilege == "add" )

                            aNewPerms = Assoc.CreateAssoc()

                            aNewPerms.See = true
                            aNewPerms.SeeContent = true
                            aNewPerms.Create = true

                            Assoc permUpdateAssoc = Assoc.CreateAssoc()

                            permUpdateAssoc.Type = $LLIApi.UpdateRightReplace
                            permUpdateAssoc.PermType = DAPI.PERMTYPE_USER
                            permUpdateAssoc.RightId = request.node.pId
                            permUpdateAssoc.Permissions = $LLIAPI.NodeUtil.PermAssocToMask( aNewPerms )

                            rolePermissionsList = List.SetAdd(rolePermissionsList, permUpdateAssoc)
                        end

                        if ( privilege == "addnotes" )

                            aNewPerms = Assoc.CreateAssoc()

                            aNewPerms.See = true
                            aNewPerms.SeeContent = true
                            aNewPerms.Create = true

                            Assoc permUpdateAssoc = Assoc.CreateAssoc()

                            permUpdateAssoc.Type = $LLIApi.UpdateRightReplace
                            permUpdateAssoc.PermType = DAPI.PERMTYPE_USER
                            permUpdateAssoc.RightId = request.node.pId
                            permUpdateAssoc.Permissions = $LLIAPI.NodeUtil.PermAssocToMask( aNewPerms )

                            rolePermissionsList = List.SetAdd(rolePermissionsList, permUpdateAssoc)
                        end

                        if ( privilege == "edit" )

                            aNewPerms = Assoc.CreateAssoc()

                            aNewPerms.See = true
                            aNewPerms.SeeContent = true
                            aNewPerms.Modify = true
                            aNewPerms.EditAttr = true

                            Assoc permUpdateAssoc = Assoc.CreateAssoc()

                            permUpdateAssoc.Type = $LLIApi.UpdateRightReplace
                            permUpdateAssoc.PermType = DAPI.PERMTYPE_USER
                            permUpdateAssoc.RightId = request.node.pId
                            permUpdateAssoc.Permissions = $LLIAPI.NodeUtil.PermAssocToMask( aNewPerms )

                            rolePermissionsList=List.SetAdd(rolePermissionsList, permUpdateAssoc)
                        end

                        if ( privilege == "delete" )

                            aNewPerms = Assoc.CreateAssoc()

                            aNewPerms.See = true
                            aNewPerms.SeeContent = true
                            aNewPerms.DeleteVer = true
                            aNewPerms.Delete = true

                            Assoc permUpdateAssoc = Assoc.CreateAssoc()

                            permUpdateAssoc.Type = $LLIApi.UpdateRightReplace
                            permUpdateAssoc.PermType = DAPI.PERMTYPE_USER
                            permUpdateAssoc.RightId = request.node.pId
                            permUpdateAssoc.Permissions = $LLIAPI.NodeUtil.PermAssocToMask( aNewPerms )

                            rolePermissionsList = List.SetAdd(rolePermissionsList, permUpdateAssoc)
                        end
                    end
                end
                // My customization---------------------------------------
            end
        end
    end

    // My customization -------------------------

    llnode.NodeRightsUpdate(request.node, rolePermissionsList);

    if (childNodesList != 0)
        for iCount = 1 to 5
            llnode.NodeRightsUpdate(childNodesList[iCount], rolePermissionsList);
        end
    end
    // My customization-----------------------
    changed = Str.CmpI( Str.ValueToString( rolePrivileges ), savedRolePrivileges ) != 0

    if IsUndefined( rtnval.OK )
        rtnval.OK = ok
        rtnval.ErrMsg = errMsg
        rtnval.ApiError = apiError

        rtnval.Changed = changed
        rtnval.RolePrivileges = RolePrivileges
    end

    return rtnval
end

Note that here it is calling the NodeUpdateRights function (this function is a parent function which can be overridden by sub-items or sub-nodes), which I think updates the permissions, so I am also calling this function.

Now everything runs, but I am not able to achieve what I want. The permissions are not updated.

Can you please look at my code and tell me in which part I have a wrong statement, or guide me on what I should do?


Please also explain what is RIGHTID and PERMTYPE???

Cheers
smallredville

 
Sounds like you are doing something similar to the difference between Documents and Projects in terms of permissions; have you looked at how that kind of thing works?

Greg Griffiths
Livelink Certified Developer & ECM Global Star Champion 2005 & 2006
 
Bingo..!! Yes you are right..! I am trying to replicate the Projects roles feature in my forumZone module. But the big difference between these two is: in the Projects Livelink item, the roles defined are actual physical groups which are created automatically when a new Livelink user has been added to the project or project meeting. But in forumZone, the roles are totally logical groups which don't exist as objects, but the Livelink users, which are Livelink objects, can be added to forumZone ROLES. So the point is, how to handle this situation?
 
Hi Greg, I agree with your approach, but my customers don't want that kind of grouping and all. They are rather interested in logical groups and then implementing the permissions. Due to some performance factor they would like to use roles as logical groups and set up the permissions for the node and users accordingly. Any more suggestions as to how to achieve this?

Cheers
SRV
 
Please also explain what is RIGHTID and PERMTYPE

RIGHTID is the ID in KUAF which is represented in dtreeacl.
Foreign key in dtreeacl to id in kuaf.

If 1234 is an id in kuaf, his type=0 and deleted=0.
If 1234 is put on an object's ACL, dtreeacl will have 1234 as rightid.

Same implementation for groups as well as project roles.

PERMTYPE is the DAPI.PERMTYPE_USER constant that is represented for User, Group, PA, or System; it may evaluate to 1, 2, 3, 4. The column is called acltype.

So by looking at dtreeacl the code is able to understand that the line with acltype=1 is the user, who the rightid is (who is the user), and what the permissions are (1677215 has all bits on), so the GUI fills S, SC........EP.

Then it goes into its extremely complex calculation of whether the logged-in ID has the highest of the permissions in any of the groups/other groups, and then we see the ubiquitous function menu come up with all those things we can do.

Do you want any code that converts 1677215 to see if any bits are on? I can't find anything offhand but I can check.

But simply, a node will have acltypes 1 thru 4, no choice there, and then DAPI.PERMTYPE_ACL; those are the ones that we add.

Projects create groups on the fly to handle the coordinator & members; I am not sure if guests are handled by groups or not. Create a simple project, take its dataid and search in kuaf for two new groups; you will see what I am talking about and why a project-driven (unchecked) Livelink tends to run very slow.




Well, if I called the wrong number, why did you answer the phone?
James Thurber, New Yorker cartoon caption, June 5, 1937

Certified OT Developer and probably certifiable, Livelink ECM Champion 2008
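
Added example, not part of the thread and not Livelink code: a small Python model of the ACL rows discussed above (a RightID mapped to a permissions bitmask), showing how bits are tested and combined and that SEE + ADD + DELETE without EDIT is simply a mask with the Modify bits left off. The bit values, the RightID 2001 and the overwrite behaviour of a "replace" update are assumptions of this model, not Livelink's actual constants or API.

```python
from functools import reduce

# Placeholder bit positions for illustration; NOT Livelink's real constants.
PERM = {"See": 1 << 0, "SeeContent": 1 << 1, "Modify": 1 << 2, "EditAttr": 1 << 3,
        "Create": 1 << 4, "DeleteVer": 1 << 5, "Delete": 1 << 6}

# Role privilege -> permission names, copied from the OScript posted in the thread.
PRIVILEGE_PERMS = {
    "add": ("See", "SeeContent", "Create"),
    "edit": ("See", "SeeContent", "Modify", "EditAttr"),
    "delete": ("See", "SeeContent", "DeleteVer", "Delete"),
}

def to_mask(names):
    """OR the named permission bits into one integer mask."""
    return reduce(lambda mask, name: mask | PERM[name], names, 0)

def decode(mask):
    """Names of the permission bits that are set in mask."""
    return sorted(name for name, bit in PERM.items() if mask & bit)

def replace_per_privilege(acl, right_id, privileges):
    """One replace-type update per privilege: in this model each overwrites the last."""
    for privilege in privileges:
        acl[right_id] = to_mask(PRIVILEGE_PERMS[privilege])
    return acl[right_id]

def replace_combined(acl, right_id, privileges):
    """OR every privilege's mask first, then store the result with a single replace."""
    acl[right_id] = reduce(lambda m, p: m | to_mask(PRIVILEGE_PERMS[p]), privileges, 0)
    return acl[right_id]

def effective(acl, user_id, group_ids):
    """Union of the masks on all rows naming the user or one of the user's groups."""
    return reduce(lambda m, rid: m | acl.get(rid, 0), [user_id, *group_ids], 0)

# Constructed rows, RightID -> mask: 2001 is the default group, 1234 is USERA.
acl = {2001: to_mask(("See", "SeeContent"))}
print(decode(effective(acl, 1234, [2001])))            # group rights only
print(decode(replace_per_privilege(acl, 1234, ["add", "delete"])))
print(decode(replace_combined(acl, 1234, ["add", "delete"])))
print(decode(effective(acl, 1234, [2001])))            # user row plus group row
```

In this model, writing one replace per privilege leaves only the last privilege's bits on the user's row, while combining the masks first keeps Create and Delete together with Modify and EditAttr still off.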
 