Metadata Security element

The goal of the Security element is to set security for each form element.

There is a configuration parameter named "property.group.element.default.access": when it is set to true, all the metadata fields are shown to the users; when false, none of the metadata fields are shown.

Sample scenarios:

  • When property.group.element.default.access is enabled, all the metadata fields are shown by default. In this scenario it makes sense to use revokeUser and revokeRole.
  • When property.group.element.default.access is disabled, none of the metadata fields are shown by default. In this scenario it makes sense to use grantUser and grantRole.

For more information about this parameter, go to Administration > Configuration parameters.

Remember that members of the administrator role (usually ROLE_ADMIN) are not affected by this kind of restriction.

The Security element can only be used in combination with other fields:

Available child security elements:

Name          Description
grantUser     Set access to a user.
grantRole     Set access to the members of the role.
revokeUser    Revoke access to a user.
revokeRole    Revoke access to the members of the role.

Basic grant example

  • Grant access to a field to a specific user: only the user testUser is able to access the metadata field named okp:consulting.input1. The defaultAccess property is set to revoke, so no regular user will be able to see this property.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE property-groups PUBLIC "-//OpenKM//DTD Property Groups 3.10//EN"
                                 "http://www.openkm.com/dtd/property-groups-3.10.dtd">
<property-groups>
  <property-group label="Consulting" name="okg:consulting">
    <input label="Input label" name="okp:consulting.input1" defaultAccess="revoke">
        <grantUser name="testUser"/>
    </input>
    <separator label="Separator label" name="okp:consulting.separator" /> 
    <input label="Input label" name="okp:consulting.input2" />
  </property-group>
</property-groups>

Administrators (users with the ROLE_ADMIN role) will always see all fields.

Basic revoke example

The revoke action has priority over the grant action.

  • Revoke access to a field for a specific user: the user testUser does not have access to the metadata field named okp:consulting.input1; the other users who have access to the metadata group still have access to it. The defaultAccess property is not present, so the default policy, "grant", applies: all users will be able to see the property unless a child revokeUser tag excludes them.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE property-groups PUBLIC "-//OpenKM//DTD Property Groups 3.10//EN"
                                 "http://www.openkm.com/dtd/property-groups-3.10.dtd">
<property-groups>
  <property-group label="Consulting" name="okg:consulting">
    <input label="Input label" name="okp:consulting.input1">
        <revokeUser name="testUser"/>
    </input>
    <separator label="Separator label" name="okp:consulting.separator" /> 
    <input label="Input label" name="okp:consulting.input2" />
  </property-group>
</property-groups>

Administrators (users with the ROLE_ADMIN role) will always see all fields.
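
To review a property-groups definition before deploying it, the rules above (administrator bypass, revoke priority over grant, per-field defaultAccess, global default) can be modelled in a small script that reports which fields a given user would see. This is an added example, not OpenKM code: the role names ROLE_CONSULTING and ROLE_GUEST and the sample XML are constructed, grantRole and revokeRole are assumed to take the same name attribute as grantUser and revokeUser, and a field without defaultAccess is assumed to fall back to property.group.element.default.access.

```python
import xml.etree.ElementTree as ET

ADMIN_ROLE = "ROLE_ADMIN"  # the page says this is usually the administrator role

# Constructed sample: a grantRole and a revokeUser on the same field.
SAMPLE = b"""<property-groups>
  <property-group label="Consulting" name="okg:consulting">
    <input label="Input label" name="okp:consulting.input1" defaultAccess="revoke">
      <grantRole name="ROLE_CONSULTING"/>
      <revokeUser name="testUser"/>
    </input>
    <input label="Input label" name="okp:consulting.input2">
      <revokeRole name="ROLE_GUEST"/>
    </input>
    <input label="Input label" name="okp:consulting.input3"/>
  </property-group>
</property-groups>"""

def _matches(field, user_tag, role_tag, user, roles):
    """True if the user or one of their roles is named by a child element."""
    users = {e.get("name") for e in field.findall(user_tag)}
    role_names = {e.get("name") for e in field.findall(role_tag)}
    return user in users or bool(role_names & roles)

def can_see(field, user, roles, global_default=True):
    """Model of the page's rules for a single field element."""
    if ADMIN_ROLE in roles:
        return True   # administrators are not affected by restrictions
    if _matches(field, "revokeUser", "revokeRole", user, roles):
        return False  # revoke has priority over grant
    if _matches(field, "grantUser", "grantRole", user, roles):
        return True
    # Assumption: no defaultAccess attribute means the global parameter decides.
    default = field.get("defaultAccess")
    return global_default if default is None else default == "grant"

def visible_fields(xml_bytes, user, roles, global_default=True):
    """Map each named field to True/False for the given user and roles."""
    result = {}
    for group in ET.fromstring(xml_bytes).iter("property-group"):
        for field in group:
            if field.get("name"):
                result[field.get("name")] = can_see(
                    field, user, set(roles), global_default)
    return result

if __name__ == "__main__":
    for who, roles in [("testUser", ["ROLE_CONSULTING"]), ("bob", ["ROLE_GUEST"])]:
        print(who, visible_fields(SAMPLE, who, roles))
```

Running it for testUser shows okp:consulting.input1 hidden even though ROLE_CONSULTING is granted, which is the revoke-over-grant behaviour described above.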