Metadata Security element

The goal of the Security element is to set security for each form element.

There's a configuration parameter named "property.group.element.default.access" which, when set to true, shows all the metadata fields to users; when false, none of the metadata fields are shown.

Sample scenarios:

  • When property.group.element.default.access is enabled, all the metadata fields are shown by default. In this scenario it makes sense to use revokeUser and revokeRole.
  • When property.group.element.default.access is disabled, none of the metadata fields are shown by default. In this scenario it makes sense to use grantUser and grantRole.

For more information about this parameter, go to Administration > Configuration parameters.

Remember that members of the administrator role (usually ROLE_ADMIN) are not affected by these kinds of restrictions.

The Security element can only be used in combination with other fields:

Available child security elements:

Name         Description
grantUser    Set access for a user.
grantRole    Set access for members of the role.
revokeUser   Revoke access for a user.
revokeRole   Revoke access for members of the role.

Basic grant example

  • Grant access to a field to a specific user: only testUser is able to access the metadata field named okp:consulting.input1. The defaultAccess property is set to revoke, so no regular user will be able to see this property.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE property-groups PUBLIC "-//OpenKM//DTD Property Groups 3.10//EN"
                                 "http://www.openkm.com/dtd/property-groups-3.10.dtd">
<property-groups>
  <property-group label="Consulting" name="okg:consulting">
    <input label="Input label" name="okp:consulting.input1" defaultAccess="revoke">
        <grantUser name="testUser"/>
    </input>
    <separator label="Separator label" name="okp:consulting.separator" /> 
    <input label="Input label" name="okp:consulting.input2" />
  </property-group>
</property-groups>

Administrators (users with the ROLE_ADMIN role) will always see all fields.

Basic revoke example

The revoke action has priority over the grant action.

  • Revoke access to a field for a specific user: the user testUser does not have access to the metadata field named okp:consulting.input1, while the other users who have access to the metadata group still have access to it. The defaultAccess property is not present, so the default policy ("grant") is used. That means that all users will be able to see the property unless there is a child revokeUser tag to exclude users.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE property-groups PUBLIC "-//OpenKM//DTD Property Groups 3.10//EN"
                                 "http://www.openkm.com/dtd/property-groups-3.10.dtd">
<property-groups>
  <property-group label="Consulting" name="okg:consulting">
    <input label="Input label" name="okp:consulting.input1">
        <revokeUser name="testUser"/>
    </input>
    <separator label="Separator label" name="okp:consulting.separator" /> 
    <input label="Input label" name="okp:consulting.input2" />
  </property-group>
</property-groups>

Administrators (users with the ROLE_ADMIN role) will always see all fields.
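
To audit who can see which field before deploying a definition, the rules described above can be applied to the XML offline. This is an added example, not OpenKM code: it evaluates administrator bypass, revoke-over-grant priority, the per-field defaultAccess attribute and the global property.group.element.default.access parameter as this page describes them. Assumptions: grantRole takes a name attribute like grantUser does, the global parameter is the fallback when defaultAccess is absent, and ROLE_CONSULTANT, ROLE_USER, alice, bob and root are hypothetical names.

```python
import xml.etree.ElementTree as ET

ADMIN_ROLE = "ROLE_ADMIN"  # administrator role named on the page

# Constructed sample: the page's two examples merged, plus a hypothetical
# ROLE_CONSULTANT grant that overlaps with a revoke for testUser.
SAMPLE = b"""<property-groups>
  <property-group label="Consulting" name="okg:consulting">
    <input label="Input label" name="okp:consulting.input1" defaultAccess="revoke">
      <grantRole name="ROLE_CONSULTANT"/>
      <revokeUser name="testUser"/>
    </input>
    <input label="Input label" name="okp:consulting.input2"/>
  </property-group>
</property-groups>"""


def names(field, tag):
    """Collect the name attribute of every <tag> child of a field."""
    return {child.get("name") for child in field.findall(tag)}


def can_see(field, user, roles, global_default=True):
    """Apply the page's rules to one field element for one user."""
    roles = set(roles)
    if ADMIN_ROLE in roles:                       # admins bypass restrictions
        return True
    if user in names(field, "revokeUser") or roles & names(field, "revokeRole"):
        return False                              # revoke beats grant
    if user in names(field, "grantUser") or roles & names(field, "grantRole"):
        return True
    # No explicit rule: per-field defaultAccess, else the global parameter
    # (assumed fallback order, see the lead-in).
    default = field.get("defaultAccess")
    if default is None:
        return global_default
    return default == "grant"


def visible_fields(xml_bytes, user, roles, global_default=True):
    """Return the names of the fields in the definition that the user can see."""
    root = ET.fromstring(xml_bytes)
    return [f.get("name")
            for group in root.findall("property-group")
            for f in group
            if can_see(f, user, roles, global_default)]


if __name__ == "__main__":
    for who, roles in [("testUser", ["ROLE_CONSULTANT"]), ("alice", ["ROLE_CONSULTANT"]),
                       ("bob", ["ROLE_USER"]), ("root", [ADMIN_ROLE])]:
        print(who, visible_fields(SAMPLE, who, roles))
```

Running it against a definition with both global_default values shows which fields change visibility if the configuration parameter is switched.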