Metadata Security element
The Security element restricts access to individual form elements (metadata fields).
There's a configuration parameter named "property.group.element.default.access" that, when it is set to true, shows all the metadata fields to users; when it is set to false, none of the metadata fields are shown.
Sample scenarios:
- When property.group.element.default.access is enabled, all the metadata fields are shown by default. In this scenario, it makes sense to use revokeUser and revokeRole.
- When property.group.element.default.access is disabled, none of the metadata fields are shown by default. In this scenario, it makes sense to use grantUser and grantRole.
For more information about this parameter, go to Administration > Configuration parameters.
Remember that members of the administrator role (usually ROLE_ADMIN) are not affected by these kinds of restrictions.
The Security element can only be used in combination with the following fields:
- Metadata Checkbox field
- Metadata Input field
- Metadata Select field
- Metadata Suggestbox field
- Metadata TextArea field
Available child security elements:
Name | Description |
---|---|
grantUser | Sets access for a user. |
grantRole | Sets access for members of a role. |
revokeUser | Revokes access for a user. |
revokeRole | Revokes access for members of a role. |
Basic grant example
- Grant access to a field to a specific user: only the user testUser is able to access the metadata field named okp:consulting.input1. The defaultAccess property is set to revoke, so no other regular user will be able to see this property.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE property-groups PUBLIC "-//OpenKM//DTD Property Groups 3.10//EN"
                                 "http://www.openkm.com/dtd/property-groups-3.10.dtd">
<property-groups>
  <property-group label="Consulting" name="okg:consulting">
    <input label="Input label" name="okp:consulting.input1" defaultAccess="revoke">
      <grantUser name="testUser"/>
    </input>
    <separator label="Separator label" name="okp:consulting.separator" />
    <input label="Input label" name="okp:consulting.input2" />
  </property-group>
</property-groups>
Administrators (users with the ROLE_ADMIN role) will always see all fields.
Basic revoke example
The revoke action has priority over the grant action.
- Revoke access to a field for a specific user: the user testUser does not have access to the metadata field named okp:consulting.input1, while other users who have access to the metadata group still have access to it. The defaultAccess property is not present, so the default policy ("grant") is used, which means that all users will be able to see the property unless there is a child revokeUser tag to exclude users.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE property-groups PUBLIC "-//OpenKM//DTD Property Groups 3.10//EN"
                                 "http://www.openkm.com/dtd/property-groups-3.10.dtd">
<property-groups>
  <property-group label="Consulting" name="okg:consulting">
    <input label="Input label" name="okp:consulting.input1">
      <revokeUser name="testUser"/>
    </input>
    <separator label="Separator label" name="okp:consulting.separator" />
    <input label="Input label" name="okp:consulting.input2" />
  </property-group>
</property-groups>
Administrators (users with the ROLE_ADMIN role) will always see all fields.
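To review a property-group definition before deploying it, the rules on this page (administrator bypass, revoke before grant, then defaultAccess) can be modelled in a short script. This is an added example, not OpenKM code: it assumes that a field without defaultAccess falls back to property.group.element.default.access (passed as global_default), and the role ROLE_AUDIT, the user auditor2 and the field okp:consulting.input3 are made up for the sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's two examples merged, plus a hypothetical
# role (ROLE_AUDIT) and user (auditor2) to show revoke beating grant.
SAMPLE = """<property-groups>
  <property-group label="Consulting" name="okg:consulting">
    <input label="Input label" name="okp:consulting.input1" defaultAccess="revoke">
      <grantUser name="testUser"/>
      <grantRole name="ROLE_AUDIT"/>
      <revokeUser name="auditor2"/>
    </input>
    <separator label="Separator label" name="okp:consulting.separator"/>
    <input label="Input label" name="okp:consulting.input2">
      <revokeUser name="testUser"/>
    </input>
    <input label="Input label" name="okp:consulting.input3"/>
  </property-group>
</property-groups>"""

ADMIN_ROLE = "ROLE_ADMIN"
# Tag names assumed for the five field types that accept security children.
FIELD_TAGS = {"checkbox", "input", "select", "suggestbox", "textarea"}

def can_see(field, user, roles, global_default=True):
    """Decide visibility of one field element for a user and their roles."""
    roles = set(roles)
    if ADMIN_ROLE in roles:                      # administrators see everything
        return True
    names = lambda tag: {e.get("name") for e in field.findall(tag)}
    if user in names("revokeUser") or roles & names("revokeRole"):
        return False                             # revoke has priority over grant
    if user in names("grantUser") or roles & names("grantRole"):
        return True
    default = field.get("defaultAccess")
    if default is None:                          # assumption: fall back to the
        return global_default                    # global configuration parameter
    return default == "grant"

def visible_fields(xml_text, user, roles, global_default=True):
    """Map each metadata field name to True/False for the given user."""
    root = ET.fromstring(xml_text)
    return {f.get("name"): can_see(f, user, roles, global_default)
            for group in root.iter("property-group")
            for f in group if f.tag in FIELD_TAGS}

if __name__ == "__main__":
    for who, roles in [("testUser", {"ROLE_USER"}), ("auditor2", {"ROLE_AUDIT"})]:
        print(who, visible_fields(SAMPLE, who, roles))
```

Running it with global_default=False shows which fields would disappear for regular users if the configuration parameter were disabled.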