Alfresco folder permissions

I’m currently working on a project to create Electronic Personal Folders (EPFs) within Alfresco on behalf of our HR partners.

Content will include things like contracts, leave requests, etc.

The brief is to automate the creation of the folders and make sure the permissions for the folder and sub-folders are correctly set.

A manager should be able to see all of their folder plus the folders of their staff, while an employee should be only able to see their folder.

The script processes a CSV that is created from one of our HR systems and calls a custom Alfresco web script. This creates a top-level folder which has the payroll number as the name and the job description/employee name as the title. Underneath this it creates the sub-folders (Pay, Leave, etc.) and applies the relevant permissions to all the folders, e.g. Leave is read/write by the manager but read-only by the employee.

This ‘creation’ script is part one; it will be called to initially create the EPFs for the current employees and thereafter for any new employees.

Part two of the script building will take a CSV of employees (also containing their line manager) and then make sure their EPFs have the correct permissions. This means that if an employee changes role, their old line manager won’t be able to see their documents. It also has the added benefit of resetting any ‘temporary’ access that may have been added to the folder structure, e.g. ‘audit staff’.

One thing I’ve learnt (the hard way) when applying permissions within Alfresco is to make sure the username case is correct. Doh.
Such a simple oversight has caused so many problems.

In this example I’ve removed the inherited permissions so the ‘everyone’ group doesn’t have ‘consumer’ rights to view the folder; this leaves me with a blank canvas of permissions.
I then check to see if the manager has an Active Directory account, because we have connected our Alfresco system to our Active Directory. If they don’t have an AD account then they won’t be viewing the folder.
If they do, then all I have to do is set the permissions with ‘Contribute’ rights, e.g. read+write, and then call the all-important .save() method…

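// Stop inheriting from the parent so the 'everyone' group loses its consumer access
employeeRelationsFolder.setInheritsPermissions(false);
// Only grant access when the manager has an Active Directory account
if (ItManagerFlag) {
    // The username in 'manager' must match the account's case exactly
    employeeRelationsFolder.setPermission("Contributor", manager);
    employeeRelationsFolder.save();
}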
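
The part-two permission reset and the username-case pitfall described above, sketched as an added example (not the author's script or Alfresco's own code). It assumes permission strings in the `ALLOWED;authority;Role` form that a ScriptNode's `permissions` property returns; the usernames, the `GROUP_AUDIT` entry and all function names are constructed for illustration.

```javascript
// Constructed sample data: usernames exactly as the directory stores them.
const directoryUsers = ["JSmith", "adavies", "MPatel"];

// Roles per sub-folder. Leave follows the post (manager read/write,
// employee read-only); further sub-folders would be added here.
const FOLDER_ROLES = {
  Leave: { manager: "Contributor", employee: "Consumer" },
};

// Map a CSV username onto the directory's exact-case spelling,
// or null when the person has no directory account.
function canonicalUser(name, directory) {
  const wanted = name.trim().toLowerCase();
  const hit = directory.find((u) => u.toLowerCase() === wanted);
  return hit === undefined ? null : hit;
}

// Build the ACL a sub-folder should carry for one CSV row.
function desiredAcl(row, folder, directory) {
  const acl = [];
  for (const who of ["employee", "manager"]) {
    const user = canonicalUser(row[who], directory);
    if (user !== null) acl.push(`ALLOWED;${user};${FOLDER_ROLES[folder][who]}`);
  }
  return acl;
}

// Compare case-sensitively: anything not desired is removed, which drops
// the old manager, temporary grants and wrong-case entries alike.
function reconcile(current, desired) {
  return {
    remove: current.filter((p) => !desired.includes(p)),
    add: desired.filter((p) => !current.includes(p)),
  };
}

// Constructed example: the employee moved from JSmith to MPatel, the CSV
// has the wrong case, and an audit group was granted temporary access.
const csvRow = { employee: "ADAVIES", manager: "mpatel" };
const currentAcl = [
  "ALLOWED;adavies;Consumer",
  "ALLOWED;JSmith;Contributor",
  "ALLOWED;GROUP_AUDIT;Consumer",
];
const plan = reconcile(currentAcl, desiredAcl(csvRow, "Leave", directoryUsers));
console.log(plan);
```

Inside a web script, each entry in `remove` would be passed to the node's `removePermission` and each entry in `add` to `setPermission`, so the folder ends up with exactly the access the CSV describes.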

I ran the script and it created 14,700+ top-level employee folders along with the sub-folders, applied the permissions and produced lots of development logging on both sides (script and Alfresco) in around 3 hours; not bad, methinks. This was on a one box head unit, local database (replicated in realtime to external box) and a SAN attached repository.

Part of the project involves creating a custom aspect along with a rule adding the payroll number to each document.
Onward and upward..
