CMIS ACL concept for DMS/CMS in Cloud Foundry
In this blog post, I would like to share how Access Control Lists are used to control access to documents and folders, as described in the CMIS standard.
Background:
There are already services available for documents and attachments in S/4 HANA, and a document management service in the SAP Cloud Platform environment (Business Technology Platform). The older service (document service) on the SAP Cloud Neo platform may be retiring soon, and the DMS service in Cloud Foundry is its successor.
Anyone who wants to integrate the document management and repository option into their Fiori application using the Reuse UI can follow the link below.
A few blogs also cover the same topic —
Anyone who wants to integrate this app into a CAP application can use the link below —
https://blogs.sap.com/2020/10/23/integrating-sap-document-management-in-cap-application/
Git repo — for anyone who wants to use it directly —
https://github.com/mahesh0431/CommunityDMAdmin
This Blog Post:
In this blog post I will try to cover the ACL part of DMS, using a reuse UI5 component from the document management service.
There can be two scenarios: first, this app could be used as an Admin app with the Admin UI mentioned in the post above; second, this app could be integrated into any portal service (now the Launchpad service in CF) so that users see the relevant documents and folders.
This can be achieved by implementing ACLs on users and user groups using role collections.
The ACL view is available in the Properties view of each document and folder. It shows all the ACLs present in the underlying CMIS repository.
Document Management Service supports different ACLs, which are listed at the link below —
There are two ways to implement this functionality —
1.) Manually using UI Admin app.
2.) Using APIs.
Manually
Below is what the DMS UI app looks like —
To implement this manually in the Admin UI, the first, mandatory step is to set the property showACLView : true in componentUsages of manifest.json as below —
This enables the Access control tab in the Admin app, which can be viewed by clicking the i icon in front of each folder —
Access control tab —
For a repository, the initial settings for the root folder are:
- The ACL contains one ACE for the {sap:builtin}everyone principal with the cmis:all permission. With these settings, all principals have full control over the root folder.
- Without specific ACL settings, all documents and folders possess an ACL with one ACE for the built-in principal {sap:builtin}everyone with the cmis:all permission that grants all users unrestricted access.
These are the permissions which can be given to any principal —
Details of these permissions can be seen at the link below —
These permissions are assigned to a principal. A principal is simply a user or a group of users, which can be created using role collections assigned to the ACL.
Role collections are sets of authorizations that are suitable for distinct user groups. You want to assign these role collections to your documents and folders.
Procedure to assign —
Once these are in place, folders and documents will be visible only according to the permissions given to the group of users.
Anyone who wants to create a role collection can follow the link below —
For assigning the users or user groups to role collection —
https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/c5766765bda74ad59fe656977c8fa4d6.html
Note: The origin key tells you in which identity provider the user is stored. You can find it in
For the second way, using the API, the link below is useful —
http://docs.oasis-open.org/cmis/CMIS/v1.1/errata01/os/CMIS-v1.1-errata01-os-complete.html#x1-3670001
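The block below is an added example, not code from this post or from SAP. It takes an object's ACL in CMIS 1.1 browser-binding JSON and builds the applyACL form fields that remove the default {sap:builtin}everyone / cmis:all ACE and add ACEs for named principals. The principal names DMS_Admins and DMS_Readers, the object id placeholder, and the guard that one grant must keep cmis:all are assumptions made for this example; sending the form to the repository with an access token is left out.

```javascript
// Added example: CMIS 1.1 browser-binding applyACL form builder (not SAP code).
const EVERYONE = "{sap:builtin}everyone"; // built-in principal named in the post

// ACEs in a browser-binding ACL object that give every principal cmis:all.
function openAces(acl) {
  return (acl.aces || []).filter(
    (ace) => ace.principal.principalId === EVERYONE && ace.permissions.includes("cmis:all")
  );
}

// Form fields that remove the open ACEs and add the given grants.
function lockDownForm(objectId, acl, grants, propagation = "repositorydetermined") {
  // Guard chosen for this example: never leave the object without a full-control principal.
  if (!grants.some((g) => g.permissions.includes("cmis:all"))) {
    throw new Error("at least one grant must keep cmis:all");
  }
  const form = new URLSearchParams({ cmisaction: "applyACL", objectId, ACLPropagation: propagation });
  const put = (prefix, aces) =>
    aces.forEach((ace, i) => {
      form.append(`${prefix}Principal[${i}]`, ace.principalId);
      ace.permissions.forEach((p, j) => form.append(`${prefix}Permission[${i}][${j}]`, p));
    });
  put("addACE", grants);
  const open = openAces(acl).map((a) => ({ principalId: a.principal.principalId, permissions: a.permissions }));
  put("removeACE", open);
  return form;
}

// Constructed sample: the default ACL described in the post.
const sampleAcl = {
  aces: [{ principal: { principalId: EVERYONE }, permissions: ["cmis:all"], isDirect: true }],
  isExact: true,
};
// Hypothetical principals standing in for role collections.
const sampleGrants = [
  { principalId: "DMS_Admins", permissions: ["cmis:all"] },
  { principalId: "DMS_Readers", permissions: ["cmis:read"] },
];
for (const [k, v] of lockDownForm("OBJECT_ID_PLACEHOLDER", sampleAcl, sampleGrants)) console.log(k, "=", v);
```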
Let me know your thoughts about the post.
Regards,
Abhijeet Kankani
Awesome Abhijeet Kankani, thanks for sharing, will try this out soon.
Hello Sir,
I want to make one of the folders public, restriction-less when fetching from the REST API, that is, getting the document with auth token? Is that possible? Can you let us know?