Abhijeet Kankani

CMIS ACL concept for DMS/CMS in Cloud Foundry

In this blog post, I would like to share how Access Control Lists (ACLs) are used to control access to documents and folders, as described in the CMIS standard.


Background:


There are already services available for document and attachment handling in S/4HANA, and a Document Management Service in the SAP Cloud Platform environment (now SAP Business Technology Platform). The older Document Service on the SAP Cloud Platform Neo environment may be retiring soon, and the DMS service on Cloud Foundry is its successor.

If anyone wants to integrate the document management and repository option into a Fiori application using the Reuse UI, follow this link:

https://help.sap.com/viewer/f6e70dd4bffa4b65965b43feed4c9429/Cloud/en-US/2c99a03a2b7e42d5be44a7ef07c5f917.html

A few blog posts also cover the same topic:

https://blogs.sap.com/2020/10/22/integrating-sap-cp-document-management-service-ui-in-the-fiori-app/comment-page-1/

https://blogs.sap.com/2021/04/08/consumption-of-reuse-ui-from-sap-document-management-service-in-sap-fiori-application/comment-page-1/

If anyone wants to integrate this app into a CAP application, the link is below:

https://blogs.sap.com/2020/10/23/integrating-sap-document-management-in-cap-application/

Git repo, if anyone wants to use it directly:

https://github.com/mahesh0431/CommunityDMAdmin

This Blog Post:

In this blog post I will cover the ACL part of DMS, which uses the reuse UI5 component from the Document Management Service.

There are two scenarios: first, this app can be used as an admin app with the Admin UI mentioned in the post above; second, this app can be integrated into any portal service (now the Launchpad service in CF), so that users see only the documents and folders relevant to them.

This is achieved by implementing the ACL on users and user groups using role collections.

The ACL view is available in the Properties view at each document and folder level. It shows all the ACLs present in the underlying CMIS repository.

The ACL permissions supported by the Document Management Service are listed at the link below:

https://help.sap.com/viewer/f6e70dd4bffa4b65965b43feed4c9429/Cloud/en-US/01fb63bce6354c8d94ce27effae4341d.html

There are two ways to implement this functionality:

1.) Manually, using the UI Admin app.

2.) Using the APIs.

Manually

Below is what the DMS UI app looks like:

To implement this manually in the UI Admin app, the first and mandatory step is to set the property showACLView : true in componentUsages of the manifest.json, as below:
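As an added example (not a fragment from the original post or from SAP's documentation), this is the shape of the manifest.json entry the step refers to. The usage name dmsReuse and the component name value are placeholders; take the real reuse component name from the DMS Reuse UI documentation linked above, and confirm in that documentation that showACLView belongs under settings for your version.

```json
{
  "sap.ui5": {
    "componentUsages": {
      "dmsReuse": {
        "name": "<reuse component name from the DMS Reuse UI documentation>",
        "settings": {
          "showACLView": true
        }
      }
    }
  }
}
```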

This enables the Access Control tab in the Admin app, which can be viewed by clicking the i icon in front of each folder:

Access Control tab:

For a repository, the initial settings for the root folder are:

  • The ACL contains one ACE for the {sap:builtin}everyone principal with the cmis:all permission. With these settings, all principals have full control over the root folder.
  • Without specific ACL settings, all documents and folders possess an ACL with one ACE for the built-in principal {sap:builtin}everyone with the cmis:all permission that grants all users unrestricted access.

These are the permissions that can be given to any principal:

Details of these permissions can be seen at the link below:

https://help.sap.com/viewer/f6e70dd4bffa4b65965b43feed4c9429/Cloud/en-US/01fb63bce6354c8d94ce27effae4341d.html

These permissions are assigned to a principal. A principal is nothing but a user or a group of users; a group is created as a role collection and then assigned in the ACL.

Role collections are sets of authorizations suitable for distinct user groups. You assign these role collections to your documents and folders.

Procedure to assign:

  1. Open an internal repository and choose the i icon, then Access Control, then Edit.
  2. Enter the principals to add a role collection in the following format and choose Add.
    Add the prefix ~GROUP~ before the name of the Role Collection that you configured in the SAP BTP Cockpit.
    Example

    If you’ve created a role collection as HiringManagers and you need to add group principal in the Access Control, then add in the format ~GROUP~HiringManagers.

    Note: The role collection name is case-sensitive and does not support the space character.

  3. In the Permission list, pick the access that you want to provide.
  4. Choose Save.

Once these are in place, folders and documents are visible only according to the permissions given to the group of users.

If anyone wants to create a role collection, follow the link below:

https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/4b20383efab341f181becf0a947a5498.html

For assigning users or user groups to a role collection:

https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/c5766765bda74ad59fe656977c8fa4d6.html

Note: The origin key tells you in which identity provider the user is stored. You can find it under Security, then Trust Configuration.

For the second way, which uses the API, the link below is useful:

http://docs.oasis-open.org/cmis/CMIS/v1.1/errata01/os/CMIS-v1.1-errata01-os-complete.html#x1-3670001
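The manual procedure above and the API alternative can both be modelled locally. The following Python is an added example, not code from this post or from SAP's DMS: it builds the ~GROUP~ principal names, evaluates which permissions a user's role collections yield against a folder ACL starting from the default root ACL the post describes, and assembles the form fields of a CMIS 1.1 Browser Binding applyACL request. The basic permissions cmis:read, cmis:write and cmis:all are from the CMIS standard; the object id, the role collection names and the DMS endpoint URL are constructed or assumed and must be taken from your own repository.

```python
"""Added example (not part of the blog post): model CMIS ACL evaluation for a
DMS folder against a user's role collections, and build the form fields of a
CMIS 1.1 Browser Binding applyACL request."""
import re
from dataclasses import dataclass, field

EVERYONE = "{sap:builtin}everyone"  # built-in principal the post names
GROUP_PREFIX = "~GROUP~"            # prefix the post prescribes for role collections

# CMIS basic permissions (CMIS 1.1): cmis:write implies cmis:read, cmis:all implies both.
PERMISSION_IMPLIES = {
    "cmis:read": {"cmis:read"},
    "cmis:write": {"cmis:read", "cmis:write"},
    "cmis:all": {"cmis:read", "cmis:write", "cmis:all"},
}


def group_principal(role_collection: str) -> str:
    """Principal string for a BTP role collection, e.g. HiringManagers -> ~GROUP~HiringManagers.
    The post notes the name is case-sensitive and may not contain spaces, so reject spaces."""
    if not role_collection or re.search(r"\s", role_collection):
        raise ValueError(f"invalid role collection name: {role_collection!r}")
    return GROUP_PREFIX + role_collection


@dataclass
class Ace:
    principal: str
    permissions: set


@dataclass
class Acl:
    aces: list = field(default_factory=list)


def default_root_acl() -> Acl:
    """Initial repository setting described in the post: everyone has cmis:all."""
    return Acl([Ace(EVERYONE, {"cmis:all"})])


def effective_permissions(acl: Acl, role_collections) -> set:
    """Union of the permissions of every ACE whose principal the user holds.
    Every user holds the everyone principal; group principals come from role collections."""
    held = {EVERYONE} | {GROUP_PREFIX + rc for rc in role_collections}
    perms = set()
    for ace in acl.aces:
        if ace.principal in held:
            for p in ace.permissions:
                perms |= PERMISSION_IMPLIES.get(p, {p})
    return perms


def can_see(acl: Acl, role_collections) -> bool:
    """A folder or document is visible only with at least read permission."""
    return "cmis:read" in effective_permissions(acl, role_collections)


def restrict_to_groups(acl: Acl, grants: dict) -> Acl:
    """The manual edit from the post: drop the everyone ACE and grant per role collection.
    grants maps role collection name -> permission, e.g. {"HiringManagers": "cmis:read"}."""
    aces = [a for a in acl.aces if a.principal != EVERYONE]
    for rc, perm in grants.items():
        aces.append(Ace(group_principal(rc), {perm}))
    return Acl(aces)


def apply_acl_form(object_id: str, add: dict, remove: dict) -> dict:
    """Form fields for the Browser Binding applyACL action (CMIS 1.1 spec):
    addACEPrincipal[i] / addACEPermission[i][j] and removeACEPrincipal[i] / removeACEPermission[i][j].
    object_id and the DMS endpoint URL are assumed; take both from your own repository."""
    form = {"cmisaction": "applyACL", "objectId": object_id}
    for i, (principal, perms) in enumerate(add.items()):
        form[f"addACEPrincipal[{i}]"] = principal
        for j, perm in enumerate(perms):
            form[f"addACEPermission[{i}][{j}]"] = perm
    for i, (principal, perms) in enumerate(remove.items()):
        form[f"removeACEPrincipal[{i}]"] = principal
        for j, perm in enumerate(perms):
            form[f"removeACEPermission[{i}][{j}]"] = perm
    return form


if __name__ == "__main__":
    # Constructed sample: restrict a folder to the HiringManagers role collection.
    root = default_root_acl()
    restricted = restrict_to_groups(root, {"HiringManagers": "cmis:read"})
    print("everyone sees root folder:", can_see(root, []))                            # True
    print("HiringManagers sees restricted:", can_see(restricted, ["HiringManagers"]))  # True
    print("other user sees restricted:", can_see(restricted, ["Auditors"]))           # False
    print(apply_acl_form("<folder object id>",
                         {group_principal("HiringManagers"): ["cmis:read"]},
                         {EVERYONE: ["cmis:all"]}))
```

The evaluation deliberately treats the everyone principal as held by every user, which is why a folder that still carries the default {sap:builtin}everyone ACE stays visible to all; removing that ACE is the step that actually restricts access, and the applyACL form shows the add and remove halves of that change together.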

Let me know your thoughts about the post.

Regards,

Abhijeet Kankani

      2 Comments

      Mahesh Palavalli

      Awesome, Abhijeet Kankani, thanks for sharing; will try this out soon.

      cognizant Basis

      Hello Sir,

      I want to make one of the folders public, restriction-less when fetching from the REST API, that is, getting the document with an auth token. Is that possible? Can you let us know?