I'm trying to determine how object level ACLs work.

For example, I have made sure that no roles contain the attach/remove tagging permissions. I've confirmed that this works by checking the tag menu from a document with a non-admin user and seeing that there is no option to add/remove tags.

Then I add an ACL to an individual tag and add the Attach/Remove Tag permissions. What does this mean exactly? It seems like these permissions don't do anything, as after adding them to a role that my user has, the user still cannot add or remove those tags. What I would like for it to do is give me a way to restrict individual tags to specific roles.

Likewise on workflows, if I remove the "transition" permission from all users and then add the "transition" permission to an ACL for specific transitions, what does that exactly mean?

I suspect that the object ACLs in this case pertain only to that object itself, e.g. I could create a tag that only specific roles can edit or delete, but as long as a user has the "attach" or "remove" tags permission for a document then they are able to attach and remove ANY tag.

Maybe this is an XY problem and there is an easier way to do what I'm after. My goal is to ultimately have a "Submitter" group and a "Reviewer" group. Submitters should be allowed to create a document and then at a later date run the "submit" transition on a workflow. The workflow then goes to a "Review" state with two possible transitions "Approve" or "Reject". These transitions should be accessible to only users of the Reviewer group to prevent a user from approving their own documents. Maybe the answer is to have state actions that trigger on entry to add and remove the transition permission?

I was also hoping to have an "Approved" and "Draft" and "Review" tag. When the document enters the corresponding state it adds the tag and removes the old tag. But this breaks if the user can just freely add the "Approved" tag whenever they want.

Thanks for any help!
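The following is an added toy model of the Submitter/Reviewer policy the post asks for. It is constructed for illustration and is not the document system's own ACL or workflow code; how that product actually combines role permissions with object ACLs is exactly what the post is asking, so the semantics below (a permission is granted if the user's role has it globally OR an object ACL grants it to one of the user's roles; attaching a tag needs permission on both the tag and the document; "approve"/"reject" additionally refuse the document's creator; state tags are set by the workflow rather than by a user tag action) are assumptions, as are all the permission names, roles, users and document IDs.

```python
"""Constructed model of a Submitter/Reviewer workflow with object-level ACLs.

Not the document system's code. Permission names ("workflow_transition",
"tag_attach", "document_tag_attach"), roles and users are assumed here.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: frozenset


@dataclass
class Document:
    doc_id: str
    creator: str
    state: str = "Draft"
    tags: set = field(default_factory=lambda: {"Draft"})


@dataclass
class Policy:
    # role -> permissions that apply to every object (role-level grants)
    global_perms: dict
    # (object kind, object id) -> {role: permissions} (object-level ACLs)
    object_acls: dict

    def has_perm(self, user, perm, kind, obj_id):
        """Assumed semantics: global role grant OR object ACL grant suffices."""
        for role in user.roles:
            if perm in self.global_perms.get(role, set()):
                return True
            if perm in self.object_acls.get((kind, obj_id), {}).get(role, set()):
                return True
        return False


# state -> {transition: (target state, permission required on the transition)}
WORKFLOW = {
    "Draft": {"submit": ("Review", "workflow_transition")},
    "Review": {"approve": ("Approved", "workflow_transition"),
               "reject": ("Draft", "workflow_transition")},
}
# Separation of duties: a creator never runs these on their own document.
SOD_TRANSITIONS = {"approve", "reject"}


def run_transition(policy, user, doc, transition):
    """Apply a transition if allowed; return True on success, False otherwise."""
    if transition not in WORKFLOW.get(doc.state, {}):
        return False  # not valid from the current state
    target, perm = WORKFLOW[doc.state][transition]
    # Permission is checked on the transition object, so an ACL on "approve"
    # can grant it to Reviewers alone while Submitters keep "submit".
    if not policy.has_perm(user, perm, "transition", transition):
        return False
    if transition in SOD_TRANSITIONS and doc.creator == user.name:
        return False
    # State tags are swapped by the workflow itself, not via user tag-attach.
    doc.tags.discard(doc.state)
    doc.tags.add(target)
    doc.state = target
    return True


def attach_tag(policy, user, doc, tag):
    """User-initiated tagging needs attach permission on BOTH the tag and the document."""
    ok = (policy.has_perm(user, "tag_attach", "tag", tag)
          and policy.has_perm(user, "document_tag_attach", "document", doc.doc_id))
    if ok:
        doc.tags.add(tag)
    return ok


def demo():
    """Run the scenario from the post and return the observed decisions."""
    policy = Policy(
        global_perms={"Submitter": {"document_create", "document_tag_attach"},
                      "Reviewer": {"document_tag_attach"}},
        object_acls={
            ("transition", "submit"): {"Submitter": {"workflow_transition"}},
            ("transition", "approve"): {"Reviewer": {"workflow_transition"}},
            ("transition", "reject"): {"Reviewer": {"workflow_transition"}},
            ("tag", "Misc"): {"Submitter": {"tag_attach"}},  # the only user-attachable tag
        },
    )
    alice = User("alice", frozenset({"Submitter"}))
    bob = User("bob", frozenset({"Reviewer"}))
    carol = User("carol", frozenset({"Submitter", "Reviewer"}))
    d1 = Document("D1", creator="alice")
    d2 = Document("D2", creator="carol")
    out = {}
    out["alice_attach_Approved"] = attach_tag(policy, alice, d1, "Approved")  # no ACL on that tag
    out["alice_attach_Misc"] = attach_tag(policy, alice, d1, "Misc")
    out["alice_approve_draft"] = run_transition(policy, alice, d1, "approve")  # wrong state
    out["alice_submit"] = run_transition(policy, alice, d1, "submit")
    out["alice_approve_own"] = run_transition(policy, alice, d1, "approve")    # no permission
    out["bob_approve"] = run_transition(policy, bob, d1, "approve")
    out["d1_state"], out["d1_tags"] = d1.state, sorted(d1.tags)
    out["carol_submit"] = run_transition(policy, carol, d2, "submit")
    out["carol_approve_own"] = run_transition(policy, carol, d2, "approve")    # SoD blocks creator
    out["bob_reject_d2"] = run_transition(policy, bob, d2, "reject")
    out["d2_state"] = d2.state
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the model is the two places where the post's design would otherwise leak: tagging is gated per tag, so nobody can hand-attach "Approved" unless an ACL on that tag says so, and the approve/reject guard checks the document's creator rather than relying on group membership alone, which matters for a user like carol who sits in both groups.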
