OASIS Mailing List Archives

cmis-comment message



Subject: Re: [cmis-comment] Should "object-only" be implemented in applyACL, and how?


Hi linzhixing,

Thank you for your question on ACL inheritance.

First, please take note of the following:

Now, on ACL inheritance:

Many repositories support ACL inheritance, which is a convenient way to specify access control for many applications. ACL inheritance typically leverages a repository's data model and expands an ACL's sphere of control from one object to another by following a relationship defined between the two objects. Since the data model varies from repository to repository, so does ACL inheritance. CMIS does not define an ACL inheritance model because it does not expect a repository to alter its existing ACL inheritance model to comply. However, CMIS does allow the effect of a repository's ACL inheritance to show through. There is simply no "CMIS ACL inheritance". Through CMIS, a user can only apply an ACL/ACE "directly" to an object. The management of a repository's ACL inheritance can only be done through a non-CMIS interface. If you want to support ACL inheritance for your system, you should not look to CMIS for guidance. There is none. Your requirement should come from your users, not from CMIS. If you do not have a requirement for ACL inheritance, you do not need to implement it to be CMIS compliant.

Yes, an ACE applied in "objectOnly" mode is not inherited by other objects as described in the specification.
If you do not want to support "objectOnly" for the applyACL service, you can disallow the "objectOnly" setting in your applyACL implementation.

Regards,

David Choy


On Mon, Apr 22, 2013 at 1:10 AM, Tomoyuki Hayashi <tomoyuki.hayashi@aegif.jp> wrote:
Hi,

I'm a bit confused with the interpretation of the behavior of CMIS ACL inheritance.

As far as I see, which object an object inherits from and how its permissions are inherited are outside the CMIS spec; it is a repository-specific matter. CMIS only says each ACE is calculated in a "direct / non-direct" way.
  • The applyACL method can take an "object-only" parameter. Does it mean that an ACE which is applied in "object-only" mode is not inherited by other objects even when these objects are in an inheritance relationship, like descendants? If so, I need to hold an inheritance flag on each ACE of an object besides the inheritance relationship between objects. Am I right in this understanding?
  • Both the ACL capabilities and applyACL's parameters have an "object only" / "propagate" value. The CMIS spec says the ACL capability "propagate" includes support for "object only" (2.1.12.3). Does it mean that if I want to permit my repository to propagate ACLs along the inheritance relationship, it is also required to implement "object-only" ACL calculation?
    • If possible, I just want to implement only "propagate" mode plus switching inheritance on / off, without implementing "object-only" mode. For example, suppose that a parent object's ACEs (which include local ACEs and other ACEs inherited from the ancestors) are all inherited by its children; then there is no room for "object-only" mode. ACEs to be inherited are all or nothing. Can I do that in compliance with CMIS? In fact, Alfresco does not support "object-only", only "propagate", and implements the inheritance flag outside CMIS. https://forums.alfresco.com/forum/developer-discussions/alfresco-api/cmis-acl-06212012-0622
    • I found an old description of "object-only" and "propagate" in CMIS Domain Model v0.62c (http://xml.coverpages.org/CMIS-PartI-DomainModel-V062c.pdf). It says that in "object-only" mode the repository is able to "break" the dependency for non-direct ACEs when requested by the client. It may cause a bit of a conflict with my understanding of object inheritance and the ACE "object-only" mode.
  • The applyACL method takes ACE parameters which can hold a "direct" flag. When I add / update an ACE, should I also reflect its direct flag as specified by the input? I suppose the direct flag is just for output, not for input, and it is decided after calculation of the ACL based on inheritance (and maybe the "object-only" flag on each ACE). CMIS seems not to say so clearly…
As I'm developing a CMIS server product from scratch, I do not yet have an existing ACL inheritance implementation that needs to be covered by CMIS, so I want to adjust it to the CMIS spec as much as possible.


Regards,
linzhixing.
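The behaviour the two messages above discuss, as an added example that is not part of this thread, not CMIS specification text, and not the implementation of any real repository (Alfresco included): a toy Python repository with folder-chain inheritance, which is one hypothetical inheritance model among the many CMIS leaves to the repository. In it, applyACL in "propagate" mode stores an ACE that descendants inherit, applyACL in "objectonly" mode stores an ACE that descendants never see, getACL reports inherited ACEs with direct=false (this model treats the direct flag as output only, as the question supposes; the reply does not settle that point), and a repository that chooses not to support "objectonly" rejects it rather than silently treating it as "propagate", as the reply suggests. The per-ACE `inheritable` flag, the `supports_object_only` switch, the object ids, the principals and the `demo()` scenario are all assumptions made for the illustration.

```python
"""Toy model of a repository whose ACL inheritance "shows through" CMIS.

Added example for this thread: not CMIS specification text and not any real
repository's code. It assumes a hypothetical repository in which an object
inherits ACEs from its parent-folder chain. That is one repository-specific
model among many; CMIS itself defines no inheritance.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# The two ACLPropagation values discussed in the thread.
OBJECT_ONLY = "objectonly"
PROPAGATE = "propagate"


@dataclass(frozen=True)
class ACE:
    """An access control entry as returned by getACL.

    In this model `direct` is output-only: True when the ACE was applied to
    the object itself, False when it arrived through the repository's
    inheritance. Values passed in on applyACL are ignored.
    """
    principal: str
    permissions: FrozenSet[str]
    direct: bool = True


@dataclass
class RepoObject:
    object_id: str
    parent_id: Optional[str] = None
    # (principal, permissions, inheritable). `inheritable` is the per-ACE flag
    # this hypothetical repository keeps outside CMIS so that an ACE applied in
    # objectonly mode can be told apart from one applied in propagate mode.
    local_aces: List[Tuple[str, FrozenSet[str], bool]] = field(default_factory=list)


class Repository:
    def __init__(self, supports_object_only: bool = True):
        # A repository that implements only propagate mode sets this to False.
        self.supports_object_only = supports_object_only
        self.objects: Dict[str, RepoObject] = {}

    def create(self, object_id: str, parent_id: Optional[str] = None) -> RepoObject:
        if parent_id is not None and parent_id not in self.objects:
            raise KeyError(f"unknown parent {parent_id}")
        obj = RepoObject(object_id, parent_id)
        self.objects[object_id] = obj
        return obj

    def apply_acl(self, object_id: str, add_aces: List[ACE], propagation: str) -> None:
        """applyACL: through CMIS an ACE is only ever applied *directly* to one object.

        `propagation` is "objectonly" or "propagate". A repository that does not
        support objectonly rejects it instead of quietly applying propagate.
        """
        if propagation not in (OBJECT_ONLY, PROPAGATE):
            raise ValueError(f"unsupported ACLPropagation: {propagation}")
        if propagation == OBJECT_ONLY and not self.supports_object_only:
            raise ValueError("this repository does not support objectonly")
        obj = self.objects[object_id]
        inheritable = propagation == PROPAGATE
        for ace in add_aces:
            obj.local_aces.append((ace.principal, ace.permissions, inheritable))

    def get_acl(self, object_id: str) -> List[ACE]:
        """getACL: local ACEs (direct) followed by inherited ACEs (non-direct)."""
        obj = self.objects[object_id]
        acl = [ACE(p, perms, direct=True) for p, perms, _ in obj.local_aces]
        ancestor_id = obj.parent_id
        while ancestor_id is not None:
            ancestor = self.objects[ancestor_id]
            for principal, perms, inheritable in ancestor.local_aces:
                if inheritable:  # an objectonly ACE stops at its object and never inherits
                    acl.append(ACE(principal, perms, direct=False))
            ancestor_id = ancestor.parent_id
        return acl

    def allowed(self, object_id: str, principal: str, permission: str) -> bool:
        return any(ace.principal == principal and permission in ace.permissions
                   for ace in self.get_acl(object_id))


def demo() -> Repository:
    """Constructed scenario: a root folder carrying one ACE of each kind."""
    repo = Repository()
    repo.create("root")
    repo.create("projects", parent_id="root")
    repo.create("doc1", parent_id="projects")
    repo.apply_acl("root", [ACE("staff", frozenset({"cmis:read"}))], PROPAGATE)
    repo.apply_acl("root", [ACE("auditor", frozenset({"cmis:all"}))], OBJECT_ONLY)
    repo.apply_acl("projects", [ACE("pm", frozenset({"cmis:write"}))], PROPAGATE)
    return repo


if __name__ == "__main__":
    r = demo()
    for oid in ("root", "projects", "doc1"):
        print(oid, [(a.principal, sorted(a.permissions), a.direct) for a in r.get_acl(oid)])
```

Running the module prints the effective ACL of each object: "root" lists both of its ACEs as direct, while "doc1" sees "staff" and "pm" as non-direct inherited entries and never sees "auditor". Constructing `Repository(supports_object_only=False)` gives the propagate-only server the question asks about; its applyACL refuses "objectonly" outright, which is the disallowing the reply describes.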



