I have a use case that requires additional roles (8 in total) based on the assumption that permissions (e.g. Content permissions) can be individually combined to form a new role. The goal is to support very detailed control in a project team (from project owner to client, outsourced consultants etc.) like in the following table:

| | Consumer | Contributor | Collaborator | Manager | Custom Role 1 (extends a Consumer) | Custom Role N (extends a Contributor) |
|---|---|---|---|---|---|---|
| Add comment | no | yes | yes | yes | yes | yes |
| Edit comment | no | yes | yes | yes | yes | yes |
| Some permission | no | yes | yes | yes | no | no |

Based on the other posts in the forum, it is pretty clear that one cannot just define the roles with any combination of permissions, like saying "Custom Role 1 can do everything that a Consumer can, but it can also comment, while Custom Role N cannot do something a Contributor can".
Trying to figure out how to implement this, I have come to some conclusions:
- You can define any number of additional roles within permissionDefinitions.xml and sitePermissionDefinitions.xml, but the assigned permissions will not work out of the box without major customization of Alfresco so that it knows how to handle the new roles and permissions.
- You cannot revoke permissions (e.g. a role that extends a Contributor and revokes some of its permissions).
I have also noticed topics where it is said that implementing a dynamic authority is not the most efficient solution.
What is the most appropriate way to support such a use case, if any?
Also, is there any way to define a role without any permission at all (not even read)?