Message-ID: <409054515.2932.1485851316548.JavaMail.confluence@ip-10-127-227-164>
Subject: Exported From Confluence
MIME-Version: 1.0
Content-Type: multipart/related; 
	boundary="----=_Part_2931_578828004.1485851316547"

------=_Part_2931_578828004.1485851316547
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Content-Location: file:///C:/exported.html

<html xmlns:o=3D'urn:schemas-microsoft-com:office:office'
      xmlns:w=3D'urn:schemas-microsoft-com:office:word'
      xmlns:v=3D'urn:schemas-microsoft-com:vml'
      xmlns=3D'urn:w3-org-ns:HTML'>
<head>
    <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8=
">
    <title>Permissions</title>
    <!--[if gte mso 9]>
    <xml>
        <o:OfficeDocumentSettings>
            <o:TargetScreenSize>1024x640</o:TargetScreenSize>
            <o:PixelsPerInch>72</o:PixelsPerInch>
            <o:AllowPNG/>
        </o:OfficeDocumentSettings>
        <w:WordDocument>
            <w:View>Print</w:View>
            <w:Zoom>90</w:Zoom>
            <w:DoNotOptimizeForBrowser/>
        </w:WordDocument>
    </xml>
    <![endif]-->
    <style>
                <!--
        @page Section1 {
            size: 8.5in 11.0in;
            margin: 1.0in;
            mso-header-margin: .5in;
            mso-footer-margin: .5in;
            mso-paper-source: 0;
        }

        td {
            page-break-inside: avoid;
        }

        tr {
            page-break-after: avoid;
        }

        div.Section1 {
            page: Section1;
        }

        /* Confluence print stylesheet. Common to all themes for print medi=
a */
/* Full of !important until we improve batching for print CSS */

@media print {
    #main {
        padding-bottom: 1em !important; /* The default padding of 6em is to=
o much for printouts */
    }

    body {
        font-family: Arial, Helvetica, FreeSans, sans-serif;
        font-size: 10pt;
        line-height: 1.2;
    }

    body, #full-height-container, #main, #page, #content, .has-personal-sid=
ebar #content {
        background: #fff !important;
        color: #000 !important;
        border: 0 !important;
        width: 100% !important;
        height: auto !important;
        min-height: auto !important;
        margin: 0 !important;
        padding: 0 !important;
        display: block !important;
    }

    a, a:link, a:visited, a:focus, a:hover, a:active {
        color: #000;
    }

    #content h1,
    #content h2,
    #content h3,
    #content h4,
    #content h5,
    #content h6 {
        font-family: Arial, Helvetica, FreeSans, sans-serif;
        page-break-after: avoid;
    }

    pre {
        font-family: Monaco, "Courier New", monospace;
    }

    #header,
    .aui-header-inner,
    #navigation,
    #sidebar,
    .sidebar,
    #personal-info-sidebar,
    .ia-fixed-sidebar,
    .page-actions,
    .navmenu,
    .ajs-menu-bar,
    .noprint,
    .inline-control-link,
    .inline-control-link a,
    a.show-labels-editor,
    .global-comment-actions,
    .comment-actions,
    .quick-comment-container,
    #addcomment {
        display: none !important;
    }

    .comment .date::before {
        content: none !important; /* remove middot for print view */
    }

    h1.pagetitle img {
        height: auto;
        width: auto;
    }

    .print-only {
        display: block;
    }

    #footer {
        position: relative !important; /* CONF-17506 Place the footer at en=
d of the content */
        margin: 0;
        padding: 0;
        background: none;
        clear: both;
    }

    #poweredby {
        border-top: none;
        background: none;
    }

    #poweredby li.print-only {
        display: list-item;
        font-style: italic;
    }

    #poweredby li.noprint {
        display: none;
    }

    /* no width controls in print */
    .wiki-content .table-wrap,
    .wiki-content p,
    .panel .codeContent,
    .panel .codeContent pre,
    .image-wrap {
        overflow: visible !important;
    }

    /* TODO - should this work? */
    #children-section,
    #comments-section .comment,
    #comments-section .comment .comment-body,
    #comments-section .comment .comment-content,
    #comments-section .comment p {
        page-break-inside: avoid;
    }

    #page-children a {
        text-decoration: none;
    }

    /**
     hide twixies

     the specificity here is a hack because print styles
     are getting loaded before the base styles. */
    #comments-section.pageSection .section-header,
    #comments-section.pageSection .section-title,
    #children-section.pageSection .section-header,
    #children-section.pageSection .section-title,
    .children-show-hide {
        padding-left: 0;
        margin-left: 0;
    }

    .children-show-hide.icon {
        display: none;
    }

    /* personal sidebar */
    .has-personal-sidebar #content {
        margin-right: 0px;
    }

    .has-personal-sidebar #content .pageSection {
        margin-right: 0px;
    }
}
-->
    </style>
</head>
<body>
    <h1>Permissions</h1>
    <div class=3D"Section1">
        <p>Permissions in "Platform stack" is one of the most advance permi=
ssions systems around, allowing you to define very fine grained rights for =
your Editor-, Anonymous-, Member-, ... &nbsp;Users.</p>
<h2 id=3D"Permissions-Overview">Overview</h2>
<p>In the Permission system by default a user does not have access to anyth=
ing, to give them access, they need to inherit Roles, typically assigned to=
 the User Group they belong to.</p>
<h2 id=3D"Permissions-Model">Model</h2>
<h3 id=3D"Permissions-Roles">Roles</h3>
<p>First part of the Permission model is the Roles, and they consists of th=
e following parts:</p>
<pre>RoleLimitation *- RoleAssignment &gt;- Role -&lt; Policy -*&lt; Limita=
tion</pre>
<ul>
<li>A role assignment can optionally have a limitation, <span style=3D"colo=
r: rgb(128,128,128);">role limitation examples: </span><a href=3D"/display/=
EZP/SubtreeLimitation">SubTreeLimitation</a><span style=3D"color: rgb(128,1=
28,128);"> or </span><a href=3D"/display/EZP/SectionLimitation">SectionLimi=
tation</a></li>
<li>A role can have several assignments, <span style=3D"color: rgb(128,128,=
128);">role example: Editor, Member, ProSubscriber, ..</span></li>
<li>A role consists of several policies, <span style=3D"color: rgb(128,128,=
128);">policy example: content/read/*, content/edit/* (where * refers to fu=
ll access, aka no limitation)</span></li>
<li>A policy consists optionally of several limitations, <span style=3D"col=
or: rgb(128,128,128);">limitation example:</span><a href=3D"/display/EZP/Co=
ntentTypeLimitation">ContentTypeLimitation</a>,<a href=3D"/display/EZP/Sect=
ionLimitation">SectionLimitation</a>,<a href=3D"/display/EZP/OwnerLimitatio=
n">OwnerLimitation</a>,<a href=3D"/display/EZP/Limitations+reference">...</=
a></li>
</ul>
<h3 id=3D"Permissions-Users">Users</h3>
<p>Second second part of the model is Users and User Groups:</p>
<pre>User -*&lt; UserGroup</pre>
<ul>
<li>A user can be member of several user groups<span style=3D"color: rgb(12=
8,128,128);">, user group examples: Administrator Users, Member Users, ProS=
ubscriber&nbsp;Users</span></li>
</ul>
<h3 id=3D"Permissions-Roleassignments">Role assignments</h3>
<p>Last part on the permission model is the fact that RoleAssignments can b=
e assigned to both User <span style=3D"color: rgb(0,0,0);"><strong><em>or</=
em></strong></span> UserGroup:</p>
<pre>User - RoleAssignment - UserGroup</pre>
<ul>
<li>A role assignment can be assigned to either a user <em>or</em> user gro=
up</li>
</ul>
<div class=3D"confluence-information-macro confluence-information-macro-inf=
ormation">
<p class=3D"title">Best Practice</p>
<span class=3D"aui-icon aui-icon-small aui-iconfont-info confluence-informa=
tion-macro-icon"></span>
<div class=3D"confluence-information-macro-body">
<p>Best practice is to avoid assigning Roles to Users directly, and instead=
 make sure you model your content <em>(types, structure, sections, ..)</em>=
 in a way that can be reflected in generic roles. Besides being much easier=
 to manage and keep on top of security wise, this also makes sure your syst=
em performs best. <em>The more Role assignments and complex policies you ad=
d for a given user, the more complex the search/load queries powering the w=
hole CMS will be, as they always take Permissions into account.</em></p>
</div>
</div>
<h2 id=3D"Permissions-Extensibility">Extensibility</h2>
<p>Two parts of the Permissions system is extensible from a programatic per=
spective: Policies and Limitations</p>
<ul>
<li>Policies: <a href=3D"/display/EZP/Custom+policies">Custom policies can =
be added for use in your own code</a>, <span style=3D"color: rgb(128,128,12=
8);">custom policy example comment/create</span></li>
<li><a href=3D"/display/EZP/Limitations+reference">Limitations</a>: You can=
 extend existing policies, and hence extend the permissions of the CMS, <sp=
an style=3D"color: rgb(128,128,128);">example could be adding SubscriptionL=
imitation to content/read policy</span></li>
</ul>
<p>&nbsp;</p>
<p>Further reading:&nbsp;<a href=3D"/display/EZP/Limitations+reference">Lim=
itations reference</a></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
    </div>
</body>
</html>
------=_Part_2931_578828004.1485851316547--