Finally I was able to accomplish that by modifying Resource Permissions for RoleX and modifying the users_admin portlet's init.jsp file, both using a Hook Plugin.
The main problem was that Liferay is not using ResourcePermissions to enable Organization management beyond organizations the user belongs to.
In particular, in portal-trunk/portal-web/docroot/html/portlet/users_admin/init.jsp there are a few lines of code enabling it only for the Company Admin Role:

    else if (permissionChecker.isCompanyAdmin()) {
        filterManageableGroups = false;
        filterManageableOrganizations = false;
        filterManageableUserGroups = false;
    }

So I added the following lines to init.jsp (you can use init-ext.jsp in the hook) to enable it also for RoleX:

    if (MyUtils.isRoleX()) {
        filterManageableGroups = false;
        filterManageableOrganizations = false;
        filterManageableUserGroups = false;
    }

In this way the database query is not going to filter Organizations, Users and Groups.
The second step is to define permissions to Add, Update, Manage, etc. Users and Organizations and to access the portlet in the control panel.
This was pretty straightforward using a startup action hook and the ResourcePermissionLocalService API:

    private static final String[] ORGANIZATION_ENTRY_ACTION_IDS = new String[] {
        ActionKeys.VIEW, ActionKeys.UPDATE, ActionKeys.ASSIGN_USER_ROLES,
        ActionKeys.DELETE, ActionKeys.MANAGE_USERS };
    private static final String[] ORGANIZATION_CUSTOM_FIELDS_ENTRY_ACTION_IDS = new String[] {
        ActionKeys.VIEW, ActionKeys.UPDATE };
    public static final String[] ORGANIZATION_MODEL_ACTION_IDS = new String[] {
        ActionKeys.ASSIGN_MEMBERS, ActionKeys.ASSIGN_USER_ROLES,
        ActionKeys.DELETE, ActionKeys.MANAGE_ANNOUNCEMENTS,
        ActionKeys.UPDATE, ActionKeys.VIEW, ActionKeys.MANAGE_USERS,
        ActionKeys.MANAGE_SUBORGANIZATIONS };
    public static final String[] ORGANIZATION_GROUP_ENTRY_ACTION_IDS = new String[] {
        ActionKeys.ASSIGN_MEMBERS, ActionKeys.ASSIGN_USER_ROLES,
        ActionKeys.UPDATE, ActionKeys.VIEW, ActionKeys.VIEW_MEMBERS };
    private static final String[] PORTAL_ACTION_IDS = new String[] {
        ActionKeys.ADD_USER, ActionKeys.ADD_ORGANIZATION,
        ActionKeys.VIEW_CONTROL_PANEL };
    private static final String[] USERS_ORG_ADMIN_ACTION_IDS = new String[] {
        ActionKeys.ACCESS_IN_CONTROL_PANEL };

    // ... omitted ...

    // ORGANIZATION MODEL GROUP TEMPLATE PERMISSIONS
    ResourcePermissionLocalServiceUtil.setResourcePermissions(companyId,
        Organization.class.getName(),
        ResourceConstants.SCOPE_GROUP_TEMPLATE, "0",
        CiUtils.getRoleX().getPrimaryKey(),
        ORGANIZATION_MODEL_ACTION_IDS);

    // ORGANIZATION MODEL COMPANY PERMISSIONS
    ResourcePermissionLocalServiceUtil.setResourcePermissions(companyId,
        Organization.class.getName(), ResourceConstants.SCOPE_COMPANY,
        Long.toString(companyId),
        CiUtils.getRoleX().getPrimaryKey(),
        ORGANIZATION_MODEL_ACTION_IDS);

    // PORTAL (portlet 90) PERMISSIONS
    ResourcePermissionLocalServiceUtil.setResourcePermissions(companyId,
        "90", ResourceConstants.SCOPE_COMPANY,
        Long.toString(companyId),
        CiUtils.getRoleX().getPrimaryKey(),
        PORTAL_ACTION_IDS);

    // USER_ORG_ADMINS PORTLET (125) PERMISSIONS
    ResourcePermissionLocalServiceUtil.setResourcePermissions(companyId,
        "125", ResourceConstants.SCOPE_COMPANY,
        Long.toString(companyId),
        CiUtils.getRoleX().getPrimaryKey(),
        USERS_ORG_ADMIN_ACTION_IDS);

and for each Organization:

    // Per-organization permissions on the Organization entry itself
    ResourcePermissionLocalServiceUtil.setResourcePermissions(
        organization.getCompanyId(),
        Organization.class.getName(), ResourceConstants.SCOPE_INDIVIDUAL,
        Long.toString(organization.getPrimaryKey()),
        MyUtils.getRoleX().getPrimaryKey(),
        ORGANIZATION_ENTRY_ACTION_IDS);

    // Per-organization permissions on the organization's Group
    long groupId = organization.getGroupId();
    ResourcePermissionLocalServiceUtil.setResourcePermissions(
        organization.getCompanyId(),
        Group.class.getName(), ResourceConstants.SCOPE_INDIVIDUAL,
        Long.toString(groupId),
        MyUtils.getRoleX().getPrimaryKey(),
        ORGANIZATION_GROUP_ENTRY_ACTION_IDS);

Hope this can help someone else.
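
The startup action that the answer elides could be wrapped as below, with a read-back of each grant so a failed or partial assignment stops startup instead of going unnoticed. This is an added example, not part of the original answer: the class name, package, the role name "RoleX" as a literal, the narrowed action list, the Liferay 6.x package names and registration through `application.startup.events` in the hook's portal.properties are all assumptions.

```java
package com.example.hook; // hypothetical package

import com.liferay.portal.kernel.events.ActionException;
import com.liferay.portal.kernel.events.SimpleAction;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.model.Organization;
import com.liferay.portal.model.ResourceConstants;
import com.liferay.portal.model.Role;
import com.liferay.portal.security.permission.ActionKeys;
import com.liferay.portal.service.ResourcePermissionLocalServiceUtil;
import com.liferay.portal.service.RoleLocalServiceUtil;

public class RoleXPermissionsAction extends SimpleAction {

    private static final String ROLE_NAME = "RoleX"; // placeholder role name
    // Deliberately narrower than the answer's list: grant only what the role needs.
    private static final String[] ORG_ACTIONS = {
        ActionKeys.VIEW, ActionKeys.UPDATE, ActionKeys.MANAGE_USERS };
    private static final Log _log =
        LogFactoryUtil.getLog(RoleXPermissionsAction.class);

    @Override
    public void run(String[] ids) throws ActionException {
        try {
            long companyId = Long.parseLong(ids[0]); // startup events pass the company id
            Role role = RoleLocalServiceUtil.getRole(companyId, ROLE_NAME);
            String name = Organization.class.getName();
            String primKey = Long.toString(companyId);

            // setResourcePermissions replaces the role's existing action set
            // for this resource name, scope and primKey.
            ResourcePermissionLocalServiceUtil.setResourcePermissions(
                companyId, name, ResourceConstants.SCOPE_COMPANY, primKey,
                role.getRoleId(), ORG_ACTIONS);

            // Read every grant back; abort startup if one is missing.
            for (String actionId : ORG_ACTIONS) {
                if (!ResourcePermissionLocalServiceUtil.hasResourcePermission(
                        companyId, name, ResourceConstants.SCOPE_COMPANY,
                        primKey, role.getRoleId(), actionId)) {
                    throw new ActionException(
                        "Missing " + actionId + " for " + ROLE_NAME);
                }
            }
            // Audit trail: record which role received company-wide rights.
            _log.info("Granted " + ORG_ACTIONS.length + " Organization actions to "
                + ROLE_NAME + " in company " + companyId);
        } catch (ActionException ae) { throw ae;
        } catch (Exception e) { throw new ActionException(e); }
    }
}
```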