
Question

Workflow SDK script to remove explicit permissions.

asked on July 25, 2014

Has anyone written a script they would like to share that removes all explicit permissions from an entry so that all that is left are the inherited permissions? For simplicity I don't want to have to specify the Trustee when removing the rights. I just want to "remove all" explicitly granted rights. Thanks.

0 0

Answer

APPROVED ANSWER SELECTED ANSWER
replied on July 30, 2014

Zachary,

I appreciate your response and suggestions. I see that the utility you mention could have some value in a Laserfiche Administrator's toolbox but it won't work for my needs because it is a manually operated utility. I need a workflow activity that can be applied to a single entry to wipe out its explicitly defined permissions. I would like to use this activity prior to defining new permissions in the workflow.

 

Your idea to iterate all users and/or groups while calling the "Assign Rights" activity is not an option for our environment because of the number of users and groups in our environment. This would be a very inefficient process. I do appreciate the idea though.

 

I have found in the Laserfiche SDK 9.0 .NET documentation a method that will reset permissions and apply newly defined ones: EntrySecurity.ResetAccessRule Method (EntryAccessRule). It works very well. I do still wish there was a method of resetting explicit permissions on an entry without specifying any new permissions. If you want the script to just reset EntryAccessRules without applying a new one, you could always add ES.RemoveAccessRule(EAR); after the line ES.ResetAccessRule(EAR); basically wiping out all access rules, including the one you were required to specify in the ResetAccessRule method.

 

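    // EID (the entry ID) and mySess (the repository session) come from the surrounding script.
    EntryInfo EI = Entry.GetEntryInfo(EID, mySess);
    EntrySecurity ES = EI.GetAccessControl();
    // ResetAccessRule needs a rule to apply, so a trustee has to be named here.
    EntryAccessRule EAR = new EntryAccessRule(new AccountReference("Campus A Managers", mySess), EntryRights.Read, EntryAccessScope.ThisEntry, System.Security.AccessControl.AccessControlType.Allow);
    // Reset the entry's access rules and apply EAR in their place.
    ES.ResetAccessRule(EAR);
    EI.SetAccessControl(ES);
    EI.Save();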

 

Perhaps you could make this an official feature request to make this a new workflow activity or enhance the "Assign Rights" activity to not require a trustee when resetting permissions to inherited ones only.

5 0
replied on October 10, 2023

I just ran into a case where I needed to do the same thing. Turns out you can pass in an *empty* EntrySecurity object to SetAccessControl, to wipe all existing ACLs from the folder. That is:

    folderInfo.SetAccessControl(new EntrySecurity());

1 0
replied on October 16, 2023

Thanks for the heads up on this!  I will try it out on entry access as well and that will make the code much more efficient to remove all security.

0 0
replied on March 1

Fantastic!

0 0

Replies

replied on August 6, 2014

Well, I'm glad to see you found a solution that works. Thank you for posting the code that solved the problem; I'm sure others will find it useful in the future. I'll make sure the developers see your request for a more robust "Assign Rights" activity.

1 0
replied on August 6, 2014

Zachary, thanks for passing the request along to the development team. Laserfiche hit a home-run with answers.laserfiche.com. It is one of many ways Laserfiche as a company is always looking to empower their user community.

2 0
replied on May 25, 2016

Thanks for the code snippet. I was able to reuse it for a similar requirement. Like Brandon suggested, the ability to remove all explicit permissions would be great. The above method requires us to know / have an account that will always exist (or you have to resort to hardcoding).

1 0
replied on October 11, 2016

A BIG thanks to Brandon for passing along this code.  I thought I'd share the version of it that worked for me as this was a requirement for doing Cumulative folders for student records where you have students constantly changing classrooms across a large district.  

We decided to add our Laserfiche group that handles all Repository Administration ("Repository Admins") for the necessary part of removing all other access as that group will always exist and will always have access to everything.  We also added the part that removes the "Repository Admins" group just to keep things clean.  

Thanks again Brandon!!!

    using Laserfiche.RepositoryAccess;

    public class Script1 : RAScriptClass100
    {
        protected override void Execute()
        {
            // The entry this workflow script activity is bound to.
            EntryInfo docInfo = (EntryInfo)this.BoundEntryInfo;
            EntrySecurity docSec = docInfo.GetAccessControl();
            // ResetAccessRule needs a trustee, so use a group that always exists.
            EntryAccessRule tempAccess = new EntryAccessRule(new AccountReference("Repository Admins", this.RASession), EntryRights.Read, EntryAccessScope.ThisEntry, System.Security.AccessControl.AccessControlType.Allow);
            // Reset the entry's access rules, leaving only the temporary rule.
            docSec.ResetAccessRule(tempAccess);
            docInfo.SetAccessControl(docSec);
            docInfo.Save();
            // Then remove the temporary "Repository Admins" rule as well.
            EntryAccessRule clearAccess = new EntryAccessRule(new AccountReference("Repository Admins", this.RASession), EntryRights.Read, EntryAccessScope.ThisEntry, System.Security.AccessControl.AccessControlType.Allow);
            docSec.RemoveAccessRuleAll(clearAccess);
            docInfo.SetAccessControl(docSec);
            docInfo.Save();
        }
    }

 

1 0
replied on July 30, 2014

Workflow has an activity called "Assign Rights" that can remove entry access rights from an entry. Using a "Find Group" and "For Each User" activity, Workflow could iterate through all applicable users and remove all explicit entry access rights. This thread discusses it in a little more detail. Building the process in Workflow instead of scripting it would make it easier to maintain and debug.

 

We also have a utility available for download on the solution exchange that does what you're looking to do. It's a little old and uses LFSO, but it looks very close to on the mark. I suggest taking a look at it. 

0 0