Has anyone written a script they would like to share that removes all explicit permissions from an entry so that all that is left are the inherited permissions? For simplicity I don't want to have to specify the Trustee when removing the rights. I just want to "remove all" explicitly granted rights. Thanks.
Question
Workflow SDK script to remove explicit permissions.
Answer
Zachary,
I appreciate your response and suggestions. I see that the utility you mention could have some value in a Laserfiche Administrator's toolbox but it won't work for my needs because it is a manually operated utility. I need a workflow activity that can be applied to a single entry to wipe out its explicitly defined permissions. I would like to use this activity prior to defining new permissions in the workflow.
Your idea to iterate all users and/or groups while calling the "Assign Rights" activity is not an option for our environment because of the number of users and groups in our environment. This would be a very inefficient process. I do appreciate the idea though.
I have found in the Laserfiche SDK 9.0 .NET documentation a method that will reset permissions and apply newly defined ones: EntrySecurity.ResetAccessRule Method (EntryAccessRule). It works very well. I do still wish there was a method of resetting explicit permissions on an entry without specifying any new permissions. If you want the script to just reset EntryAccessRules without applying a new one you could always add ES.RemoveAccessRule(EAR); after the line ES.ResetAccessRule(EAR); basically wiping out all access rules including the one you were required to specify in the ResetAccessRule method.
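```csharp
// EID (the entry ID) and mySess (the open session) are defined elsewhere in the script.
EntryInfo EI = Entry.GetEntryInfo(EID, mySess);
EntrySecurity ES = EI.GetAccessControl();

// ResetAccessRule requires a rule: it resets the entry's access rules and applies this one.
EntryAccessRule EAR = new EntryAccessRule(
    new AccountReference("Campus A Managers", mySess),
    EntryRights.Read,
    EntryAccessScope.ThisEntry,
    System.Security.AccessControl.AccessControlType.Allow);
ES.ResetAccessRule(EAR);

// Write the modified security back to the entry.
EI.SetAccessControl(ES);
EI.Save();
```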
Perhaps you could make this an official feature request to make this a new workflow activity or enhance the "Assign Rights" activity to not require a trustee when resetting permissions to inherited ones only.
I just ran into a case where I needed to do the same thing. Turns out you can pass in an *empty* EntrySecurity object to SetAccessControl, to wipe all existing ACLs from the folder. That is:
```csharp
folderInfo.SetAccessControl(new EntrySecurity());
```
Thanks for the heads up on this! I will try it out on entry access as well and that will make the code much more efficient to remove all security.
Fantastic!
Replies
Well, I'm glad to see you found a solution that works. Thank you for posting the code that solved the problem; I'm sure others will find it useful in the future. I'll make sure the developers see your request for a more robust "Assign Rights" activity.
Thanks for the code snippet. I was able to reuse it for a similar requirement. Like Brandon suggested, the ability to remove all explicit permissions would be great. The above method requires us to know / have an account that will always exist (or you have to resort to hardcoding).
A BIG thanks to Brandon for passing along this code. I thought I'd share the version of it that worked for me as this was a requirement for doing Cumulative folders for student records where you have students constantly changing classrooms across a large district.
We decided to add our Laserfiche group that handles all Repository Administration ("Repository Admins") for the necessary part of removing all other access as that group will always exist and will always have access to everything. We also added the part that removes the "Repository Admins" group just to keep things clean.
Thanks again Brandon!!!
```csharp
using Laserfiche.RepositoryAccess;

public class Script1 : RAScriptClass100
{
    protected override void Execute()
    {
        EntryInfo docInfo = (EntryInfo)this.BoundEntryInfo;
        EntrySecurity docSec = docInfo.GetAccessControl();

        // Step 1: reset the entry's access rules to a single rule for a group that always exists.
        EntryAccessRule tempAccess = new EntryAccessRule(
            new AccountReference("Repository Admins", this.RASession),
            EntryRights.Read,
            EntryAccessScope.ThisEntry,
            System.Security.AccessControl.AccessControlType.Allow);
        docSec.ResetAccessRule(tempAccess);
        docInfo.SetAccessControl(docSec);
        docInfo.Save();

        // Step 2: remove the temporary "Repository Admins" rule as well, to keep things clean.
        EntryAccessRule clearAccess = new EntryAccessRule(
            new AccountReference("Repository Admins", this.RASession),
            EntryRights.Read,
            EntryAccessScope.ThisEntry,
            System.Security.AccessControl.AccessControlType.Allow);
        docSec.RemoveAccessRuleAll(clearAccess);
        docInfo.SetAccessControl(docSec);
        docInfo.Save();
    }
}
```
Workflow has an activity called "Assign Rights" that can remove entry access rights from an entry. Using a "Find Group" and "For Each User" activity, Workflow could iterate through all applicable users and remove all explicit entry access rights. This thread discusses it in a little more detail. Building the process in Workflow instead of scripting it would make it easier to maintain and debug.
We also have a utility available for download on the solution exchange that does what you're looking to do. It's a little old and uses LFSO, but it looks very close to on the mark. I suggest taking a look at it.