The solution I came up with in order to configure and enable a new role in previously existing sites is as follows.
- Configure the new role, e.g. as it's explained here: https://wiki.alfresco.com/wiki/Custom_Permissions_in_Share
- Create a new sub-group authority under the desired site group. You can do it from the 'Groups' utility in the administration console, using REST API or the JavaScript API .
- Add the new sub-group authority to the
APP.SHARE
and remove it fromAPP.DEFAULT
. - Configure appropriate permissions on site's root folder. In other words, the new role must be granted to the new sub-group.
Note: I haven't confirmed it, but the third step might be optional. I think the only benefit of this would be to have new sub-groups properly arrange exactly the same way that Alfresco does internally.
I have created the following JavaScript snippet that can be easily run and modified on the go by using the JavaScript console admin tool (https://addons.alfresco.com/addons/javascript-console). This could be useful if you need to enable a new role in multiple existing sites.
var siteName = "my-site-id";
var newRoleName = "CustomConsumer";
var newRoleSubGroupName = "site_" + siteName + "_" + newRoleName;
var newRoleSubGroupFullName = "GROUP_" + newRoleSubGroupName;
/************************************************************/
/** Creation of the sub-group that represents the new role **/
/************************************************************/
logger.log("Starting sub-group creation");
// Get the site group object
var siteGroup = groups.getGroup("site_" + siteName);
// Create the sub-group
var newRoleSubGroup = siteGroup.createGroup(newRoleSubGroupName, newRoleSubGroupName);
logger.log("Sub-group creation done");
/**************************************************/
/** Setup the appropriate zones to the sub-group **/
/**************************************************/
logger.log("Setting up appropriate zones to the sub-group");
var shareZonesAdd = Packages.java.lang.Class.forName("java.util.HashSet").newInstance();
shareZonesAdd.add(Packages.org.alfresco.service.cmr.security.AuthorityService.ZONE_APP_SHARE);
var shareZonesRemove = Packages.java.lang.Class.forName("java.util.HashSet").newInstance();
shareZonesRemove.add(Packages.org.alfresco.service.cmr.security.AuthorityService.ZONE_APP_DEFAULT);
var ctx = Packages.org.springframework.web.context.ContextLoader.getCurrentWebApplicationContext();
var authorityService = ctx.getBean("authorityService");
var permissionGroup = authorityService.addAuthorityToZones(newRoleSubGroupFullName, shareZonesAdd);
var permissionGroup = authorityService.removeAuthorityFromZones(newRoleSubGroupFullName, shareZonesRemove);
logger.log("Zones setup done");
/*******************************************************/
/** Setup the appropriate permissions fo the new role **/
/*******************************************************/
var nodes = search.xpathSearch('/app:company_home/st:sites/cm:' + siteName);
for (var i = 0; i < nodes.length; i++)
{
logger.log("Setting new 'Content Expert' role permissions...");
nodes[i].setPermission(newRoleName, newRoleSubGroupFullName);
logger.log("Permissions folder successfully set");
}
IMPORTANT: bear in mind that as Andreas Steffan is pointing out, you also might have to deal with group life-cycle, invitation process, workflows etc. so beware by using this solution!
EDIT:
The solution explained here might work too, but I haven't tried: http://blog.abstractive.ca/2012/12/custom-share-role-breaks-existing-sites-solution/