Nuxeo Platform User Documentation

Managing Access Rights

Updated: October 16, 2020

Only users with management rights can manage the access rights of a space.

Managing access rights means granting or denying access rights in a space. The access rights management screen is available as a sub-tab in the Manage tab of the space.

The access rights management sub-tab is composed of three parts:

  1. The Inherited rights part displays rights that were granted or denied in a parent space.
  2. The Local rights part displays the rights that were granted or denied in the current space.
  3. The form to grant access rights in the current space.

Rights Prioritization

The access rights available are:

Right: Read
  Actions in workspaces: Consult content, Comment documents, Annotate documents, Tag documents
  Actions in sections: Consult content, Comment documents, Annotate documents, Tag documents

Right: Write
  Actions in workspaces: Create documents, Edit documents, Add / remove relations, Start a workflow, + Remove actions, + Version actions, + Read actions
  Actions in sections: Create sections, Publish documents, Approve document publishing, Unpublish documents, + Read actions, + Remove actions

Right: Manage
  Actions in workspaces: Manage access rights, Set alerts to other users, Apply a preset look on documents, Manage deleted documents, + Write actions, + Read actions
  Actions in sections: Manage access rights, Set alerts to other users, Apply a preset look on documents, Manage deleted documents, + Write actions, + Read actions

Right: Remove
  Actions in workspaces: Delete documents (this permission is included in Write right)
  Actions in sections: Delete sub-sections (this permission is included in Write right)
  Note: The Remove permission is mainly intended to be denied, so as to restrict the actions available to users with "Write" permission.

Right: Can ask for publishing
  Actions in workspaces: (none)
  Actions in sections: Submit documents for publishing

As you can see, some rights include more permissions than others, and sometimes include other rights. That is the case for "Write", which includes "Remove". Besides the fact that some rights are stronger than others, you should be aware, when you set up rights on a space, that some rights have priority over others:

  • Local rights have priority over inherited rights
  • Granted rights have priority over denied rights

There is no precedence of user rights over group rights or the other way around.

Granting Access Rights

To grant access rights:

  1. Click on the Manage tab of the space. The Access Rights sub-tab is displayed.
  2. In the form, type the username of the user you want to grant rights to. To give access rights to a group, type the group's name. The names of the users or groups corresponding to the typed characters are automatically displayed as you type.
  3. Click on the user you want to give access rights to.
  4. Select the right to grant in the Permission drop-down list.
  5. Click on the Add permission button. The user and their rights are displayed in the Local Rights part of the screen.
  6. Save the local rights modification by clicking on the Save local rights button. Local rights are saved and applied.

Removing a User from Local Rights

If you want to refuse rights to a user and these rights were granted in the current space, you can remove the user from the local rights.

To remove a user from the local rights:

  1. Click on the Manage tab of the space. The Access Rights sub-tab is displayed.
  2. In the Local Rights part of the screen, check the box corresponding to the user you want to remove.
  3. Click on the Remove permission(s) button. The user is removed from the Local Rights table.
  4. Save the local rights modification by clicking on the Save local rights button. Local rights are saved and applied.

Blocking Rights Inheritance

The rights that are granted or denied in a space are applied to the space's content, including its sub-spaces. You thus have the same rights in the sub-spaces as in the parent space. That is called rights inheritance.

You can block this inheritance. This enables you, for instance, to block the workspace's users from accessing a sub-workspace, or to substantially modify the access rights in the sub-workspace.

To block rights inheritance:

  1. Click on the Manage tab of the space whose rights inheritance you want to block. The Access Rights sub-tab is displayed.
  2. Check the box Block permissions inheritance located under the Inherited Rights table. The inherited rights table is not displayed anymore.
    You are added to the list of local rights, along with the administrators group.
    In the Access Rights tab of any sub-spaces, the group Everyone is denied all rights.
    You can now grant access rights to users.
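
The prioritization and inheritance-blocking rules described above, modelled as an added Python example (a simplified sketch, not Nuxeo's own code). It assumes an entry on a right also covers the rights that right includes, and every space, user and group name is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Right inclusion taken from the rights table on this page.
INCLUDES = {
    "Read": {"Read"},
    "Remove": {"Remove"},
    "Write": {"Write", "Remove", "Read"},
    "Manage": {"Manage", "Write", "Remove", "Read"},
}

@dataclass
class Space:
    name: str
    parent: Optional["Space"] = None
    block_inheritance: bool = False
    # Local rights: (user or group name, "grant" | "deny", right)
    local: list = field(default_factory=list)

def is_allowed(space, principals, wanted):
    """principals: the username plus every group the user belongs to."""
    level = space
    while level is not None:
        # Assumption: an entry on a right covers every right it includes.
        hits = {action for who, action, right in level.local
                if who in principals and wanted in INCLUDES[right]}
        if "grant" in hits:          # granted rights have priority over denied
            return True
        if "deny" in hits:
            return False
        if level.block_inheritance:  # parent rights no longer apply here
            return False
        level = level.parent         # nothing local: use inherited rights
    return False                     # no matching entry anywhere: no access

def effective(space, principals):
    """Effective decision for each right in the table."""
    return {r: is_allowed(space, principals, r) for r in INCLUDES}

# Constructed sample tree (hypothetical names).
ws = Space("Workspace", local=[("members", "grant", "Write")])
drafts = Space("Drafts", parent=ws, local=[("alice", "deny", "Remove")])
board = Space("Board", parent=ws, block_inheritance=True,
              local=[("bob", "grant", "Read")])
```

In this model, `effective(drafts, {"alice", "members"})` keeps the inherited Write but loses Remove, and `effective(board, {"alice", "members"})` is all false because inheritance is blocked and only bob has a local entry.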

Denying Access Rights

In a default configuration, it is not possible to deny access rights. It can however be enabled by a system administrator, using the nuxeo.security.allowNegativeACL parameter in the nuxeo.conf file.

If a user has inherited rights that you don't want him to have in the current space, you can then deny him these rights. If you want to deny access rights to a large number of users, block rights inheritance and give access rights only to the users you want to be able to access the workspace or section.

To deny access rights:

  1. Click on the Manage tab of the space. The Access Rights sub-tab is displayed.
  2. In the form, type the username of the user you want to deny rights to. To deny access rights to a group, type the group's name. The usernames corresponding to the typed characters are automatically displayed.
  3. Click on the user you want to deny rights to.
  4. Select Deny in the Action drop-down list.
  5. Select the right to deny in the Permission drop-down list.
  6. Click on the Add permission button. The user is displayed in the Local rights form. The denied right is displayed in the Denied permissions column.
  7. Save the local rights modification by clicking on the Save local rights button. Local rights are saved and applied.
