Applying permissions on workflow

Hello all,

I have a workflow that translates content when clicking on a button being rendered in the document form editor. I look at the workflow configuration which I believe is associated with that button at /hippo:configuration/hippo:workflows/translations-workflow and see the following:

/translations-workflow:
  jcr:primaryType: hipposys:workflowcategory
  jcr:mixinTypes: ['hippo:translated']
  /translations-workflow:
    jcr:primaryType: frontend:workflow
    hipposys:classname: com.bloomreach.cms.translations.repository.workflow.TranslationsRequestWorkflowImpl
    hipposys:display: Translation Workflow
    hipposys:nodetype: hippo:handle
    hipposys:privileges: ['hippo:author']
    hipposys:subtype: hippo:document
    /frontend:renderer:
      jcr:primaryType: frontend:plugin
      plugin.class: com.bloomreach.cms.translations.frontend.plugin.TranslationsRequestWorkflowPlugin
    /hipposys:types:
      jcr:primaryType: hipposys:types

If I change the hipposys:privileges value to hippo:admin I manage to make it visible only to admin accounts (as they have that privilege associated in their group via the admin role that contains the hippo:admin privilege).

The issue I’m having is that I need to make that button only visible to a special type of editors. I wanted to try to achieve this using userroles but the configuration node shown above only recognizes the hipposys:privileges property (not userroles nor roles). Is there a way to achieve this?

Hey Pedro_Gutierrez,

Could you create a separate group for the “special type of editors”? They can have the same permissions as editors but also be given the privileges to translations-workflow. Would this work for you?

Thank you for your response.

That is exactly what I was trying to achieve. :slightly_smiling_face:

We currently have a viewer group, an editor group (with author and editor privileges because these users create/edit content and also publish/unpublish it) and, of course, the reserved admin group.

I wanted to create an extra group or extra userrole to have “special editors” who can access that workflow but only them.

The problem I’m facing is that I don’t know what the right types of privileges to use are. One of the issues is that I think that the list of privileges available is not documented. There is a reference in the documentation that has the list of standard privileges coming from JCR (jcr:read, jcr:write, etc). But I can’t see the list of the ones that belong to Bloomreach (hippo:admin, hippo:rest…).

I was considering creating one privilege of my own (that is why I was trying the userrole approach) but that doesn’t seem feasible (or I haven’t found the way to do it).

Would you know where to find the list of privileges that come from Bloomreach?
Or maybe if I could create one of my own?

I was also exploring a way to do this via domain rules but I’m a bit lost there at the moment.

The default userroles have short descriptions that can be seen in a compact view by navigating in the CMS > Settings > brXM User Management > Userroles. Essentially, the security domains are comprised of facets on the nodes providing certain permissions. I would recommend trying something simple to get accustomed to the domain definitions. (e.g. restricting access to a content folder)

You can add new userroles or customize the existing userroles. They should be related to a security domain that determines which permissions the users will have on specific nodes within the JCR.

You can read more about security domains here: Security Domains - Bloomreach Experience Manager (PaaS/Self-Hosted) - The Fast and Flexible Headless CMS

And definitions for userroles here:

And best of all, walkthroughs for common use cases in definition of custom permissions:

In addition to @Nicholas_Pavao’s answer, you can also go to cms/console and check for node permissions via the Node top menu.