Can be permission removed for particular user?

toropok · October 30, 2024, 11:14am

Hi there

Is there any way to constrain or partially remove permissions for particular user account?

Let's say for particular user with Publisher role remove permission for Transition: Publish?

fredvd · October 30, 2024, 12:35pm

No, this is not possible in standard Plone its security modell.

espenmn · October 30, 2024, 3:26pm

Maybe you could make a new workflow and 'check for something'.
Maybe make a new group that can 'Publish' (or use that group to 'check : can not publish' ?

I assume you could also have a 'guard' and check if 'user is xx' (but that does not sound like a good idea)

toropok · October 31, 2024, 2:18am

I was just looking is there any shortcut to achieve that. Thanks for help!

jensens · October 31, 2024, 1:06pm

If it is about blocking the transition only: Each transitions has 4 kinds of guards. Permission is one. Others are roles, groups or expressions. With an expression you are very flexible to exclude specific users.

https://productsdcworkflow.readthedocs.io/en/latest/narrative/Guards.html
https://productsdcworkflow.readthedocs.io/en/latest/narrative/Expressions.html

fredvd · October 31, 2024, 10:01pm

Ah briliant. Yes in this particular workflow case you can use the transition guards.

I do wonder if this is not an IA and local sharing roles misunderstanding.

OP want to remove the publishing permission, but you do that by not giving that user the Publishing Role.

If the user in question has the Global Publisher role, remove it there and only give him the role in a section of the site tree or even only some particular items.

Create groups for users that need for example edit and publish marketing materials (marketing team). Then set a local sharing role for the marketing folder for that group. If you need to subdivide the roles further, create a marketing_editors and marketing_publishing group that have the equivalent separated roles set on the relevant site sections. And assign the ussrs to their relevant groups

That’s how the roles users groups system work for high level authorisarion.

Permission are low level implementing on a matrix of roles you eventually get on an item and the workflow state of that item.

And there you have indeed the workflow transition guards as another control. Where the transitions through the states change the set of permission each role has on that item.

Concrete example: when an item goes to publish, the edit permission is removed for all roles except for ‘end editor’ to prevent normal editors making post publish changes.

Yes we have quite an advanced system here that works out of the box but is very flexible.

Hope this very dense summary helps. We had a workflow training at a conference once. maybe it’s on thraining still available under old trainings.