A.3. default-permission-values.xml
Files of this type are used in CUBA before version 7.2, or in migrated projects that kept the legacy method of calculating effective permissions as described in the Legacy Roles and Permissions section. |
Default permission values are used when no role defines an explicit value for permission target. It is necessary mostly for denying roles: without this file the user with a denying role by default doesn’t have access to mainWindow screen and to filter screens.
The file should be created in the core
module.
The file location is specified in the cuba.defaultPermissionValuesConfig application property. If this property is not defined in the application, the default cuba-default-permission-values.xml
file will be used.
XML schema is available at http://schemas.haulmont.com/cuba/default-permission-values.xsd.
The file has the following structure:
default-permission-values
- the root element, which has only one nested element - permission
.
permission
- the permission itself: it determines the object type and the permission imposed on it.
permission
has three attributes:
-
target
- permission object: determines the specific object the permission is imposed on. The format of the attribute depends on the permission type: for screens - theid
of the screen, for entity operations - the entityid
with the operation type, for example,target="sec$Filter:read"
, and so on. -
value
- permission value. Can be0
or1
(denied or allowed, respectively). -
type
- the type of permission object:-
10
- screen, -
20
- entity operation, -
30
- entity attribute, -
40
- application-specific permission, -
50
- UI component.
-
For example:
<?xml version="1.0" encoding="UTF-8"?>
<default-permission-values xmlns="http://schemas.haulmont.com/cuba/default-permission-values.xsd">
<permission target="dynamicAttributesConditionEditor" value="0" type="10"/>
<permission target="dynamicAttributesConditionFrame" value="0" type="10"/>
<permission target="sec$Filter:read" value="1" type="20"/>
<permission target="cuba.gui.loginToClient" value="1" type="40"/>
</default-permission-values>