A.3. default-permission-values.xml

Files of this type are used in CUBA before version 7.2, or in migrated projects that kept the legacy method of calculating effective permissions as described in the Legacy Roles and Permissions section.

Default permission values are used when no role defines an explicit value for permission target. It is necessary mostly for denying roles: without this file the user with a denying role by default doesn’t have access to mainWindow screen and to filter screens.

The file should be created in the core module.

The file location is specified in the cuba.defaultPermissionValuesConfig application property. If this property is not defined in the application, the default cuba-default-permission-values.xml file will be used.

The file has the following structure:

default-permission-values - the root element, which has only one nested element - permission.

permission - the permission itself: it determines the object type and the permission imposed on it.

permission has three attributes:

  • target - permission object: determines the specific object the permission is imposed on. The format of the attribute depends on the permission type: for screens - the id of the screen, for entity operations - the entity id with the operation type, for example, target="sec$Filter:read", and so on.

  • value - permission value. Can be 0 or 1 (denied or allowed, respectively).

  • type - the type of permission object:

    • 10 - screen,

    • 20 - entity operation,

    • 30 - entity attribute,

    • 40 - application-specific permission,

    • 50 - UI component.

For example:

<?xml version="1.0" encoding="UTF-8"?>
<default-permission-values xmlns="http://schemas.haulmont.com/cuba/default-permission-values.xsd">
    <permission target="dynamicAttributesConditionEditor" value="0" type="10"/>
    <permission target="dynamicAttributesConditionFrame" value="0" type="10"/>
    <permission target="sec$Filter:read" value="1" type="20"/>
    <permission target="cuba.gui.loginToClient" value="1" type="40"/>
</default-permission-values>