Permissions

Set the default permission checker class used by com.liferay.portal.security.permission.PermissionCheckerFactory to check permissions for actions on objects. This class can be overriden with a custom class that implements com.liferay.portal.security.permission.PermissionChecker.

Examples:

permissions.checker=com.liferay.portal.security.permission.SimplePermissionChecker
permissions.checker=com.liferay.portal.security.permission.AdvancedPermissionChecker

Set the algorithm used to check permissions for a user. This is useful so that you can optimize the search for different databases. See com.liferay.portal.service.impl.PermissionLocalServiceImpl.

Algorithms 1 through 4 are essentially the same but make calls in different orders depending on how the database is optimized and how the portal permissions are used. Algorithm 5 moves to a completely role based permissions check for better performance. Permissions by users are no longer supported, yet it uses the same table structure as algorithms 1-4.

Algorithm 6 is the current algorithm for Liferay 6 and above. It supports role based permissions like algorithm 5, but does so by using only one table and bitwise operations. This makes it perform far better than the other algorithms.

Examples:

permissions.user.check.algorithm=1
permissions.user.check.algorithm=2
permissions.user.check.algorithm=3
permissions.user.check.algorithm=4
permissions.user.check.algorithm=5
permissions.user.check.algorithm=6

Set the default permissions list filter class. This class must implement com.liferay.portal.kernel.security.permission.PermissionsListFilter. This is used if you want to filter the list of permissions before it is actually persisted. For example, if you want to make sure that all users who create objects never have the UPDATE action, then you can filter that list and remove any permissions that have the UPDATE action before it is persisted.

permissions.list.filter=com.liferay.portal.security.permission.PermissionsListFilterImpl

Set this to true to configure permission caching to block. See the property ehcache.blocking.cache.allowed for more information.

permissions.object.blocking.cache=false

Configure this threshold to indicate when to use the custom SQL finder to check resource permissions.

permissions.role.resource.permission.query.threshold=10

The permissions cache uses a thread local map to store the most frequently accessed items to lower the number of queries to the underlying cache. Set the maximum map size to 0 to disable the thread level cache.

permissions.thread.local.cache.max.size=100

Set this to true to enable inline SQL permission checks.

permissions.inline.sql.check.enabled=true

Set this to true to use permission checking when reading custom attributes by default.

permissions.custom.attribute.read.check.by.default=true

Set this to true to use permission checking when writing custom attributes by default.

permissions.custom.attribute.write.check.by.default=true

Set the following to true to automatically check the view permission on parent categories or folders when checking the permission on a specific item.

For example, if set to true, to be able to have access to a document, a user must have the view permission on the document’s folder and all its parent folders. Or, to have access to a comment, a user must have the view permission on the comments’s category and all its parent categories.

permissions.view.dynamic.inheritance=true

Set the following to true to enable propagation of permissions between models.

For example, when setting the permissions on a a specific Wiki node, if you assign a role a permission (e.g. DELETE), then the assignment of that permission is also propagated to all Wiki pages that belong to that Wiki node.

The actual logic of how permissions are propagated among models is specified per portlet. See liferay-portlet.xml’s use of the element permission-propagator.

permissions.propagation.enabled=false