The customer is using an Admin user to create custom hierarchical security groups with security marks. Security controls are then assigned to specific groups or users using the custom security marks. On a collaboration site, the Admin user then uses the “Classify” action to classify content in the document library, after which any group or user with the correct security clearance has access to the classified content. However, groups or users that have the correct security clearance for the content and also hold a site role that includes the “write access” permission are able to use the “Edit Classification” action to remove the security clearance from the content. They are also able to add the same security clearance back to the content. From the customer’s perspective this undermines the function of classifying content.
Steps to Reproduce:
- As an Admin user, log in to Alfresco and go to “Admin Tools”.
- Under “Tools” and then “Security Controls” select “Configure”.
- Select “Create Security Group”, enter the name IT and select “Hierarchical”.
- Click on the new Security Group and add a new security mark called ACCESS.
- Next under “Security Controls” click on “Assign”.
- Hover over a user’s name, such as jsmith, and click on “Set Security Controls”.
- Click on the ACCESS security mark and then “Apply”.
- On a collaboration site named Test, add the user jsmith as a site member with the role “Collaborator”.
- Go to the document library of the Test site, hover over a folder, select “More” and then “Classify”.
- Locate the IT Security Group and ACCESS security mark, select it and then click on “Classify”. The folder will now be labeled with the ACCESS security mark.
- Log in to Alfresco as the jsmith user.
- Go to the Test site document library, hover over the folder classified above, select “More” and then “Edit Classification”.
- Click on the ACCESS security mark to remove it and then “Save”.
- The folder no longer has the ACCESS label, and all site users are able to view the folder and the content contained in it.
Observed Behavior: Any user whose collaboration site role includes the “write access” permission and who holds the required security clearance for the content is able to use the “Edit Classification” action to remove the security classification from that content.
Expected Behavior: Only users with Admin credentials should be able to remove the security classification from content.