RM-2123 Give clearance to the admin and system users.

Make sure this is executed as a patch and also bootstrapped into a clean
system using the BootstrapImporterModuleComponent.

Also restrict access to the classification levels (via the get API) to
only the levels that the user has clearance to.

+review RM

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@104376 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

rm-server/config/alfresco/module/org_alfresco_module_rm/classified-content-context.xml

@@ -41,6 +41,7 @@
          class="org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceImpl"
          parent="baseService" init-method="init">
       <property name="classificationServiceBootstrap" ref="classificationServiceBootstrap"/>
+      <property name="securityClearanceService" ref="securityClearanceService"/>
    </bean>
 
    <bean id="ClassificationService" class="org.springframework.aop.framework.ProxyFactoryBean">

rm-server/config/alfresco/module/org_alfresco_module_rm/module-context.xml

@@ -23,6 +23,7 @@
       <property name="nodeService" ref="nodeService" />
       <property name="modulePatchExecuter" ref="rm.modulePatchExecuter" />
       <property name="recordContributorsGroupBootstrapComponent" ref="recordContributorsGroupBootstrapComponent"/>
+      <property name="clearancesForSpecialUsersBootstrapComponent" ref="clearancesForSpecialUsersBootstrapComponent"/>
       <property name="moduleId" value="org_alfresco_module_rm"/>
       <property name="name" value="org_alfresco_module_rm_bootstrapData"/>
       <property name="description" value="Bootstrap records management data"/>
@@ -39,12 +40,21 @@
       </property>
    </bean>
 
-	<!-- Record contributors group bootstrap component -->
+   <!-- Record contributors group bootstrap component -->
-	<bean id="recordContributorsGroupBootstrapComponent"
+   <bean id="recordContributorsGroupBootstrapComponent"
-          class="org.alfresco.module.org_alfresco_module_rm.bootstrap.RecordContributorsGroupBootstrapComponent">
+         class="org.alfresco.module.org_alfresco_module_rm.bootstrap.RecordContributorsGroupBootstrapComponent">
-       <property name="authorityService" ref="AuthorityService" />
+      <property name="authorityService" ref="AuthorityService" />
-       <property name="authenticationUtil" ref="rm.authenticationUtil"/>
+      <property name="authenticationUtil" ref="rm.authenticationUtil"/>
-    </bean>
+   </bean>
+
+   <!-- Clearances for special users bootstrap component -->
+   <bean id="clearancesForSpecialUsersBootstrapComponent"
+         class="org.alfresco.module.org_alfresco_module_rm.bootstrap.ClearancesForSpecialUsersBootstrapComponent">
+      <property name="authenticationUtil" ref="rm.authenticationUtil"/>
+      <property name="personService" ref="PersonService"/>
+      <property name="nodeService" ref="NodeService"/>
+      <property name="classificationServiceBootstrap" ref="classificationServiceBootstrap"/>
+   </bean>
 
    <!--  Bootstrap the message property files -->
    <bean id="org_alfresco_module_rm_resourceBundles" class="org.alfresco.i18n.ResourceBundleBootstrapComponent">

rm-server/config/alfresco/module/org_alfresco_module_rm/patch/rm-patch-context.xml

@@ -4,34 +4,35 @@
 <beans>
 
    <!--  rm module patch executer -->
-   <bean id="rm.modulePatchExecuter" parent="module.baseComponent" class="org.alfresco.module.org_alfresco_module_rm.patch.ModulePatchExecuterImpl">   
+   <bean id="rm.modulePatchExecuter" parent="module.baseComponent" class="org.alfresco.module.org_alfresco_module_rm.patch.ModulePatchExecuterImpl">
       <property name="moduleId" value="org_alfresco_module_rm"/>
       <property name="description" value="RM patch executer"/>
       <property name="sinceVersion" value="2.2"/>
       <property name="executeOnceOnly" value="false"/>
-      <property name="moduleSchema" value="1012"/>      
+      <property name="moduleSchema" value="2001"/>
-      <property name="attributeService" ref="AttributeService" />   
+      <property name="attributeService" ref="AttributeService" />
       <property name="dependsOn">
-      	<list>
+         <list>
-      	   <ref bean="org_alfresco_module_rm_bootstrapData" />
+            <ref bean="org_alfresco_module_rm_bootstrapData" />
-      	</list>
+         </list>
-      </property> 
+      </property>
    </bean>
-   
+
    <!-- rm module patch parent bean -->
    <bean id="rm.parentModulePatch" abstract="true" init-method="init">
       <property name="moduleId" value="org_alfresco_module_rm"/>
       <property name="fixesFromSchema" value="0"/>
       <property name="modulePatchExecuter" ref="rm.modulePatchExecuter"/>
-      <property name="transactionService" ref="transactionService"/>     
+      <property name="transactionService" ref="transactionService"/>
    </bean>
-   
+
    <!-- import patch implementations -->
-   
+
    <import resource="classpath:alfresco/module/org_alfresco_module_rm/patch/rm-patch-v20-context.xml"/>
    <import resource="classpath:alfresco/module/org_alfresco_module_rm/patch/rm-patch-v21-context.xml"/>
    <import resource="classpath:alfresco/module/org_alfresco_module_rm/patch/rm-patch-v22-context.xml"/>
    <import resource="classpath:alfresco/module/org_alfresco_module_rm/patch/rm-patch-v23-context.xml"/>
+   <import resource="classpath:alfresco/module/org_alfresco_module_rm/patch/rm-patch-v30-context.xml"/>
 
    <!-- compatibility beans -->
 

rm-server/config/alfresco/module/org_alfresco_module_rm/patch/rm-patch-v30-context.xml

@@ -0,0 +1,17 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
+
+<beans>
+
+   <!-- RM v3.0 Patches -->
+
+   <bean id="rm.clearancesForSpecialUsers"
+         parent="rm.parentModulePatch"
+         class="org.alfresco.module.org_alfresco_module_rm.patch.v30.RMv30ClearancesForSpecialUsers">
+      <property name="description" value="Provide security clearance to the admin and system users."/>
+      <property name="fixesToSchema" value="1012"/>
+      <property name="targetSchema" value="2001"/>
+      <property name="bootstrapComponent" ref="clearancesForSpecialUsersBootstrapComponent"/>
+   </bean>
+
+</beans>

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/bootstrap/BootstrapImporterModuleComponent.java

@@ -40,9 +40,11 @@ public class BootstrapImporterModuleComponent extends ImporterModuleComponent
 
     /** module patch executer */
     private ModulePatchExecuter modulePatchExecuter;
-    
+
     /** record contributors group bootstrap component */
     private RecordContributorsGroupBootstrapComponent recordContributorsGroupBootstrapComponent;
+    /** Clearances for special users bootstrap component. */
+    private ClearancesForSpecialUsersBootstrapComponent clearancesForSpecialUsersBootstrapComponent;
 
     /**
      * @param nodeService   node service
@@ -57,8 +59,8 @@ public class BootstrapImporterModuleComponent extends ImporterModuleComponent
      */
     public void setModulePatchExecuter(ModulePatchExecuter modulePatchExecuter)
     {
-		this.modulePatchExecuter = modulePatchExecuter;
+        this.modulePatchExecuter = modulePatchExecuter;
-	}
+    }
 
     /**
      * @param recordContributorsGroupBootstrapComponent record contributors group bootstrap component
@@ -67,7 +69,16 @@ public class BootstrapImporterModuleComponent extends ImporterModuleComponent
     {
         this.recordContributorsGroupBootstrapComponent = recordContributorsGroupBootstrapComponent;
     }
-    
+
+    /**
+     * @param clearancesForSpecialUsersBootstrapComponent The bootstrap component that give the admin and system users
+     *            the maximum clearance.
+     */
+    public void setClearancesForSpecialUsersBootstrapComponent(ClearancesForSpecialUsersBootstrapComponent clearancesForSpecialUsersBootstrapComponent)
+    {
+        this.clearancesForSpecialUsersBootstrapComponent = clearancesForSpecialUsersBootstrapComponent;
+    }
+
     /**
      * Need to check whether this module has already been executed.
      *
@@ -80,9 +91,10 @@ public class BootstrapImporterModuleComponent extends ImporterModuleComponent
         if (!nodeService.exists(nodeRef))
         {
             super.executeInternal();
-            
+
-            // bootstrap the record contributors group
+            // Bootstrap creation of initial data.
             recordContributorsGroupBootstrapComponent.createRecordContributorsGroup();
+            clearancesForSpecialUsersBootstrapComponent.createClearancesForSpecialUsers();
 
             // init module schema number
             modulePatchExecuter.initSchemaVersion();

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/bootstrap/ClearancesForSpecialUsersBootstrapComponent.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2005-2015 Alfresco Software Limited.
+ *
+ * This file is part of Alfresco
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.alfresco.module.org_alfresco_module_rm.bootstrap;
+
+import java.io.Serializable;
+
+import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceBootstrap;
+import org.alfresco.module.org_alfresco_module_rm.classification.model.ClassifiedContentModel;
+import org.alfresco.module.org_alfresco_module_rm.patch.v30.RMv30ClearancesForSpecialUsers;
+import org.alfresco.module.org_alfresco_module_rm.util.AuthenticationUtil;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.repository.NodeService;
+import org.alfresco.service.cmr.security.PersonService;
+
+/**
+ * Provide the highest clearance to the admin and system users. This needs to be run once (either bootstrapped into a
+ * fresh system, or as part of an upgrade in {@link RMv30ClearancesForSpecialUsers}) per installation.
+ *
+ * @author tpage
+ */
+public class ClearancesForSpecialUsersBootstrapComponent implements ClassifiedContentModel
+{
+    private AuthenticationUtil authenticationUtil;
+    private NodeService nodeService;
+    private PersonService personService;
+    private ClassificationServiceBootstrap classificationServiceBootstrap;
+
+    public void setAuthenticationUtil(AuthenticationUtil authenticationUtil) { this.authenticationUtil = authenticationUtil; }
+    public void setNodeService(NodeService nodeService) { this.nodeService = nodeService; }
+    public void setPersonService(PersonService personService) { this.personService = personService; }
+    public void setClassificationServiceBootstrap(ClassificationServiceBootstrap classificationServiceBootstrap) { this.classificationServiceBootstrap = classificationServiceBootstrap; }
+
+    /**
+     * Give the admin and system users the maximum clearance.
+     */
+    public void createClearancesForSpecialUsers()
+    {
+        // Ensure the classification levels are loaded before this patch runs. (Nb. This will result in the
+        // classification service bootstrap method being called twice on the start-up that includes this call).
+        classificationServiceBootstrap.onBootstrap(null);
+
+        Serializable mostSecureLevel = classificationServiceBootstrap.getClassificationLevelManager()
+                    .getMostSecureLevel().getId();
+        String systemUserName = authenticationUtil.getSystemUserName();
+        NodeRef system = personService.getPerson(systemUserName);
+        nodeService.setProperty(system, PROP_CLEARANCE_LEVEL, mostSecureLevel);
+        String adminUserName = authenticationUtil.getAdminUserName();
+        NodeRef admin = personService.getPerson(adminUserName);
+        nodeService.setProperty(admin, PROP_CLEARANCE_LEVEL, mostSecureLevel);
+    }
+}

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/ClassificationService.java

@@ -34,7 +34,8 @@ import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationS
 public interface ClassificationService
 {
     /**
-     * Returns an immutable list of the defined classification levels.
+     * Returns an immutable list of the defined classification levels visible to the current user.
+     *
      * @return classification levels in descending order from highest to lowest
      *         (where fewer users have access to the highest classification levels
      *         and therefore access to the most restricted documents).

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/ClassificationServiceImpl.java

@@ -40,13 +40,12 @@ public class ClassificationServiceImpl extends ServiceBaseImpl
     private ClassificationLevelManager levelManager;
     /** The classification reasons currently configured in this server. */
     private ClassificationReasonManager reasonManager;
+    private SecurityClearanceService securityClearanceService;
     private ClassificationServiceBootstrap classificationServiceBootstrap;
 
     public void setNodeService(NodeService service) { this.nodeService = service; }
-    public void setClassificationServiceBootstrap(ClassificationServiceBootstrap classificationServiceBootstrap)
+    public void setSecurityClearanceService(SecurityClearanceService securityClearanceService) { this.securityClearanceService = securityClearanceService; }
-    {
+    public void setClassificationServiceBootstrap(ClassificationServiceBootstrap classificationServiceBootstrap) { this.classificationServiceBootstrap = classificationServiceBootstrap; }
-        this.classificationServiceBootstrap = classificationServiceBootstrap;
-    }
 
     /** Store the references to the classification level and reason managers in this class. */
     public void init()
@@ -78,8 +77,8 @@ public class ClassificationServiceImpl extends ServiceBaseImpl
         {
             return Collections.emptyList();
         }
-        // FIXME Currently assume user has highest security clearance, this should be fixed as part of RM-2112.
+        SecurityClearance securityClearance = securityClearanceService.getUserSecurityClearance();
-        ClassificationLevel usersLevel = levelManager.getMostSecureLevel();
+        ClassificationLevel usersLevel = securityClearance.getClearanceLevel().getHighestClassificationLevel();
         return restrictList(levelManager.getClassificationLevels(), usersLevel);
     }
 

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/patch/v30/RMv30ClearancesForSpecialUsers.java

@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2005-2015 Alfresco Software Limited.
+ *
+ * This file is part of Alfresco
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.alfresco.module.org_alfresco_module_rm.patch.v30;
+
+import org.alfresco.module.org_alfresco_module_rm.bootstrap.ClearancesForSpecialUsersBootstrapComponent;
+import org.alfresco.module.org_alfresco_module_rm.patch.AbstractModulePatch;
+
+/**
+ * Patch to provide the highest clearance to the admin and system users.
+ *
+ * @author tpage
+ */
+public class RMv30ClearancesForSpecialUsers extends AbstractModulePatch
+{
+    private ClearancesForSpecialUsersBootstrapComponent bootstrapComponent;
+
+    public void setBootstrapComponent(ClearancesForSpecialUsersBootstrapComponent bootstrapComponent)
+    {
+        this.bootstrapComponent = bootstrapComponent;
+    }
+
+    /**
+     * Give the admin and system users the maximum clearance.
+     *
+     * @see org.alfresco.module.org_alfresco_module_rm.patch.AbstractModulePatch#applyInternal()
+     */
+    @Override
+    public void applyInternal()
+    {
+        bootstrapComponent.createClearancesForSpecialUsers();
+    }
+}

rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/util/BaseRMTestCase.java

@@ -30,7 +30,8 @@ import org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditSe
 import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
 import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
 import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationService;
-import org.alfresco.module.org_alfresco_module_rm.classification.ContentClassificationService;
+import org.alfresco.module.org_alfresco_module_rm.classification.ContentClassificationService;
+import org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService;
 import org.alfresco.module.org_alfresco_module_rm.dataset.DataSetService;
 import org.alfresco.module.org_alfresco_module_rm.disposition.DispositionSchedule;
 import org.alfresco.module.org_alfresco_module_rm.disposition.DispositionService;
@@ -163,6 +164,7 @@ public abstract class BaseRMTestCase extends RetryingTransactionHelperTestCase
     protected InplaceRecordService inplaceRecordService;
     protected RelationshipService relationshipService;
     protected ClassificationService classificationService;
+    protected SecurityClearanceService securityClearanceService;
     protected ContentClassificationService contentClassificationService;
 
     /** test data */
@@ -404,6 +406,7 @@ public abstract class BaseRMTestCase extends RetryingTransactionHelperTestCase
         inplaceRecordService = (InplaceRecordService) applicationContext.getBean("InplaceRecordService");
         relationshipService = (RelationshipService) applicationContext.getBean("RelationshipService");
         classificationService = (ClassificationService) applicationContext.getBean("ClassificationService");
+        securityClearanceService = (SecurityClearanceService) applicationContext.getBean("SecurityClearanceService");
         contentClassificationService = (ContentClassificationService) applicationContext.getBean("ContentClassificationService");
     }
 

rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/bootstrap/BootstrapImporterModuleComponentUnitTest.java

@@ -34,7 +34,7 @@ import org.mockito.Mock;
 
 /**
  * Bootstrap importer module component unit test
- * 
+ *
  * @author Roy Wetherall
  * @since 2.3
  */
@@ -42,16 +42,17 @@ public class BootstrapImporterModuleComponentUnitTest extends BaseUnitTest
 {
     /** RM config node */
     private static final NodeRef configNodeRef = new NodeRef(StoreRef.STORE_REF_WORKSPACE_SPACESSTORE, "rm_config_folder");
-    
+
     /** mocks */
-    @Mock(name="importer")                                  private ImporterBootstrap                           mockedImporter;
+    @Mock(name="importer")                                    private ImporterBootstrap                           mockedImporter;
-    @Mock(name="modulePatchExecuter")                       private ModulePatchExecuter                         mockedModulePatchExecuter;
+    @Mock(name="modulePatchExecuter")                         private ModulePatchExecuter                         mockedModulePatchExecuter;
-    @Mock(name="recordContributorsGroupBootstrapComponent") private RecordContributorsGroupBootstrapComponent   mockedRecordContributorsGroupBootstrapComponent;
+    @Mock(name="recordContributorsGroupBootstrapComponent")   private RecordContributorsGroupBootstrapComponent   mockedRecordContributorsGroupBootstrapComponent;
-    
+    @Mock(name="clearancesForSpecialUsersBootstrapComponent") private ClearancesForSpecialUsersBootstrapComponent mockedClearancesForSpecialUsersBootstrapComponent;
+
     /** importer */
     @InjectMocks
     private BootstrapImporterModuleComponent importer;
-    
+
     /**
      * Given that the system has already been bootstraped
      * When I try and boostrap the system
@@ -62,16 +63,16 @@ public class BootstrapImporterModuleComponentUnitTest extends BaseUnitTest
     {
         // config node exists
         doReturn(true).when(mockedNodeService).exists(configNodeRef);
-        
+
         // boostrap
         importer.executeInternal();
-        
+
         // not bootstraped
         verify(mockedImporter, never()).bootstrap();
         verify(mockedModulePatchExecuter, never()).initSchemaVersion();
         verify(mockedRecordContributorsGroupBootstrapComponent, never()).createRecordContributorsGroup();
     }
-    
+
     /**
      * Given that the system has not been bootstraped
      * When I try and bootstrap the system
@@ -82,13 +83,13 @@ public class BootstrapImporterModuleComponentUnitTest extends BaseUnitTest
     {
         // config node does not exist
         doReturn(false).when(mockedNodeService).exists(configNodeRef);
-        
+
         // boostrap
         importer.executeInternal();
-        
+
         // not bootstraped
         verify(mockedImporter, times(1)).bootstrap();
         verify(mockedModulePatchExecuter, times(1)).initSchemaVersion();
-        verify(mockedRecordContributorsGroupBootstrapComponent, times(1)).createRecordContributorsGroup();        
+        verify(mockedRecordContributorsGroupBootstrapComponent, times(1)).createRecordContributorsGroup();
     }
 }

rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/bootstrap/ClearancesForSpecialUsersBootstrapComponentUnitTest.java

@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 2005-2015 Alfresco Software Limited.
+ *
+ * This file is part of Alfresco
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.alfresco.module.org_alfresco_module_rm.bootstrap;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+import static org.mockito.MockitoAnnotations.initMocks;
+
+import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationLevel;
+import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationLevelManager;
+import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceBootstrap;
+import org.alfresco.module.org_alfresco_module_rm.classification.model.ClassifiedContentModel;
+import org.alfresco.module.org_alfresco_module_rm.util.AuthenticationUtil;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.repository.NodeService;
+import org.alfresco.service.cmr.security.PersonService;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+
+/**
+ * Unit tests for {@link ClearancesForSpecialUsersBootstrapComponent}.
+ *
+ * @author tpage
+ */
+public class ClearancesForSpecialUsersBootstrapComponentUnitTest implements ClassifiedContentModel
+{
+    @InjectMocks ClearancesForSpecialUsersBootstrapComponent clearancesForSpecialUsersBootstrapComponent;
+    @Mock AuthenticationUtil mockAuthenticationUtil;
+    @Mock PersonService mockPersonService;
+    @Mock NodeService mockNodeService;
+    @Mock ClassificationServiceBootstrap mockClassificationServiceBootstrap;
+
+    @Before public void setUp()
+    {
+        initMocks(this);
+    }
+
+    /** Check that the system and admin users get assigned the provided clearance. */
+    @Test public void testCreateClearancesForSpecialUsers()
+    {
+        // Allow the classification level id to be found.
+        ClassificationLevel level = new ClassificationLevel("id", "displayLabelKey");
+        ClassificationLevelManager mockClassificationLevelManager = mock(ClassificationLevelManager.class);
+        when(mockClassificationLevelManager.getMostSecureLevel()).thenReturn(level);
+        when(mockClassificationServiceBootstrap.getClassificationLevelManager()).thenReturn(mockClassificationLevelManager);
+
+        // Set up the admin and system users.
+        when(mockAuthenticationUtil.getSystemUserName()).thenReturn("system");
+        NodeRef system = new NodeRef("system://node/");
+        when(mockPersonService.getPerson("system")).thenReturn(system);
+        when(mockAuthenticationUtil.getAdminUserName()).thenReturn("admin");
+        NodeRef admin = new NodeRef("admin://node/");
+        when(mockPersonService.getPerson("admin")).thenReturn(admin);
+
+        // Call the method under test.
+        clearancesForSpecialUsersBootstrapComponent.createClearancesForSpecialUsers();
+
+        verify(mockNodeService).setProperty(system, PROP_CLEARANCE_LEVEL, "id");
+        verify(mockNodeService).setProperty(admin, PROP_CLEARANCE_LEVEL, "id");
+        // Check that the classification levels were loaded.
+        verify(mockClassificationServiceBootstrap).onBootstrap(null);
+    }
+}