[maven-release-plugin][skip ci] prepare release 23.3.0.55

ACS-6931 Re-enable Veracode SAST Scan (#2690 )
ACS-6931 Re-enable Veracode SAST Scan
2025-09-10 14:11:58 +00:00 · 2024-06-19 10:27:44 +00:00 · 2024-06-19 11:51:40 +02:00 · 2024-06-18 07:43:10 +00:00 · 2024-06-18 07:43:08 +00:00 · 2024-06-18 08:07:03 +01:00
44 changed files with 1479 additions and 581 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -74,58 +74,56 @@ jobs:
      - name: "Clean Maven cache"
        run: bash ./scripts/ci/cleanup_cache.sh

-#  SEE: ACS-6931 Currently times out after an hour. TO BE RESTORED after resolving the issue with Veracode Support.
-#
-#  veracode_sast:
-#    name: "Pipeline SAST Scan"
-#    runs-on: ubuntu-latest
-#    needs: [prepare]
-#    if: >
-#      (github.ref_name == 'master' || startsWith(github.ref_name, 'release/') || github.event_name == 'pull_request') &&
-#      github.actor != 'dependabot[bot]' &&
-#      !contains(github.event.head_commit.message, '[skip tests]') &&
-#      !contains(github.event.head_commit.message, '[force')
-#    steps:
-#      - uses: actions/checkout@v4
-#      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v1.35.2
-#      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v1.35.2
-#      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v1.35.2
-#      - uses: Alfresco/alfresco-build-tools/.github/actions/github-download-file@v5.6.0
-#        with:
-#          token: ${{ secrets.BOT_GITHUB_TOKEN }}
-#          repository: "Alfresco/veracode-baseline-archive"
-#          file-path: "alfresco-community-repo/alfresco-community-repo-baseline.json"
-#          target: "baseline.json"
-#      - name: "Build"
-#        timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
-#        run: |
-#          bash ./scripts/ci/init.sh
-#          bash ./scripts/ci/build.sh
-#      - name: "Run SAST Scan"
-#        uses: veracode/Veracode-pipeline-scan-action@v1.0.10
-#        with:
-#          vid: ${{ secrets.VERACODE_API_ID }}
-#          vkey: ${{ secrets.VERACODE_API_KEY }}
-#          file: "packaging/war/target/alfresco.war"
-#          fail_build: true
-#          project_name: alfresco-community-repo
-#          issue_details: true
-#          veracode_policy_name: Alfresco Default
-#          summary_output: true
-#          summary_output_file: results.json
-#          summary_display: true
-#          baseline_file: baseline.json
-#      - name: Upload scan result
-#        if: success() || failure()
-#        run: zip readable_output.zip results.json
-#      - name: Upload Artifact
-#        if: success() || failure()
-#        uses: actions/upload-artifact@v3
-#        with:
-#          name: Veracode Pipeline-Scan Results (Human Readable)
-#          path: readable_output.zip
-#      - name: "Clean Maven cache"
-#        run: bash ./scripts/ci/cleanup_cache.sh
+  veracode_sast:
+    name: "Pipeline SAST Scan"
+    runs-on: ubuntu-latest
+    needs: [prepare]
+    if: >
+      (github.ref_name == 'master' || startsWith(github.ref_name, 'release/') || github.event_name == 'pull_request') &&
+      github.actor != 'dependabot[bot]' &&
+      !contains(github.event.head_commit.message, '[skip tests]') &&
+      !contains(github.event.head_commit.message, '[force')
+    steps:
+      - uses: actions/checkout@v4
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v1.35.2
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v1.35.2
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v1.35.2
+      - uses: Alfresco/alfresco-build-tools/.github/actions/github-download-file@v5.6.0
+        with:
+          token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          repository: "Alfresco/veracode-baseline-archive"
+          file-path: "alfresco-community-repo/alfresco-community-repo-baseline.json"
+          target: "baseline.json"
+      - name: "Build"
+        timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
+        run: |
+          bash ./scripts/ci/init.sh
+          bash ./scripts/ci/build.sh
+      - name: "Run SAST Scan"
+        uses: veracode/Veracode-pipeline-scan-action@v1.0.16
+        with:
+          vid: ${{ secrets.VERACODE_API_ID }}
+          vkey: ${{ secrets.VERACODE_API_KEY }}
+          file: "packaging/war/target/alfresco.war"
+          fail_build: true
+          project_name: alfresco-community-repo
+          issue_details: true
+          veracode_policy_name: Alfresco Default
+          summary_output: true
+          summary_output_file: results.json
+          summary_display: true
+          baseline_file: baseline.json
+      - name: Upload scan result
+        if: success() || failure()
+        run: zip readable_output.zip results.json
+      - name: Upload Artifact
+        if: success() || failure()
+        uses: actions/upload-artifact@v3
+        with:
+          name: Veracode Pipeline-Scan Results (Human Readable)
+          path: readable_output.zip
+      - name: "Clean Maven cache"
+        run: bash ./scripts/ci/cleanup_cache.sh

  pmd_scan:
    name: "PMD Scan"
--- a/amps/ags/pom.xml
+++ b/amps/ags/pom.xml
@@ -7,7 +7,7 @@
   <parent>
      <groupId>org.alfresco</groupId>
      <artifactId>alfresco-community-repo-amps</artifactId>
-      <version>23.3.0.43</version>
+      <version>23.3.0.55</version>
   </parent>

   <modules>
--- a/amps/ags/rm-automation/pom.xml
+++ b/amps/ags/rm-automation/pom.xml
@@ -7,7 +7,7 @@
   <parent>
      <groupId>org.alfresco</groupId>
      <artifactId>alfresco-governance-services-community-parent</artifactId>
-      <version>23.3.0.43</version>
+      <version>23.3.0.55</version>
   </parent>

   <modules>
--- a/amps/ags/rm-automation/rm-automation-community-rest-api/pom.xml
+++ b/amps/ags/rm-automation/rm-automation-community-rest-api/pom.xml
@@ -7,7 +7,7 @@
   <parent>
      <groupId>org.alfresco</groupId>
      <artifactId>alfresco-governance-services-automation-community-repo</artifactId>
-      <version>23.3.0.43</version>
+      <version>23.3.0.55</version>
   </parent>

   <build>
--- a/amps/ags/rm-community/pom.xml
+++ b/amps/ags/rm-community/pom.xml
@@ -7,7 +7,7 @@
   <parent>
      <groupId>org.alfresco</groupId>
      <artifactId>alfresco-governance-services-community-parent</artifactId>
-      <version>23.3.0.43</version>
+      <version>23.3.0.55</version>
   </parent>

   <modules>
--- a/amps/ags/rm-community/rm-community-repo/.env
+++ b/amps/ags/rm-community/rm-community-repo/.env
@@ -1,3 +1,3 @@
-SOLR6_TAG=2.0.10
+SOLR6_TAG=2.0.11-A6
 POSTGRES_TAG=15.4
 ACTIVEMQ_TAG=5.18.3-jre17-rockylinux8
--- a/amps/ags/rm-community/rm-community-repo/pom.xml
+++ b/amps/ags/rm-community/rm-community-repo/pom.xml
@@ -8,7 +8,7 @@
   <parent>
      <groupId>org.alfresco</groupId>
      <artifactId>alfresco-governance-services-community-repo-parent</artifactId>
-      <version>23.3.0.43</version>
+      <version>23.3.0.55</version>
   </parent>

   <properties>
--- a/amps/ags/rm-community/rm-community-rest-api-explorer/pom.xml
+++ b/amps/ags/rm-community/rm-community-rest-api-explorer/pom.xml
@@ -7,7 +7,7 @@
    <parent>
        <groupId>org.alfresco</groupId>
        <artifactId>alfresco-governance-services-community-repo-parent</artifactId>
-        <version>23.3.0.43</version>
+        <version>23.3.0.55</version>
    </parent>

    <build>
--- a/amps/pom.xml
+++ b/amps/pom.xml
@@ -7,7 +7,7 @@
    <parent>
        <groupId>org.alfresco</groupId>
        <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.43</version>
+        <version>23.3.0.55</version>
    </parent>

    <modules>
--- a/amps/share-services/pom.xml
+++ b/amps/share-services/pom.xml
@@ -8,7 +8,7 @@
    <parent>
        <groupId>org.alfresco</groupId>
        <artifactId>alfresco-community-repo-amps</artifactId>
-        <version>23.3.0.43</version>
+        <version>23.3.0.55</version>
    </parent>

    <properties>
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -7,7 +7,7 @@
   <parent>
      <groupId>org.alfresco</groupId>
      <artifactId>alfresco-community-repo</artifactId>
-      <version>23.3.0.43</version>
+      <version>23.3.0.55</version>
   </parent>

   <dependencies>
--- a/data-model/pom.xml
+++ b/data-model/pom.xml
@@ -7,7 +7,7 @@
    <parent>
        <groupId>org.alfresco</groupId>
        <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.43</version>
+        <version>23.3.0.55</version>
    </parent>

    <properties>
--- a/data-model/src/main/java/org/alfresco/service/cmr/security/PermissionService.java
+++ b/data-model/src/main/java/org/alfresco/service/cmr/security/PermissionService.java
@@ -2,7 +2,7 @@
 * #%L
 * Alfresco Data model classes
 * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
 * %%
 * This file is part of the Alfresco software. 
 * If the software was purchased under a paid Alfresco license, the terms of 
@@ -78,6 +78,28 @@ public interface PermissionService
     */
    public static final String GUEST_AUTHORITY = "ROLE_GUEST";

+    /**
+     * The dynamic authority for the Admin service account.
+     */
+    String ADMIN_SVC_AUTHORITY = "ROLE_ADMIN_SERVICE_ACCOUNT";
+
+    /**
+     * The dynamic authority for the Collaborator service account.
+     */
+    String COLLABORATOR_SVC_AUTHORITY = "ROLE_COLLABORATOR_SERVICE_ACCOUNT";
+
+    /**
+     * The dynamic authority for the Editor service account.
+     */
+    String EDITOR_SVC_AUTHORITY = "ROLE_EDITOR_SERVICE_ACCOUNT";
+
+    /**
+     * A convenient set of service account authorities to simplify checks
+     * for whether a given authority is a service account authority or not.
+     */
+    Set<String> SVC_AUTHORITIES_SET = Set.of(ADMIN_SVC_AUTHORITY, COLLABORATOR_SVC_AUTHORITY,
+                                             EDITOR_SVC_AUTHORITY);
+
    /**
     * The permission for all - not defined in the model. Repsected in the code.
     */
--- a/mmt/pom.xml
+++ b/mmt/pom.xml
@@ -7,7 +7,7 @@
    <parent>
        <groupId>org.alfresco</groupId>
        <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.43</version>
+        <version>23.3.0.55</version>
    </parent>

    <dependencies>
--- a/packaging/distribution/pom.xml
+++ b/packaging/distribution/pom.xml
@@ -9,6 +9,6 @@
    <parent>
        <groupId>org.alfresco</groupId>
        <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>23.3.0.43</version>
+        <version>23.3.0.55</version>
    </parent>
 </project>
--- a/packaging/docker-alfresco/pom.xml
+++ b/packaging/docker-alfresco/pom.xml
@@ -7,7 +7,7 @@
    <parent>
        <groupId>org.alfresco</groupId>
        <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>23.3.0.43</version>
+        <version>23.3.0.55</version>
    </parent>

    <properties>
--- a/packaging/pom.xml
+++ b/packaging/pom.xml
@@ -7,7 +7,7 @@
    <parent>
        <groupId>org.alfresco</groupId>
        <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.43</version>
+        <version>23.3.0.55</version>
    </parent>

    <modules>
--- a/packaging/tests/environment/.env
+++ b/packaging/tests/environment/.env
@@ -1,3 +1,3 @@
-SOLR6_TAG=2.0.10
+SOLR6_TAG=2.0.11-A6
 POSTGRES_TAG=15.4
 ACTIVEMQ_TAG=5.18.3-jre17-rockylinux8
--- a/packaging/tests/pom.xml
+++ b/packaging/tests/pom.xml
@@ -6,7 +6,7 @@
    <parent>
        <groupId>org.alfresco</groupId>
        <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>23.3.0.43</version>
+        <version>23.3.0.55</version>
    </parent>

    <modules>
--- a/packaging/tests/tas-cmis/pom.xml
+++ b/packaging/tests/tas-cmis/pom.xml
@@ -7,7 +7,7 @@
    <parent>
        <groupId>org.alfresco</groupId>
        <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.43</version>
+        <version>23.3.0.55</version>
    </parent>

    <organization>
--- a/packaging/tests/tas-email/pom.xml
+++ b/packaging/tests/tas-email/pom.xml
@@ -9,7 +9,7 @@
    <parent>
        <groupId>org.alfresco</groupId>
        <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.43</version>
+        <version>23.3.0.55</version>
    </parent>

    <developers>
--- a/packaging/tests/tas-integration/pom.xml
+++ b/packaging/tests/tas-integration/pom.xml
@@ -9,7 +9,7 @@
    <parent>
        <groupId>org.alfresco</groupId>
        <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.43</version>
+        <version>23.3.0.55</version>
    </parent>

    <developers>
--- a/packaging/tests/tas-restapi/pom.xml
+++ b/packaging/tests/tas-restapi/pom.xml
@@ -8,7 +8,7 @@
    <parent>
        <groupId>org.alfresco</groupId>
        <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.43</version>
+        <version>23.3.0.55</version>
    </parent>

    <properties>
--- a/packaging/tests/tas-webdav/pom.xml
+++ b/packaging/tests/tas-webdav/pom.xml
@@ -9,7 +9,7 @@
    <parent>
        <groupId>org.alfresco</groupId>
        <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.43</version>
+        <version>23.3.0.55</version>
    </parent>

    <developers>
--- a/packaging/war/pom.xml
+++ b/packaging/war/pom.xml
@@ -7,7 +7,7 @@
    <parent>
        <groupId>org.alfresco</groupId>
        <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>23.3.0.43</version>
+        <version>23.3.0.55</version>
    </parent>

    <properties>
--- a/pom.xml
+++ b/pom.xml
@@ -2,7 +2,7 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <artifactId>alfresco-community-repo</artifactId>
-    <version>23.3.0.43</version>
+    <version>23.3.0.55</version>
    <packaging>pom</packaging>
    <name>Alfresco Community Repo Parent</name>

@@ -51,20 +51,20 @@
        <dependency.alfresco-server-root.version>7.0.1</dependency.alfresco-server-root.version>
        <dependency.activiti-engine.version>5.23.0</dependency.activiti-engine.version>
        <dependency.activiti.version>5.23.0</dependency.activiti.version>
-        <dependency.alfresco-transform-core.version>5.1.2</dependency.alfresco-transform-core.version>
-        <dependency.alfresco-transform-service.version>4.1.2</dependency.alfresco-transform-service.version>
+        <dependency.alfresco-transform-core.version>5.1.3-A3</dependency.alfresco-transform-core.version>
+        <dependency.alfresco-transform-service.version>4.1.3-A2</dependency.alfresco-transform-service.version>
        <dependency.alfresco-greenmail.version>7.0</dependency.alfresco-greenmail.version>
        <dependency.acs-event-model.version>0.0.27</dependency.acs-event-model.version>

        <dependency.aspectj.version>1.9.20.1</dependency.aspectj.version>
        <dependency.spring.version>6.0.19</dependency.spring.version>
-        <dependency.spring-security.version>6.2.2</dependency.spring-security.version>
+        <dependency.spring-security.version>6.3.0</dependency.spring-security.version>
        <dependency.antlr.version>3.5.3</dependency.antlr.version>
        <dependency.jackson.version>2.15.2</dependency.jackson.version>
        <dependency.cxf.version>4.0.2</dependency.cxf.version>
        <dependency.opencmis.version>1.0.0-jakarta-1</dependency.opencmis.version>
        <dependency.webscripts.version>9.0</dependency.webscripts.version>
-        <dependency.bouncycastle.version>1.77</dependency.bouncycastle.version>
+        <dependency.bouncycastle.version>1.78.1</dependency.bouncycastle.version>
        <dependency.mockito-core.version>5.4.0</dependency.mockito-core.version>
        <dependency.assertj.version>3.24.2</dependency.assertj.version>
        <dependency.org-json.version>20231013</dependency.org-json.version>
@@ -85,8 +85,8 @@
        <dependency.truezip.version>7.7.10</dependency.truezip.version>
        <dependency.poi.version>5.2.5</dependency.poi.version>
        <dependency.jboss.logging.version>3.5.0.Final</dependency.jboss.logging.version>
-        <dependency.camel.version>4.0.0</dependency.camel.version> <!-- when bumping this version, please keep track/sync with included netty.io dependencies -->
-        <dependency.netty.version>4.1.96.Final</dependency.netty.version> <!-- must be in sync with camels transitive dependencies, e.g.: netty-common -->
+        <dependency.camel.version>4.0.5</dependency.camel.version> <!-- when bumping this version, please keep track/sync with included netty.io dependencies -->
+        <dependency.netty.version>4.1.110.Final</dependency.netty.version> <!-- must be in sync with camels transitive dependencies, e.g.: netty-common -->
        <dependency.activemq.version>5.18.3</dependency.activemq.version>
        <dependency.apache-compress.version>1.26.0</dependency.apache-compress.version>
        <dependency.awaitility.version>4.2.0</dependency.awaitility.version>
@@ -113,7 +113,7 @@
        <dependency.jakarta-json-path.version>2.9.0</dependency.jakarta-json-path.version>
        <dependency.json-smart.version>2.5.0</dependency.json-smart.version>
        <alfresco.googledrive.version>4.1.0</alfresco.googledrive.version>
-        <alfresco.aos-module.version>3.0.0</alfresco.aos-module.version>
+        <alfresco.aos-module.version>3.1.0-A1</alfresco.aos-module.version>
        <alfresco.api-explorer.version>23.2.0</alfresco.api-explorer.version> <!-- Also in alfresco-enterprise-share -->

        <alfresco.maven-plugin.version>2.2.0</alfresco.maven-plugin.version>
@@ -123,7 +123,7 @@
        <dependency.mysql.version>8.0.30</dependency.mysql.version>
        <dependency.mysql-image.version>8</dependency.mysql-image.version>
        <dependency.mariadb.version>2.7.4</dependency.mariadb.version>
-        <dependency.tas-utility.version>5.0.0</dependency.tas-utility.version>
+        <dependency.tas-utility.version>5.0.1</dependency.tas-utility.version>
        <dependency.rest-assured.version>5.3.2</dependency.rest-assured.version>
        <dependency.tas-email.version>2.0.0</dependency.tas-email.version>
        <dependency.tas-webdav.version>1.21</dependency.tas-webdav.version>
@@ -151,7 +151,7 @@
        <connection>scm:git:https://github.com/Alfresco/alfresco-community-repo.git</connection>
        <developerConnection>scm:git:https://github.com/Alfresco/alfresco-community-repo.git</developerConnection>
        <url>https://github.com/Alfresco/alfresco-community-repo</url>
-        <tag>23.3.0.43</tag>
+        <tag>23.3.0.55</tag>
    </scm>

    <distributionManagement>
@@ -1123,10 +1123,10 @@
                                            <exclude>com.sun.xml.bind</exclude>
                                        </excludes>
                                        <includes>
-                                            <include>org.bouncycastle:bcprov-jdk18on:[1.77,)</include>
-                                            <include>org.bouncycastle:bcmail-jdk18on:[1.77,)</include>
-                                            <include>org.bouncycastle:bcpkix-jdk18on:[1.77,)</include>
-                                            <include>org.bouncycastle:bcutil-jdk18on:[1.77,)</include>
+                                            <include>org.bouncycastle:bcprov-jdk18on:[1.78.1,)</include>
+                                            <include>org.bouncycastle:bcmail-jdk18on:[1.78.1,)</include>
+                                            <include>org.bouncycastle:bcpkix-jdk18on:[1.78.1,)</include>
+                                            <include>org.bouncycastle:bcutil-jdk18on:[1.78.1,)</include>
                                        </includes>
                                    </bannedDependencies>
                                </rules>
--- a/remote-api/pom.xml
+++ b/remote-api/pom.xml
@@ -7,7 +7,7 @@
    <parent>
        <groupId>org.alfresco</groupId>
        <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.43</version>
+        <version>23.3.0.55</version>
    </parent>

    <dependencies>
--- a/repository/pom.xml
+++ b/repository/pom.xml
@@ -7,7 +7,7 @@
    <parent>
        <groupId>org.alfresco</groupId>
        <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.43</version>
+        <version>23.3.0.55</version>
    </parent>

    <dependencies>
--- a/repository/src/main/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountAuthority.java
+++ b/repository/src/main/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountAuthority.java
@@ -0,0 +1,83 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.security.permissions.dynamic;
+
+import java.util.Optional;
+import java.util.Set;
+
+import org.alfresco.repo.serviceaccount.ServiceAccountRegistry;
+import org.alfresco.repo.security.permissions.DynamicAuthority;
+import org.alfresco.repo.security.permissions.PermissionReference;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.util.PropertyCheck;
+import org.springframework.beans.factory.InitializingBean;
+
+/**
+ * This class represents a dynamic authority for service accounts in the system.
+ *
+ * @author Jamal Kaabi-Mofrad
+ */
+public class ServiceAccountAuthority implements DynamicAuthority, InitializingBean
+{
+    private String authority;
+    private ServiceAccountRegistry serviceAccountRegistry;
+
+    public void setAuthority(String authority)
+    {
+        this.authority = authority;
+    }
+
+    public void setServiceAccountRegistry(ServiceAccountRegistry serviceAccountRegistry)
+    {
+        this.serviceAccountRegistry = serviceAccountRegistry;
+    }
+
+    @Override
+    public void afterPropertiesSet() throws Exception
+    {
+        PropertyCheck.mandatory(this, "authority", authority);
+        PropertyCheck.mandatory(this, "serviceAccountRegistry", serviceAccountRegistry);
+    }
+
+    @Override
+    public boolean hasAuthority(NodeRef nodeRef, String userName)
+    {
+        Optional<String> role = serviceAccountRegistry.getServiceAccountRole(userName);
+        return role.isPresent() && role.get().equals(this.getAuthority());
+    }
+
+    @Override
+    public String getAuthority()
+    {
+        return this.authority;
+    }
+
+    @Override
+    public Set<PermissionReference> requiredFor()
+    {
+        return null;
+    }
+}
--- a/repository/src/main/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistry.java
+++ b/repository/src/main/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistry.java
@@ -0,0 +1,61 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.serviceaccount;
+
+import java.util.Optional;
+import java.util.Set;
+
+/**
+ * A service account registry that allows service accounts to be registered
+ * with their corresponding roles.
+ *
+ * @author Jamal Kaabi-Mofrad
+ */
+public interface ServiceAccountRegistry
+{
+    /**
+     * Registers a service account with its corresponding role.
+     *
+     * @param serviceAccountName The name of the service account to be registered.
+     * @param serviceAccountRole The role of the service account to be registered.
+     */
+    void register(String serviceAccountName, String serviceAccountRole);
+
+    /**
+     * Retrieves the role of a specific service account.
+     *
+     * @param serviceAccountName The name of the service account.
+     * @return An Optional containing the role of the service account if it exists, otherwise an empty Optional.
+     */
+    Optional<String> getServiceAccountRole(String serviceAccountName);
+
+    /**
+     * Retrieves the names of all service accounts.
+     *
+     * @return A set of service account names. If no service accounts are present, an empty set is returned.
+     */
+    Set<String> getServiceAccountNames();
+}
--- a/repository/src/main/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistryImpl.java
+++ b/repository/src/main/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistryImpl.java
@@ -0,0 +1,157 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.serviceaccount;
+
+import java.util.Locale;
+import java.util.Optional;
+import java.util.Properties;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+
+import org.alfresco.service.cmr.security.PermissionService;
+import org.alfresco.util.PropertyCheck;
+
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.InitializingBean;
+
+/**
+ * Processes the <b>alfresco-global</b> properties file and applies a naming convention to distinguish the service
+ * account's name and role.
+ * <p>
+ * The naming convention adheres to the following format:
+ * <p>
+ * <pre>
+ *   {@code
+ *     serviceaccount.role.<service-account-name>=<service-account-role>
+ *   }
+ * </pre>
+ * <p>
+ * Please note, any property with an invalid role value will be disregarded and the corresponding service account
+ * will not be registered.
+ * <p>
+ * For instance, to register a service account named 'custom-app-sa' with the 'Editor' role (which allows it to
+ * update node properties), the following should be defined in the <b>alfresco-global</b> properties file:
+ * <ul>
+ *   <li>serviceaccount.role.custom-app-sa=EDITOR_SERVICE_ACCOUNT</li>
+ *   <li>or</li>
+ *   <li>serviceaccount.role.custom-app-sa=ROLE_EDITOR_SERVICE_ACCOUNT</li>
+ * </ul>
+ *
+ * @author Jamal Kaabi-Mofrad
+ */
+public class ServiceAccountRegistryImpl implements ServiceAccountRegistry, InitializingBean
+{
+    private static final Logger LOGGER = LoggerFactory.getLogger(ServiceAccountRegistryImpl.class);
+
+    public static final String KEY_PREFIX = "serviceaccount.role.";
+
+    private Properties globalProperties;
+    private final ConcurrentMap<String, String> saRoleMap = new ConcurrentHashMap<>();
+
+    public void setGlobalProperties(Properties globalProperties)
+    {
+        this.globalProperties = globalProperties;
+    }
+
+    @Override
+    public void register(String serviceAccountName, String serviceAccountRole)
+    {
+        saRoleMap.put(serviceAccountName, serviceAccountRole);
+        LOGGER.info("Service account '{}' is registered with the role '{}'.", serviceAccountName, serviceAccountRole);
+    }
+
+    @Override
+    public Optional<String> getServiceAccountRole(String serviceAccountName)
+    {
+        return Optional.ofNullable(saRoleMap.get(serviceAccountName));
+    }
+
+    @Override
+    public Set<String> getServiceAccountNames()
+    {
+        return Set.copyOf(saRoleMap.keySet());
+    }
+
+    private void init()
+    {
+        globalProperties.stringPropertyNames()
+                .stream()
+                .filter(key -> key.startsWith(KEY_PREFIX))
+                .forEach(key -> {
+                    String name = key.substring(KEY_PREFIX.length());
+                    if (isNotValidProperty(key, name, "name"))
+                    {
+                        return;
+                    }
+                    String role = globalProperties.getProperty(key);
+                    if (isNotValidProperty(key, role, "role"))
+                    {
+                        return;
+                    }
+                    // Ensure the role is in uppercase and has the prefix
+                    role = role.toUpperCase(Locale.ENGLISH);
+                    role = getRoleWithPrefix(role);
+                    if (!PermissionService.SVC_AUTHORITIES_SET.contains(role))
+                    {
+                        LOGGER.warn("Invalid service account role '{}'. The role is not recognized.", role);
+                        return;
+                    }
+
+                    // Register the service account name with the corresponding role.
+                    register(name, role);
+                });
+    }
+
+    @Override
+    public void afterPropertiesSet() throws Exception
+    {
+        PropertyCheck.mandatory(this, "globalProperties", globalProperties);
+        init();
+    }
+
+    private String getRoleWithPrefix(String saRole)
+    {
+        if (!saRole.startsWith(PermissionService.ROLE_PREFIX))
+        {
+            saRole = PermissionService.ROLE_PREFIX + saRole;
+        }
+        return saRole;
+    }
+
+    private boolean isNotValidProperty(String key, String value, String valueType)
+    {
+        if (StringUtils.isBlank(value))
+        {
+            LOGGER.warn("Invalid service account {} defined in the property '{}'. The {} cannot be an empty string.",
+                        valueType, key, valueType);
+            return true;
+        }
+        return false;
+    }
+}
--- a/repository/src/main/java/org/alfresco/transform/registry/CombinedConfig.java
+++ b/repository/src/main/java/org/alfresco/transform/registry/CombinedConfig.java
@@ -62,6 +62,7 @@ import static org.alfresco.transform.common.RequestParamMap.ENDPOINT_TRANSFORM_C
 */
 public class CombinedConfig extends CombinedTransformConfig
 {
+    public static final String X_ALFRESCO_RETRY_NEEDED_HEADER = "X-Alfresco-Retry-Needed";
    private final Log log;

    private ObjectMapper jsonObjectMapper = new ObjectMapper();
@@ -137,7 +138,7 @@ public class CombinedConfig extends CombinedTransformConfig
                            {
                                int transformCount = transformerCount();
                                configFileFinder.readFile(reader, remoteType+" on "+baseUrl, "json", baseUrl, log);
-                                if (transformCount == transformerCount())
+                                if (transformCount == transformerCount() || response.containsHeader(X_ALFRESCO_RETRY_NEEDED_HEADER))
                                {
                                    successReadingConfig = false;
                                }
--- a/repository/src/main/resources/alfresco/authority-services-context.xml
+++ b/repository/src/main/resources/alfresco/authority-services-context.xml
@@ -143,4 +143,8 @@
        </property>
    </bean>

+    <bean id="serviceAccountRegistry" class="org.alfresco.repo.serviceaccount.ServiceAccountRegistryImpl">
+        <property name="globalProperties" ref="global-properties"/>
+    </bean>
+
 </beans>
--- a/repository/src/main/resources/alfresco/model/permissionDefinitions.xml
+++ b/repository/src/main/resources/alfresco/model/permissionDefinitions.xml
@@ -13,462 +13,487 @@


 <permissions>
-    
+
    <!-- Namespaces used in type references -->
-    
-   <namespaces>
-      <namespace uri="http://www.alfresco.org/model/system/1.0" prefix="sys"/>
-      <namespace uri="http://www.alfresco.org/model/content/1.0" prefix="cm"/>
-   </namespaces>

-   <!--                                                                                   -->
-   <!-- Permission sets link permissions and groups of permissions to types and aspects   -->
-   <!-- defined in the model. Permissions defined against a type apply to all objects     -->
-   <!-- that inherit from that type. Permissions defined against aspects apply to all     -->
-   <!-- objects or only objects that have the aspect applied. For example, the permission -->
-   <!-- to lock an object could apply to any object but the permission to unlock an       -->
-   <!-- object would only apply to objects that have the lockable aspect.                -->
-   <!--                                                                                   -->
-    
-   <!-- =============================================== -->
-   <!-- Base permissions available on all types of node -->
-   <!-- =============================================== -->
-    
-   <permissionSet type="sys:base" expose="all" >
-    
-      <!-- ================= -->
-      <!-- Permission groups -->
-      <!-- ================= -->
-      
-      <!--                                                                                -->
-      <!-- Permission groups are convenient groups of permissions. They may be used in    -->
-      <!-- their own right or as the effective set of permissions. If an authority has    -->
-      <!-- all the permissions that make up a permission group they also have that        -->
-      <!-- permission group even though it has not been explicitly granted.               -->
-      <!--                                                                                -->
+    <namespaces>
+        <namespace uri="http://www.alfresco.org/model/system/1.0" prefix="sys"/>
+        <namespace uri="http://www.alfresco.org/model/content/1.0" prefix="cm"/>
+    </namespaces>

-      <!-- =========== -->    
-      <!-- Full access -->
-      <!-- =========== -->
-    
-      <!--                                                                                -->  
-      <!-- By default this is exposed for all objects unless inherited objects choose to  -->
-      <!-- expose only selected objects at the object level.                              -->
-      <!--                                                                                -->
-      
-      <permissionGroup name="FullControl" expose="true" allowFullControl="true" />
- 
-      <!-- ============================================= -->
-      <!-- Convenient groupings of low level permissions -->
-      <!-- ============================================= -->
-      
-      <permissionGroup name="Read"  expose="true" allowFullControl="false">
-           <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
-           <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
-           <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
-      </permissionGroup>
-       
-      <permissionGroup name="Write" expose="true" allowFullControl="false">
-           <includePermissionGroup type="sys:base" permissionGroup="WriteProperties"/>
-           <includePermissionGroup type="sys:base" permissionGroup="WriteContent"/>
-      </permissionGroup>  
-       
-      <permissionGroup name="Delete" expose="true" allowFullControl="false">
-           <includePermissionGroup type="sys:base" permissionGroup="DeleteNode"/>
-           <includePermissionGroup type="sys:base" permissionGroup="DeleteChildren"/>
-      </permissionGroup>
-       
-      <permissionGroup name="AddChildren" expose="true" allowFullControl="false">
-           <includePermissionGroup type="sys:base" permissionGroup="CreateChildren"/>
-           <includePermissionGroup type="sys:base" permissionGroup="LinkChildren"/>
-      </permissionGroup>
-       
-      <permissionGroup name="Execute" allowFullControl="false" expose="false">
-          <includePermissionGroup type="sys:base" permissionGroup="ExecuteContent"/>
-      </permissionGroup>
-       
-      <!-- Groups for low level permissions -->
-       
-      <permissionGroup name="ReadProperties" expose="true" allowFullControl="false" />  
-      <permissionGroup name="ReadChildren" expose="true" allowFullControl="false" />  
-      <permissionGroup name="WriteProperties" expose="true" allowFullControl="false" />  
-      <permissionGroup name="ReadContent" expose="false" allowFullControl="false" />  
-      <permissionGroup name="WriteContent" expose="false" allowFullControl="false" />  
-      <permissionGroup name="ExecuteContent" expose="false" allowFullControl="false" />  
-      <permissionGroup name="DeleteNode" expose="true" allowFullControl="false" />  
-      <permissionGroup name="DeleteChildren" expose="true" allowFullControl="false" />  
-      <permissionGroup name="CreateChildren" expose="true" allowFullControl="false" />  
-      <permissionGroup name="LinkChildren" expose="true" allowFullControl="false" />  
-      <permissionGroup name="DeleteAssociations" expose="true" allowFullControl="false" />  
-      <permissionGroup name="ReadAssociations" expose="true" allowFullControl="false" />  
-      <permissionGroup name="CreateAssociations" expose="true" allowFullControl="false" />  
-      <permissionGroup name="ReadPermissions" expose="true" allowFullControl="false" />  
-      <permissionGroup name="ChangePermissions" expose="true" allowFullControl="false" />  
-    
-      <!-- =========== -->
-      <!-- Permissions -->
-      <!-- =========== -->
-    
-      <!-- The permission to read properties on a node                                    -->
-      <!--                                                                                -->
-      <!-- The properties of a node may ony be read if there is read access to the parent -->
-      <!-- node. ReadChildren access to the parent node is recursive for all nodes from   -->
-      <!-- which the node inherits permissions. Access is required down the permission    -->
-      <!-- tree at all points.                                                           -->
-      <!--                                                                                -->
-      
-      <permission name="_ReadProperties" expose="false" >
-         <grantedToGroup permissionGroup="ReadProperties" />
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-         -->
-      </permission>
-      
-      <!-- The permission to read the children of a node                                 -->
-      <!--                                                                               -->
-      <!-- This permission is recursive. It requires the same permission is granted to   -->
-      <!-- all of the parent nodes from which this node inherits permissions             -->
-      <!--                                                                               -->
-      
-      <permission name="_ReadChildren" expose="false" >
-         <grantedToGroup permissionGroup="ReadChildren" />
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-         -->
-      </permission>
-      
-      <!-- The permission to write to the properties of a node                           -->
-      <!--                                                                               -->
-      <!-- This permission includes adding aspects to a node as they are stored as       -->
-      <!-- a property.                                                                   -->
-      <!--                                                                               -->
-      
-      <permission name="_WriteProperties" expose="false" >
-         <grantedToGroup permissionGroup="WriteProperties" />
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-         -->
-      </permission>
-      
-      <!-- The permission to delete a node                                               -->
-      <!--                                                                               -->
-      <!-- A node can only be deleted if there is delete permission on the node, if the  -->
-      <!-- node is accessible via its parent, and if the node can be deleted from its     -->
-      <!-- parent. Currently, there is no check that all the children can be deleted.    -->
-      <!-- This check can be added but requires more work so the UI is not checking this -->
-      <!-- permission just to show the delete icon.                                      -->
-      <!--                                                                               -->
-      
-      <!-- The permission to read content.                                               -->
-      
-      <permission name="_ReadContent" expose="false">
-         <grantedToGroup permissionGroup="ReadContent"/>
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-         -->
-      </permission>
+    <!--                                                                                   -->
+    <!-- Permission sets link permissions and groups of permissions to types and aspects   -->
+    <!-- defined in the model. Permissions defined against a type apply to all objects     -->
+    <!-- that inherit from that type. Permissions defined against aspects apply to all     -->
+    <!-- objects or only objects that have the aspect applied. For example, the permission -->
+    <!-- to lock an object could apply to any object but the permission to unlock an       -->
+    <!-- object would only apply to objects that have the lockable aspect.                -->
+    <!--                                                                                   -->
+
+    <!-- =============================================== -->
+    <!-- Base permissions available on all types of node -->
+    <!-- =============================================== -->
+
+    <permissionSet type="sys:base" expose="all">
+
+        <!-- ================= -->
+        <!-- Permission groups -->
+        <!-- ================= -->
+
+        <!--                                                                                -->
+        <!-- Permission groups are convenient groups of permissions. They may be used in    -->
+        <!-- their own right or as the effective set of permissions. If an authority has    -->
+        <!-- all the permissions that make up a permission group they also have that        -->
+        <!-- permission group even though it has not been explicitly granted.               -->
+        <!--                                                                                -->
+
+        <!-- =========== -->
+        <!-- Full access -->
+        <!-- =========== -->
+
+        <!--                                                                                -->
+        <!-- By default this is exposed for all objects unless inherited objects choose to  -->
+        <!-- expose only selected objects at the object level.                              -->
+        <!--                                                                                -->
+
+        <permissionGroup name="FullControl" expose="true" allowFullControl="true"/>
+
+        <permissionGroup name="AdminServiceAccount" expose="false" allowFullControl="false">
+            <includePermissionGroup type="sys:base" permissionGroup="Read"/>
+            <includePermissionGroup type="sys:base" permissionGroup="Write"/>
+            <includePermissionGroup type="sys:base" permissionGroup="AddChildren"/>
+            <includePermissionGroup type="sys:base" permissionGroup="Delete"/>
+            <includePermissionGroup type="sys:base" permissionGroup="ReadAssociations"/>
+            <includePermissionGroup type="sys:base" permissionGroup="CreateAssociations"/>
+            <includePermissionGroup type="sys:base" permissionGroup="DeleteAssociations"/>
+            <includePermissionGroup type="sys:base" permissionGroup="ReadPermissions"/>
+        </permissionGroup>
+        <permissionGroup name="CollaboratorServiceAccount" expose="false" allowFullControl="false">
+            <includePermissionGroup type="sys:base" permissionGroup="Read"/>
+            <includePermissionGroup type="sys:base" permissionGroup="Write"/>
+            <includePermissionGroup type="sys:base" permissionGroup="AddChildren"/>
+        </permissionGroup>
+        <permissionGroup name="EditorServiceAccount" expose="false" allowFullControl="false">
+            <includePermissionGroup type="sys:base" permissionGroup="Read"/>
+            <includePermissionGroup type="sys:base" permissionGroup="Write"/>
+        </permissionGroup>
+
+        <!-- ============================================= -->
+        <!-- Convenient groupings of low level permissions -->
+        <!-- ============================================= -->
+
+        <permissionGroup name="Read" expose="true" allowFullControl="false">
+            <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
+            <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
+            <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
+        </permissionGroup>
+
+        <permissionGroup name="Write" expose="true" allowFullControl="false">
+            <includePermissionGroup type="sys:base" permissionGroup="WriteProperties"/>
+            <includePermissionGroup type="sys:base" permissionGroup="WriteContent"/>
+        </permissionGroup>
+
+        <permissionGroup name="Delete" expose="true" allowFullControl="false">
+            <includePermissionGroup type="sys:base" permissionGroup="DeleteNode"/>
+            <includePermissionGroup type="sys:base" permissionGroup="DeleteChildren"/>
+        </permissionGroup>
+
+        <permissionGroup name="AddChildren" expose="true" allowFullControl="false">
+            <includePermissionGroup type="sys:base" permissionGroup="CreateChildren"/>
+            <includePermissionGroup type="sys:base" permissionGroup="LinkChildren"/>
+        </permissionGroup>
+
+        <permissionGroup name="Execute" allowFullControl="false" expose="false">
+            <includePermissionGroup type="sys:base" permissionGroup="ExecuteContent"/>
+        </permissionGroup>
+
+        <!-- Groups for low level permissions -->
+
+        <permissionGroup name="ReadProperties" expose="true" allowFullControl="false"/>
+        <permissionGroup name="ReadChildren" expose="true" allowFullControl="false"/>
+        <permissionGroup name="WriteProperties" expose="true" allowFullControl="false"/>
+        <permissionGroup name="ReadContent" expose="false" allowFullControl="false"/>
+        <permissionGroup name="WriteContent" expose="false" allowFullControl="false"/>
+        <permissionGroup name="ExecuteContent" expose="false" allowFullControl="false"/>
+        <permissionGroup name="DeleteNode" expose="true" allowFullControl="false"/>
+        <permissionGroup name="DeleteChildren" expose="true" allowFullControl="false"/>
+        <permissionGroup name="CreateChildren" expose="true" allowFullControl="false"/>
+        <permissionGroup name="LinkChildren" expose="true" allowFullControl="false"/>
+        <permissionGroup name="DeleteAssociations" expose="true" allowFullControl="false"/>
+        <permissionGroup name="ReadAssociations" expose="true" allowFullControl="false"/>
+        <permissionGroup name="CreateAssociations" expose="true" allowFullControl="false"/>
+        <permissionGroup name="ReadPermissions" expose="true" allowFullControl="false"/>
+        <permissionGroup name="ChangePermissions" expose="true" allowFullControl="false"/>
+
+        <!-- =========== -->
+        <!-- Permissions -->
+        <!-- =========== -->
+
+        <!-- The permission to read properties on a node                                    -->
+        <!--                                                                                -->
+        <!-- The properties of a node may ony be read if there is read access to the parent -->
+        <!-- node. ReadChildren access to the parent node is recursive for all nodes from   -->
+        <!-- which the node inherits permissions. Access is required down the permission    -->
+        <!-- tree at all points.                                                           -->
+        <!--                                                                                -->
+
+        <permission name="_ReadProperties" expose="false">
+            <grantedToGroup permissionGroup="ReadProperties"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <!-- The permission to read the children of a node                                 -->
+        <!--                                                                               -->
+        <!-- This permission is recursive. It requires the same permission is granted to   -->
+        <!-- all of the parent nodes from which this node inherits permissions             -->
+        <!--                                                                               -->
+
+        <permission name="_ReadChildren" expose="false">
+            <grantedToGroup permissionGroup="ReadChildren"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <!-- The permission to write to the properties of a node                           -->
+        <!--                                                                               -->
+        <!-- This permission includes adding aspects to a node as they are stored as       -->
+        <!-- a property.                                                                   -->
+        <!--                                                                               -->
+
+        <permission name="_WriteProperties" expose="false">
+            <grantedToGroup permissionGroup="WriteProperties"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <!-- The permission to delete a node                                               -->
+        <!--                                                                               -->
+        <!-- A node can only be deleted if there is delete permission on the node, if the  -->
+        <!-- node is accessible via its parent, and if the node can be deleted from its     -->
+        <!-- parent. Currently, there is no check that all the children can be deleted.    -->
+        <!-- This check can be added but requires more work so the UI is not checking this -->
+        <!-- permission just to show the delete icon.                                      -->
+        <!--                                                                               -->
+
+        <!-- The permission to read content.                                               -->
+
+        <permission name="_ReadContent" expose="false">
+            <grantedToGroup permissionGroup="ReadContent"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <!-- The permission to write content.                                              -->
+
+        <permission name="_WriteContent" expose="false">
+            <grantedToGroup permissionGroup="WriteContent"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <!-- Execute permission on content.                                                -->
+
+        <permission name="_ExecuteContent" expose="false">
+            <grantedToGroup permissionGroup="ExecuteContent"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <permission name="_DeleteNode" expose="false">
+            <grantedToGroup permissionGroup="DeleteNode"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            <requiredPermission on="parent" name="_DeleteChildren" implies="false"/>
+            <requiredPermission on="node" name="_DeleteChildren" implies="false"/>
+            -->
+            <!-- Remove the recursive check for now for performance -->
+            <!-- TODO: have one permission to check for delete on an item and one to check  -->
+            <!--       child permissions when delete is called on the node service          -->
+            <!--  <requiredPermission on="children" name="_DeleteNode" implies="false"/>     -->
+        </permission>
+
+
+        <!-- The permission to delete children of a node                                   -->
+        <!--                                                                               -->
+        <!-- At the moment this includes both unlink and delete                            -->
+        <!--                                                                               -->
+        <permission name="_DeleteChildren" expose="false">
+            <grantedToGroup permissionGroup="DeleteChildren"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <!-- The permission to create new nodes                                            -->
+
+        <permission name="_CreateChildren" expose="false">
+            <grantedToGroup permissionGroup="CreateChildren"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false" />
+            -->
+        </permission>
+
+        <!-- The permission to link nodes                                                  -->
+
+        <permission name="_LinkChildren" expose="false">
+            <grantedToGroup permissionGroup="LinkChildren"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <!-- The permission to delete associations between nodes (not children)              -->
+
+        <permission name="_DeleteAssociations" expose="false">
+            <grantedToGroup permissionGroup="DeleteAssociations"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <!-- The permission to read associations                                           -->
+
+        <permission name="_ReadAssociations" expose="false">
+            <grantedToGroup permissionGroup="ReadAssociations"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false" />
+            -->
+        </permission>
+
+        <!-- The permission to create associations                                         -->
+
+        <permission name="_CreateAssociations" expose="false">
+            <grantedToGroup permissionGroup="CreateAssociations"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false" />
+            -->
+        </permission>
+
+        <!-- ==================================================== -->
+        <!-- Permissions related to the management of permissions -->
+        <!-- ==================================================== -->
+
+        <!-- The permission to read the permissions on a node                              -->
+
+        <permission name="_ReadPermissions" expose="false">
+            <grantedToGroup permissionGroup="ReadPermissions"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <!-- The permission to the change the permissions associated with a node           -->
+
+        <permission name="_ChangePermissions" expose="false">
+            <grantedToGroup permissionGroup="ChangePermissions"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+    </permissionSet>
+
+    <!-- ================================================ -->
+    <!-- Permissions available to all content and folders -->
+    <!-- ================================================ -->
+
+    <permissionSet type="cm:cmobject" expose="selected">
+
+        <!-- Kept for backward compatibility - the administrator permission has   -->
+        <!-- been removed to avoid confusion -->
+        <permissionGroup name="Administrator" allowFullControl="true" expose="false"/>
+
+        <!-- A coordinator can do anything to the object or its children unless the     -->
+        <!-- permissions are set not to inherit or permission is denied.                 -->
+        <permissionGroup name="Coordinator" allowFullControl="true" expose="true"/>
+
+        <!-- A collaborator can do anything that an editor and a contributor can do -->
+        <permissionGroup name="Collaborator" allowFullControl="false" expose="true">
+            <includePermissionGroup permissionGroup="Editor" type="cm:cmobject"/>
+            <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject"/>
+        </permissionGroup>
+
+        <!-- A contributor can create content and then they have full permission on what -->
+        <!-- they have created - via the permissions assigned to the owner.              -->
+        <permissionGroup name="Contributor" allowFullControl="false" expose="true">
+            <!-- Contributor is a consumer who can add content, and then can modify via the -->
+            <!-- owner permissions.                                                      -->
+            <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject"/>
+            <includePermissionGroup permissionGroup="AddChildren" type="sys:base"/>
+            <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base"/>
+        </permissionGroup>
+
+        <!-- An editor can read and write to the object; they can not create    -->
+        <!-- new nodes. They can check out content into a space to which they have       -->
+        <!-- create permission.                                                          -->
+        <permissionGroup name="Editor" expose="true" allowFullControl="false">
+            <includePermissionGroup type="cm:cmobject" permissionGroup="Consumer"/>
+            <includePermissionGroup type="sys:base" permissionGroup="Write"/>
+            <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>
+            <includePermissionGroup type="sys:base" permissionGroup="ReadPermissions"/>
+        </permissionGroup>
+
+        <!-- The Consumer permission allows read to everything by default.                  -->
+        <permissionGroup name="Consumer" allowFullControl="false" expose="true">
+            <includePermissionGroup permissionGroup="Read" type="sys:base"/>
+        </permissionGroup>
+
+        <!-- records permission -->
+        <!-- Should be tied to the aspect -->
+        <!-- ownership should be removed when using this permission -->
+        <permissionGroup name="RecordAdministrator" allowFullControl="false" expose="false">
+            <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
+            <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
+            <includePermissionGroup type="sys:base" permissionGroup="WriteProperties"/>
+            <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
+            <includePermissionGroup type="sys:base" permissionGroup="DeleteChildren"/>
+            <includePermissionGroup type="sys:base" permissionGroup="CreateChildren"/>
+            <includePermissionGroup type="sys:base" permissionGroup="LinkChildren"/>
+            <includePermissionGroup type="sys:base" permissionGroup="DeleteAssociations"/>
+            <includePermissionGroup type="sys:base" permissionGroup="CreateAssociations"/>
+        </permissionGroup>
+
+    </permissionSet>
+
+    <!-- =============================== -->
+    <!-- Permissions specific to content -->
+    <!-- =============================== -->
+
+    <permissionSet type="cm:content" expose="selected">
+
+        <!-- Content specific roles.                                                       -->
+
+        <permissionGroup name="Coordinator" extends="true" expose="true"/>
+        <permissionGroup name="Collaborator" extends="true" expose="true"/>
+        <permissionGroup name="Contributor" extends="true" expose="true"/>
+        <permissionGroup name="Editor" extends="true" expose="true"/>
+        <permissionGroup name="Consumer" extends="true" expose="true"/>
+        <permissionGroup name="RecordAdministrator" extends="true" expose="false"/>
+
+    </permissionSet>

-      <!-- The permission to write content.                                              -->
-      
-      <permission name="_WriteContent" expose="false">
-         <grantedToGroup permissionGroup="WriteContent" />
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-         -->
-      </permission>
-      
-      <!-- Execute permission on content.                                                -->
-      
-      <permission name="_ExecuteContent" expose="false">
-         <grantedToGroup permissionGroup="ExecuteContent" />
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-         -->
-      </permission>
-      
-      <permission name="_DeleteNode" expose="false" >
-         <grantedToGroup permissionGroup="DeleteNode" />
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-         <requiredPermission on="parent" name="_DeleteChildren" implies="false"/>
-         <requiredPermission on="node" name="_DeleteChildren" implies="false"/>
-         -->
-         <!-- Remove the recursive check for now for performance -->
-         <!-- TODO: have one permission to check for delete on an item and one to check  -->
-         <!--       child permissions when delete is called on the node service          --> 
-         <!--  <requiredPermission on="children" name="_DeleteNode" implies="false"/>     -->
-      </permission>
-      
-      
-      <!-- The permission to delete children of a node                                   -->
-      <!--                                                                               -->
-      <!-- At the moment this includes both unlink and delete                            -->
-      <!--                                                                               -->
-      <permission name="_DeleteChildren" expose="false" >
-         <grantedToGroup permissionGroup="DeleteChildren" />
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-         -->
-      </permission>
-      
-      <!-- The permission to create new nodes                                            -->
-      
-      <permission name="_CreateChildren" expose="false" >
-         <grantedToGroup permissionGroup="CreateChildren" />
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false" />
-         -->
-      </permission>
-      
-      <!-- The permission to link nodes                                                  -->
-      
-      <permission name="_LinkChildren" expose="false" >
-         <grantedToGroup permissionGroup="LinkChildren" />
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-         -->
-      </permission>
-     
-     <!-- The permission to delete associations between nodes (not children)              -->
-     
-      <permission name="_DeleteAssociations" expose="false" >
-        <grantedToGroup permissionGroup="DeleteAssociations" />
-        <!-- Commented out parent permission check ...
-        <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-        -->
-      </permission>
-      
-      <!-- The permission to read associations                                           -->
-      
-      <permission name="_ReadAssociations" expose="false" >
-        <grantedToGroup permissionGroup="ReadAssociations" />
-        <!-- Commented out parent permission check ...
-        <requiredPermission on="parent" name="_ReadChildren" implies="false" />
-        -->
-      </permission>
-      
-      <!-- The permission to create associations                                         -->
-      
-      <permission name="_CreateAssociations" expose="false" >
-        <grantedToGroup permissionGroup="CreateAssociations" />
-        <!-- Commented out parent permission check ...
-        <requiredPermission on="parent" name="_ReadChildren" implies="false" />
-        -->
-      </permission>
-      
-      <!-- ==================================================== -->
-      <!-- Permissions related to the management of permissions -->
-      <!-- ==================================================== -->
-      
-      <!-- The permission to read the permissions on a node                              -->
-      
-      <permission name="_ReadPermissions" expose="false" >
-        <grantedToGroup permissionGroup="ReadPermissions" />
-        <!-- Commented out parent permission check ...
-        <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-        -->
-      </permission>
-      
-      <!-- The permission to the change the permissions associated with a node           -->
-      
-      <permission name="_ChangePermissions" expose="false" >
-        <grantedToGroup permissionGroup="ChangePermissions" />
-        <!-- Commented out parent permission check ...
-        <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-        -->
-      </permission>
-       
-   </permissionSet>
-   
-   <!-- ================================================ -->
-   <!-- Permissions available to all content and folders -->
-   <!-- ================================================ -->
-   
-   <permissionSet type="cm:cmobject" expose="selected">
-       
-       <!-- Kept for backward compatibility - the administrator permission has   -->
-      <!-- been removed to avoid confusion --> 
-      <permissionGroup name="Administrator" allowFullControl="true" expose="false" />
-      
-      <!-- A coordinator can do anything to the object or its children unless the     -->
-      <!-- permissions are set not to inherit or permission is denied.                 -->
-      <permissionGroup name="Coordinator" allowFullControl="true" expose="true" />
-      
-      <!-- A collaborator can do anything that an editor and a contributor can do -->
-      <permissionGroup name="Collaborator" allowFullControl="false" expose="true">
-         <includePermissionGroup permissionGroup="Editor" type="cm:cmobject" />
-         <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject" />
-      </permissionGroup>
-      
-      <!-- A contributor can create content and then they have full permission on what -->
-      <!-- they have created - via the permissions assigned to the owner.              -->
-      <permissionGroup name="Contributor" allowFullControl="false" expose="true" >
-          <!-- Contributor is a consumer who can add content, and then can modify via the -->
-          <!-- owner permissions.                                                      -->
-          <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject"/>
-          <includePermissionGroup permissionGroup="AddChildren" type="sys:base"/>
-          <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />
-      </permissionGroup>
-      
-      <!-- An editor can read and write to the object; they can not create    -->
-      <!-- new nodes. They can check out content into a space to which they have       -->
-      <!-- create permission.                                                          -->
-      <permissionGroup name="Editor"  expose="true" allowFullControl="false" >
-          <includePermissionGroup type="cm:cmobject" permissionGroup="Consumer"/>
-          <includePermissionGroup type="sys:base" permissionGroup="Write"/>
-          <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>
-          <includePermissionGroup type="sys:base" permissionGroup="ReadPermissions"/>
-      </permissionGroup>
-      
-      <!-- The Consumer permission allows read to everything by default.                  -->
-      <permissionGroup name="Consumer" allowFullControl="false" expose="true" >
-          <includePermissionGroup permissionGroup="Read" type="sys:base" />
-      </permissionGroup>
-      
-      <!-- records permission -->
-      <!-- Should be tied to the aspect -->
-      <!-- ownership should be removed when using this permission --> 
-      <permissionGroup name="RecordAdministrator" allowFullControl="false" expose="false">
-          <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
-          <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
-          <includePermissionGroup type="sys:base" permissionGroup="WriteProperties"/>
-          <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
-          <includePermissionGroup type="sys:base" permissionGroup="DeleteChildren"/>
-          <includePermissionGroup type="sys:base" permissionGroup="CreateChildren"/>
-          <includePermissionGroup type="sys:base" permissionGroup="LinkChildren"/>
-          <includePermissionGroup type="sys:base" permissionGroup="DeleteAssociations"/>
-          <includePermissionGroup type="sys:base" permissionGroup="CreateAssociations"/>
-      </permissionGroup>
-       
-   </permissionSet>
-   
-   <!-- =============================== -->
-   <!-- Permissions specific to content -->
-   <!-- =============================== -->
-   
-   <permissionSet type="cm:content" expose="selected">

-      <!-- Content specific roles.                                                       -->
-      
-      <permissionGroup name="Coordinator" extends="true" expose="true"/>
-      <permissionGroup name="Collaborator" extends="true" expose="true"/>
-      <permissionGroup name="Contributor" extends="true" expose="true"/>
-      <permissionGroup name="Editor" extends="true" expose="true"/>
-      <permissionGroup name="Consumer" extends="true" expose="true"/>
-      <permissionGroup name="RecordAdministrator" extends="true" expose="false"/>
-      
-   </permissionSet>
-    
-    
    <permissionSet type="cm:folder" expose="selected">

-      <!-- Content folder specific roles.                                                       -->
-      
-      <permissionGroup name="Coordinator" extends="true" expose="true"/>
-      <permissionGroup name="Collaborator" extends="true" expose="true"/>
-      <permissionGroup name="Contributor" extends="true" expose="true"/>
-      <permissionGroup name="Editor" extends="true" expose="true"/>
-      <permissionGroup name="Consumer" extends="true" expose="true"/>
-      <permissionGroup name="RecordAdministrator" extends="true" expose="false"/>
-      
-   </permissionSet>
-   
-   <!-- ============================================== -->
-   <!-- Permissions associated with the Ownable aspect -->
-   <!-- ============================================== -->
-   
-   <permissionSet type="cm:ownable" expose="selected">
-      
-      <!-- Permission control to allow ownership of the node to be taken from others     -->
-      <permissionGroup name="TakeOwnership" requiresType="false" expose="false">
-           <includePermissionGroup permissionGroup="SetOwner" type="cm:ownable" />
-      </permissionGroup>
-       
-      <permissionGroup name="SetOwner" requiresType="false" expose="false"/>
-      
-      <!-- The low level permission to control setting the owner of a node               -->
-      <permission name="_SetOwner" expose="false" requiresType="false">
-        <grantedToGroup permissionGroup="SetOwner" />
-        <!-- require to be able to reach the node and set properties in the node         -->
-        <!-- Commented out parent permission check ...
-        <requiredPermission on="parent" name="_ReadChildren" />
-        -->
-        <requiredPermission on="node" type="sys:base" name="_WriteProperties" />
-      </permission>
-      
-   </permissionSet>
-   
-   <!-- =================================================== -->
-   <!-- Permission related to check in and cancel check out. -->
-   <!-- =================================================== -->
+        <!-- Content folder specific roles.                                                       -->

-      <permissionSet type="cm:workingcopy" expose="selected">
+        <permissionGroup name="Coordinator" extends="true" expose="true"/>
+        <permissionGroup name="Collaborator" extends="true" expose="true"/>
+        <permissionGroup name="Contributor" extends="true" expose="true"/>
+        <permissionGroup name="Editor" extends="true" expose="true"/>
+        <permissionGroup name="Consumer" extends="true" expose="true"/>
+        <permissionGroup name="RecordAdministrator" extends="true" expose="false"/>

-         <!-- Cancel Check Out permission - only exposed for the workingcopy aspect is present -->
-         <permissionGroup name="CancelCheckOut" requiresType="true" expose="false">
-            <includePermissionGroup permissionGroup="Unlock" type="cm:lockable" />
-         </permissionGroup>
+    </permissionSet>
+
+    <!-- ============================================== -->
+    <!-- Permissions associated with the Ownable aspect -->
+    <!-- ============================================== -->
+
+    <permissionSet type="cm:ownable" expose="selected">
+
+        <!-- Permission control to allow ownership of the node to be taken from others     -->
+        <permissionGroup name="TakeOwnership" requiresType="false" expose="false">
+            <includePermissionGroup permissionGroup="SetOwner" type="cm:ownable"/>
+        </permissionGroup>
+
+        <permissionGroup name="SetOwner" requiresType="false" expose="false"/>
+
+        <!-- The low level permission to control setting the owner of a node               -->
+        <permission name="_SetOwner" expose="false" requiresType="false">
+            <grantedToGroup permissionGroup="SetOwner"/>
+            <!-- require to be able to reach the node and set properties in the node         -->
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" />
+            -->
+            <requiredPermission on="node" type="sys:base" name="_WriteProperties"/>
+        </permission>
+
+    </permissionSet>
+
+    <!-- =================================================== -->
+    <!-- Permission related to check in and cancel check out. -->
+    <!-- =================================================== -->
+
+    <permissionSet type="cm:workingcopy" expose="selected">
+
+        <!-- Cancel Check Out permission - only exposed for the workingcopy aspect is present -->
+        <permissionGroup name="CancelCheckOut" requiresType="true" expose="false">
+            <includePermissionGroup permissionGroup="Unlock" type="cm:lockable"/>
+        </permissionGroup>
+
+        <!-- Check In permission - only exposed when the workingcopy aspect is present        -->
+        <permissionGroup name="CheckIn" requiresType="true" expose="false">
+            <includePermissionGroup permissionGroup="Unlock" type="cm:lockable"/>
+        </permissionGroup>
+
+    </permissionSet>
+
+    <!-- =================================================== -->
+    <!-- Permission related to lock, check out and check in. -->
+    <!-- =================================================== -->
+
+    <permissionSet type="cm:lockable" expose="selected">
+
+        <!-- At the moment these permissions are hidden so they do not appear in the list  -->
+        <!-- of permissions.                                                               -->
+
+        <!-- Check Out permission - exposed for all object types                           -->
+        <permissionGroup name="CheckOut" requiresType="false" expose="false">
+            <includePermissionGroup permissionGroup="Lock" type="cm:lockable"/>
+        </permissionGroup>
+
+        <permissionGroup name="Lock" requiresType="false" expose="false"/>
+        <permissionGroup name="Unlock" requiresType="true" expose="false"/>
+
+
+        <!-- Low level lock permission                                                     -->
+        <permission name="_Lock" requiresType="false" expose="false">
+            <grantedToGroup permissionGroup="Lock"/>
+            <requiredPermission on="node" type="sys:base" name="Write"/>
+        </permission>
+
+        <!-- Low level unlock permission                                                   -->
+        <permission name="_Unlock" requiresType="true" expose="false">
+            <grantedToGroup permissionGroup="Unlock"/>
+        </permission>
+
+    </permissionSet>
+
+    <!-- ================== -->
+    <!-- Global permissions -->
+    <!-- ================== -->
+
+    <!--                                                                                  -->
+    <!-- Global permissions apply regardless of any particular node context.              -->
+    <!-- They can not be denied by the permissions set on any node.                       -->
+    <!--                                                                                  -->
+
+    <!-- Admin can do anything to any node                                                -->
+    <globalPermission permission="FullControl" authority="ROLE_ADMINISTRATOR"/>
+
+    <!-- For now, owners can always see, find and manipulate their stuff                  -->
+    <globalPermission permission="FullControl" authority="ROLE_OWNER"/>
+
+    <!-- Unlock is granted to the lock owner                                              -->
+    <globalPermission permission="Unlock" authority="ROLE_LOCK_OWNER"/>
+
+    <!-- Check in is granted to the lock owner                                            -->
+    <globalPermission permission="CheckIn" authority="ROLE_LOCK_OWNER"/>
+
+    <!-- Cancel check out is granted to the lock owner                                   -->
+    <globalPermission permission="CancelCheckOut" authority="ROLE_LOCK_OWNER"/>
+
+    <!-- Service Account roles -->
+    <globalPermission permission="AdminServiceAccount" authority="ROLE_ADMIN_SERVICE_ACCOUNT"/>
+    <globalPermission permission="CollaboratorServiceAccount" authority="ROLE_COLLABORATOR_SERVICE_ACCOUNT"/>
+    <globalPermission permission="EditorServiceAccount" authority="ROLE_EDITOR_SERVICE_ACCOUNT"/>

-         <!-- Check In permission - only exposed when the workingcopy aspect is present        -->
-         <permissionGroup name="CheckIn" requiresType="true" expose="false">
-            <includePermissionGroup permissionGroup="Unlock" type="cm:lockable" />
-         </permissionGroup>
-			
-      </permissionSet>
-   
-   <!-- =================================================== -->
-   <!-- Permission related to lock, check out and check in. -->
-   <!-- =================================================== -->
-   
-   <permissionSet type="cm:lockable" expose="selected">
-    
-      <!-- At the moment these permissions are hidden so they do not appear in the list  -->
-      <!-- of permissions.                                                               -->
-    
-      <!-- Check Out permission - exposed for all object types                           -->
-      <permissionGroup name="CheckOut" requiresType="false" expose="false">
-          <includePermissionGroup permissionGroup="Lock" type="cm:lockable" />
-      </permissionGroup>
-      
-      <permissionGroup name="Lock" requiresType="false" expose="false"/>
-      <permissionGroup name="Unlock" requiresType="true" expose="false"/>
-       
-    
-      <!-- Low level lock permission                                                     -->
-      <permission name="_Lock" requiresType="false" expose="false">
-        <grantedToGroup permissionGroup="Lock" />
-        <requiredPermission on="node" type="sys:base"  name="Write"/>
-      </permission>
-      
-      <!-- Low level unlock permission                                                   -->
-      <permission name="_Unlock" requiresType="true" expose="false">
-        <grantedToGroup permissionGroup="Unlock" />
-      </permission>      
-      
-   </permissionSet>
-   
-   <!-- ================== -->
-   <!-- Global permissions -->
-   <!-- ================== -->
-   
-   <!--                                                                                  -->
-   <!-- Global permissions apply regardless of any particular node context.              -->
-   <!-- They can not be denied by the permissions set on any node.                       -->
-   <!--                                                                                  --> 
-      
-   <!-- Admin can do anything to any node                                                -->
-   <globalPermission permission="FullControl" authority="ROLE_ADMINISTRATOR"/>
-   
-   <!-- For now, owners can always see, find and manipulate their stuff                  -->
-   <globalPermission permission="FullControl" authority="ROLE_OWNER"/>
-   
-   <!-- Unlock is granted to the lock owner                                              -->
-   <globalPermission permission="Unlock" authority="ROLE_LOCK_OWNER"/>
-   
-   <!-- Check in is granted to the lock owner                                            -->
-   <globalPermission permission="CheckIn" authority="ROLE_LOCK_OWNER"/>
-   
-   <!-- Cancel check out is granted to the lock owner                                   -->
-   <globalPermission permission="CancelCheckOut" authority="ROLE_LOCK_OWNER"/>
-   
 </permissions>
--- a/repository/src/main/resources/alfresco/public-services-security-context.xml
+++ b/repository/src/main/resources/alfresco/public-services-security-context.xml
@@ -102,6 +102,9 @@
            <list>
                <ref bean="ownerDynamicAuthority" />
                <ref bean="lockOwnerDynamicAuthority" />
+                <ref bean="adminServiceAccountAuthority"/>
+                <ref bean="collaboratorServiceAccountAuthority"/>
+                <ref bean="editorServiceAccountAuthority"/>
            </list>
        </property>
        <property name="fixedAclUpdater">
@@ -147,6 +150,23 @@
        </property>
    </bean>

+    <!-- Service account authority beans -->
+    <bean id="baseServiceAccountAuthority" abstract="true">
+        <property name="serviceAccountRegistry" ref="serviceAccountRegistry"/>
+    </bean>
+    <bean id="adminServiceAccountAuthority" class="org.alfresco.repo.security.permissions.dynamic.ServiceAccountAuthority"
+          parent="baseServiceAccountAuthority">
+        <property name="authority" value="#{T(org.alfresco.service.cmr.security.PermissionService).ADMIN_SVC_AUTHORITY}"/>
+    </bean>
+    <bean id="collaboratorServiceAccountAuthority" class="org.alfresco.repo.security.permissions.dynamic.ServiceAccountAuthority"
+          parent="baseServiceAccountAuthority">
+        <property name="authority" value="#{T(org.alfresco.service.cmr.security.PermissionService).COLLABORATOR_SVC_AUTHORITY}"/>
+    </bean>
+    <bean id="editorServiceAccountAuthority" class="org.alfresco.repo.security.permissions.dynamic.ServiceAccountAuthority"
+          parent="baseServiceAccountAuthority">
+        <property name="authority" value="#{T(org.alfresco.service.cmr.security.PermissionService).EDITOR_SVC_AUTHORITY}"/>
+    </bean>
+
    <!-- =========================== -->
    <!-- Permissions Model Bootstrap -->
    <!-- =========================== -->
--- a/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java
+++ b/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java
@@ -261,7 +261,8 @@ import org.junit.runners.Suite;
    org.alfresco.repo.event2.RepoEvent2UnitSuite.class,

    org.alfresco.util.schemacomp.SchemaDifferenceHelperUnitTest.class,
-    org.alfresco.repo.tagging.TaggingServiceImplUnitTest.class
+    org.alfresco.repo.tagging.TaggingServiceImplUnitTest.class,
+    org.alfresco.repo.serviceaccount.ServiceAccountRegistryImplTest.class
 })
 public class AllUnitTestsSuite
 {
--- a/repository/src/test/java/org/alfresco/AppContext05TestSuite.java
+++ b/repository/src/test/java/org/alfresco/AppContext05TestSuite.java
@@ -2,7 +2,7 @@
 * #%L
 * Alfresco Repository
 * %%
- * Copyright (C) 2005 - 2023 Alfresco Software Limited
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
 * %%
 * This file is part of the Alfresco software. 
 * If the software was purchased under a paid Alfresco license, the terms of 
@@ -85,6 +85,7 @@ import org.junit.runners.Suite;
    org.alfresco.repo.model.ModelTestSuite.class,
    org.alfresco.repo.tenant.MultiTNodeServiceInterceptorTest.class,
    org.alfresco.repo.transfer.RepoTransferReceiverImplTest.class,
+    org.alfresco.repo.security.permissions.dynamic.ServiceAccountRoleTest.class
 })
 public class AppContext05TestSuite
 {
--- a/repository/src/test/java/org/alfresco/repo/security/SecurityTestSuite.java
+++ b/repository/src/test/java/org/alfresco/repo/security/SecurityTestSuite.java
@@ -45,6 +45,7 @@ import org.alfresco.repo.security.authority.AuthorityServiceTest;
 import org.alfresco.repo.security.authority.DuplicateAuthorityTest;
 import org.alfresco.repo.security.authority.ExtendedPermissionServiceTest;
 import org.alfresco.repo.security.permissions.dynamic.LockOwnerDynamicAuthorityTest;
+import org.alfresco.repo.security.permissions.dynamic.ServiceAccountRoleTest;
 import org.alfresco.repo.security.permissions.impl.AclDaoComponentTest;
 import org.alfresco.repo.security.permissions.impl.PermissionServiceTest;
 import org.alfresco.repo.security.permissions.impl.ReadPermissionTest;
@@ -108,6 +109,7 @@ public class SecurityTestSuite extends TestSuite
 		suite.addTest(new JUnit4TestAdapter(LocalAuthenticationServiceTest.class));

        suite.addTest(new JUnit4TestAdapter(ResetPasswordServiceImplTest.class));
+        suite.addTest(new JUnit4TestAdapter(ServiceAccountRoleTest.class));
        return suite;
    }
 }
--- a/repository/src/test/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountRoleTest.java
+++ b/repository/src/test/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountRoleTest.java
@@ -0,0 +1,355 @@
+/*
+ * #%L
+ * Alfresco Data model classes
+ * %%
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.security.permissions.dynamic;
+
+import static java.lang.System.currentTimeMillis;
+import static org.junit.Assert.assertEquals;
+
+import java.io.Serializable;
+import java.util.Map;
+import java.util.Properties;
+
+import org.alfresco.model.ContentModel;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.repository.NodeService;
+import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.service.cmr.security.PermissionService;
+import org.alfresco.service.cmr.site.SiteInfo;
+import org.alfresco.service.cmr.site.SiteService;
+import org.alfresco.service.cmr.site.SiteVisibility;
+import org.alfresco.service.namespace.QName;
+import org.alfresco.util.test.junitrules.AlfrescoPerson;
+import org.alfresco.util.test.junitrules.ApplicationContextInit;
+import org.alfresco.util.test.junitrules.TemporaryNodes;
+import org.alfresco.util.test.junitrules.TemporarySites;
+import org.junit.After;
+import org.junit.BeforeClass;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.rules.RuleChain;
+import org.springframework.context.ApplicationContext;
+
+/**
+ * This test class demonstrates the permissions of the service account authorities.
+ * The service account authorities are used to grant permissions to service accounts.
+ * <p>
+ * The service account authorities are defined in the <i>alfresco-global.properties</i> file.
+ * Using the following naming convention:
+ * <pre>
+ *   {@code
+ *     serviceaccount.role.<service-account-name>=<service-account-role>
+ *   }
+ * </pre>
+ * The service account roles that currently supported are:
+ * <ul>
+ *   <li>{@link PermissionService#EDITOR_SVC_AUTHORITY}</li>
+ *   <li>{@link PermissionService#COLLABORATOR_SVC_AUTHORITY}</li>
+ *   <li>{@link PermissionService#ADMIN_SVC_AUTHORITY}</li>
+ * </ul>
+ * The test class relies on the following service accounts defined in the <i>alfresco-global.properties</i> file:
+ * <ul>
+ *   <li>serviceaccount.role.test-editor-sa=ROLE_EDITOR_SERVICE_ACCOUNT</li>
+ *   <li>serviceaccount.role.test-collaborator-sa=ROLE_COLLABORATOR_SERVICE_ACCOUNT</li>
+ *   <li>serviceaccount.role.test-admin-sa=ROLE_ADMIN_SERVICE_ACCOUNT</li>
+ * </ul>
+ * <p>
+ * <b>Note:</b> There is no need to use public services (i.e., beans that start with a capital letter, such as NodeService)
+ * to validate roles permissions. This is because the security enforcement of public services (i.e., ACL checks) ultimately relies on
+ * the {@code permissionService.hasPermission()} method. Therefore, we can directly use the {@code permissionService.hasPermission()} method.
+ *
+ * @author Jamal Kaabi-Mofrad
+ */
+// Ignore the PMD warning about having too many test methods in this class; it makes the tests easier to read and maintain.
+@SuppressWarnings("PMD.TooManyMethods")
+public class ServiceAccountRoleTest
+{
+    // Rule to initialise the default Alfresco spring configuration
+    private static final ApplicationContextInit APP_CONTEXT = new ApplicationContextInit();
+
+    // A rule to manage a test site
+    private static final TemporarySites TEST_SITES = new TemporarySites(APP_CONTEXT);
+
+    // A rule to manage test nodes reused across all the test methods
+    private static final TemporaryNodes TEST_NODES = new TemporaryNodes(APP_CONTEXT);
+
+    // Rules to create the users for the tests
+    private static final AlfrescoPerson NORMAL_USER = getAlfrescoPerson("john.doe" + currentTimeMillis());
+    private static final AlfrescoPerson EDITOR_SA = getAlfrescoPerson("test-editor-sa");
+    private static final AlfrescoPerson COLLABORATOR_SA = getAlfrescoPerson("test-collaborator-sa");
+    private static final AlfrescoPerson ADMIN_SA = getAlfrescoPerson("test-admin-sa");
+
+    private static final String TEST_TEXT_FILE_NAME = "testTextFile.txt";
+
+    // Tie them together in a static Rule Chain
+    @ClassRule
+    public static final RuleChain STATIC_RULE_CHAIN = RuleChain.outerRule(APP_CONTEXT)
+            .around(TEST_SITES)
+            .around(TEST_NODES)
+            .around(NORMAL_USER)
+            .around(EDITOR_SA)
+            .around(COLLABORATOR_SA)
+            .around(ADMIN_SA);
+
+    private static NodeService nodeService;
+    private static SiteService siteService;
+    private static PermissionService permissionService;
+    private static Properties globalProperties;
+    private static NodeRef testTextFile;
+
+    @BeforeClass
+    public static void initStaticData() throws Exception
+    {
+        ApplicationContext context = APP_CONTEXT.getApplicationContext();
+        nodeService = context.getBean("NodeService", NodeService.class);
+        siteService = context.getBean("SiteService", SiteService.class);
+        permissionService = context.getBean("permissionService", PermissionService.class);
+        globalProperties = context.getBean("global-properties", Properties.class);
+
+        // Check that the service account roles are defined in the global properties before starting the tests.
+        serviceAccountsShouldExistInGlobalProperties();
+
+        // Create a test site
+        SiteInfo testSite = createTestSite();
+        // Create a test text file in the test site
+        createTestFile(testSite);
+
+        // Clear the current security context to avoid any issues with the test setup
+        AuthenticationUtil.clearCurrentSecurityContext();
+    }
+
+    private static AlfrescoPerson getAlfrescoPerson(String username)
+    {
+        return new AlfrescoPerson(APP_CONTEXT, username);
+    }
+
+    private static SiteInfo createTestSite()
+    {
+        // Create a private test site to make sure no other non-members or
+        // non-site-admins can access the test site.
+        return TEST_SITES.createSite("sitePreset", "saTestSite" + currentTimeMillis(), "SA Test Site",
+                                     "sa test site desc", SiteVisibility.PRIVATE,
+                                     AuthenticationUtil.getAdminUserName());
+    }
+
+    private static void createTestFile(SiteInfo testSite)
+    {
+        // Create a test text file in the test site as the admin user
+        AuthenticationUtil.setAdminUserAsFullyAuthenticatedUser();
+        final NodeRef docLib = siteService.getContainer(testSite.getShortName(), SiteService.DOCUMENT_LIBRARY);
+
+        final NodeRef testFolder = TEST_NODES.createFolder(docLib, "testFolder", AuthenticationUtil.getAdminUserName());
+        testTextFile = TEST_NODES.createNodeWithTextContent(testFolder, TEST_TEXT_FILE_NAME, ContentModel.TYPE_CONTENT,
+                                                            AuthenticationUtil.getAdminUserName(),
+                                                            "The quick brown fox jumps over the lazy dog.");
+
+        Map<QName, Serializable> props = Map.of(ContentModel.PROP_NAME, TEST_TEXT_FILE_NAME,
+                                                ContentModel.PROP_DESCRIPTION, "Desc added by Admin.");
+        nodeService.setProperties(testTextFile, props);
+    }
+
+    private static void serviceAccountsShouldExistInGlobalProperties()
+    {
+        assertServiceAccountIsDefined(PermissionService.EDITOR_SVC_AUTHORITY, EDITOR_SA.getUsername());
+        assertServiceAccountIsDefined(PermissionService.COLLABORATOR_SVC_AUTHORITY, COLLABORATOR_SA.getUsername());
+        assertServiceAccountIsDefined(PermissionService.ADMIN_SVC_AUTHORITY, ADMIN_SA.getUsername());
+    }
+
+    private static void assertServiceAccountIsDefined(String expectedRole, String username)
+    {
+        assertEquals(expectedRole, globalProperties.getProperty("serviceaccount.role." + username));
+    }
+
+    @After
+    public void tearDown() throws Exception
+    {
+        AuthenticationUtil.clearCurrentSecurityContext();
+    }
+
+    @Test
+    public void normalUserReadAccessShouldBeDenied()
+    {
+        assertAccessDenied(NORMAL_USER, PermissionService.READ);
+    }
+
+    @Test
+    public void editorSaReadAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(EDITOR_SA, PermissionService.READ);
+    }
+
+    @Test
+    public void collaboratorSaReadAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(COLLABORATOR_SA, PermissionService.READ);
+    }
+
+    @Test
+    public void adminSaReadAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(ADMIN_SA, PermissionService.READ);
+    }
+
+    @Test
+    public void normalUserWriteAccessShouldBeDenied()
+    {
+        assertAccessDenied(NORMAL_USER, PermissionService.WRITE);
+    }
+
+    @Test
+    public void editorSaWriteAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(EDITOR_SA, PermissionService.WRITE);
+    }
+
+    @Test
+    public void collaboratorSaWriteAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(COLLABORATOR_SA, PermissionService.WRITE);
+    }
+
+    @Test
+    public void adminSaWriteAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(ADMIN_SA, PermissionService.WRITE);
+    }
+
+    @Test
+    public void normalUserAddChildrenAccessShouldBeDenied()
+    {
+        assertAccessDenied(NORMAL_USER, PermissionService.ADD_CHILDREN);
+    }
+
+    @Test
+    public void editorSaAddChildrenAccessShouldBeDenied()
+    {
+        assertAccessDenied(EDITOR_SA, PermissionService.ADD_CHILDREN);
+    }
+
+    @Test
+    public void collaboratorSaAddChildrenAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(COLLABORATOR_SA, PermissionService.ADD_CHILDREN);
+    }
+
+    @Test
+    public void adminSaAddChildrenAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(ADMIN_SA, PermissionService.ADD_CHILDREN);
+    }
+
+    @Test
+    public void normalUserDeleteAccessShouldBeDenied()
+    {
+        assertAccessDenied(NORMAL_USER, PermissionService.DELETE);
+    }
+
+    @Test
+    public void editorSaDeleteAccessShouldBeDenied()
+    {
+        assertAccessDenied(EDITOR_SA, PermissionService.DELETE);
+    }
+
+    @Test
+    public void collaboratorSaDeleteAccessShouldBeDenied()
+    {
+        assertAccessDenied(COLLABORATOR_SA, PermissionService.DELETE);
+    }
+
+    @Test
+    public void adminSaDeleteAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(ADMIN_SA, PermissionService.DELETE);
+    }
+
+    @Test
+    public void normalUserAssociationAccessShouldBeDenied()
+    {
+        assertAccessDenied(NORMAL_USER, PermissionService.READ_ASSOCIATIONS);
+        assertAccessDenied(NORMAL_USER, PermissionService.CREATE_ASSOCIATIONS);
+        assertAccessDenied(NORMAL_USER, PermissionService.DELETE_ASSOCIATIONS);
+    }
+
+    @Test
+    public void editorSaAssociationAccessShouldBeDenied()
+    {
+        assertAccessDenied(EDITOR_SA, PermissionService.READ_ASSOCIATIONS);
+        assertAccessDenied(EDITOR_SA, PermissionService.CREATE_ASSOCIATIONS);
+        assertAccessDenied(EDITOR_SA, PermissionService.DELETE_ASSOCIATIONS);
+    }
+
+    @Test
+    public void collaboratorSaAssociationAccessShouldBeDenied()
+    {
+        assertAccessDenied(COLLABORATOR_SA, PermissionService.READ_ASSOCIATIONS);
+        assertAccessDenied(COLLABORATOR_SA, PermissionService.CREATE_ASSOCIATIONS);
+        assertAccessDenied(COLLABORATOR_SA, PermissionService.DELETE_ASSOCIATIONS);
+    }
+
+    @Test
+    public void adminSaAssociationAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(ADMIN_SA, PermissionService.READ_ASSOCIATIONS);
+        assertAccessAllowed(ADMIN_SA, PermissionService.CREATE_ASSOCIATIONS);
+        assertAccessAllowed(ADMIN_SA, PermissionService.DELETE_ASSOCIATIONS);
+    }
+
+    @Test
+    public void normalUserReadPermissionsAccessShouldBeDenied()
+    {
+        assertAccessDenied(NORMAL_USER, PermissionService.READ_PERMISSIONS);
+    }
+
+    @Test
+    public void editorSaReadPermissionsAccessShouldBeDenied()
+    {
+        assertAccessDenied(EDITOR_SA, PermissionService.READ_PERMISSIONS);
+    }
+
+    @Test
+    public void collaboratorSaReadPermissionsAccessShouldBeDenied()
+    {
+        assertAccessDenied(COLLABORATOR_SA, PermissionService.READ_PERMISSIONS);
+    }
+
+    @Test
+    public void adminSaReadPermissionsAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(ADMIN_SA, PermissionService.READ_PERMISSIONS);
+    }
+
+    private static void assertAccessDenied(AlfrescoPerson user, String permission)
+    {
+        AuthenticationUtil.setFullyAuthenticatedUser(user.getUsername());
+        assertEquals(AccessStatus.DENIED, permissionService.hasPermission(testTextFile, permission));
+    }
+
+    private static void assertAccessAllowed(AlfrescoPerson user, String permission)
+    {
+        AuthenticationUtil.setFullyAuthenticatedUser(user.getUsername());
+        assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(testTextFile, permission));
+    }
+}
--- a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java
+++ b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java
@@ -2,7 +2,7 @@
 * #%L
 * Alfresco Repository
 * %%
- * Copyright (C) 2005 - 2023 Alfresco Software Limited
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
 * %%
 * This file is part of the Alfresco software. 
 * If the software was purchased under a paid Alfresco license, the terms of 
@@ -66,6 +66,8 @@ import org.springframework.context.ApplicationContext;

 public abstract class AbstractPermissionTest extends TestCase
 {
+    public static final int NUMBER_OF_GLOBAL_PERMISSIONS = 8;
+
    protected static final String USER2_LEMUR = "lemur";

    protected static final String USER1_ANDY = "andy";
--- a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/PermissionServiceTest.java
+++ b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/PermissionServiceTest.java
@@ -2,7 +2,7 @@
 * #%L
 * Alfresco Repository
 * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
 * %%
 * This file is part of the Alfresco software. 
 * If the software was purchased under a paid Alfresco license, the terms of 
@@ -73,6 +73,10 @@ import org.junit.runners.MethodSorters;
@FixMethodOrder(MethodSorters.NAME_ASCENDING)
 public class PermissionServiceTest extends AbstractPermissionTest
 {
+    // The number of permissions in the system.
+    // See permissionDefinitions.xml and PermissionService interface
+    private static final int NUM_OF_PERMISSIONS = 39;
+
    private SimplePermissionEntry denyAndyAll;

    private SimplePermissionEntry allowAndyAll;
@@ -1764,7 +1768,7 @@ public class PermissionServiceTest extends AbstractPermissionTest
    public void testGetSettablePermissionsForType()
    {
        Set<String> answer = permissionService.getSettablePermissions(QName.createQName("sys", "base", namespacePrefixResolver));
-        assertEquals(36, answer.size());
+        assertEquals(NUM_OF_PERMISSIONS, answer.size());

        answer = permissionService.getSettablePermissions(QName.createQName("cm", "ownable", namespacePrefixResolver));
        assertEquals(0, answer.size());
@@ -1784,15 +1788,15 @@ public class PermissionServiceTest extends AbstractPermissionTest
        QName ownable = QName.createQName("cm", "ownable", namespacePrefixResolver);

        Set<String> answer = permissionService.getSettablePermissions(rootNodeRef);
-        assertEquals(36, answer.size());
+        assertEquals(NUM_OF_PERMISSIONS, answer.size());

        nodeService.addAspect(rootNodeRef, ownable, null);
        answer = permissionService.getSettablePermissions(rootNodeRef);
-        assertEquals(36, answer.size());
+        assertEquals(NUM_OF_PERMISSIONS, answer.size());

        nodeService.removeAspect(rootNodeRef, ownable);
        answer = permissionService.getSettablePermissions(rootNodeRef);
-        assertEquals(36, answer.size());
+        assertEquals(NUM_OF_PERMISSIONS, answer.size());
    }


@@ -1816,7 +1820,7 @@ public class PermissionServiceTest extends AbstractPermissionTest
    {
        runAs("andy");

-        assertEquals(36, permissionService.getPermissions(rootNodeRef).size());
+        assertEquals(NUM_OF_PERMISSIONS, permissionService.getPermissions(rootNodeRef).size());
        assertEquals(0, countGranted(permissionService.getPermissions(rootNodeRef)));
        assertEquals(0, permissionService.getAllSetPermissions(rootNodeRef).size());

@@ -1828,7 +1832,7 @@ public class PermissionServiceTest extends AbstractPermissionTest
        assertEquals(1, permissionService.getAllSetPermissions(rootNodeRef).size());
        runAs("andy");

-        assertEquals(36, permissionService.getPermissions(rootNodeRef).size());
+        assertEquals(NUM_OF_PERMISSIONS, permissionService.getPermissions(rootNodeRef).size());
        assertEquals(2, countGranted(permissionService.getPermissions(rootNodeRef)));

        assertTrue(permissionService.hasPermission(rootNodeRef, getPermission(PermissionService.READ_PROPERTIES)) == AccessStatus.ALLOWED);
@@ -1933,7 +1937,7 @@ public class PermissionServiceTest extends AbstractPermissionTest
        permissionService.setPermission(allowAndyRead);
        runAs("andy");

-        assertEquals(36, permissionService.getPermissions(rootNodeRef).size());
+        assertEquals(NUM_OF_PERMISSIONS, permissionService.getPermissions(rootNodeRef).size());
        assertEquals(7, countGranted(permissionService.getPermissions(rootNodeRef)));
        assertEquals(1, permissionService.getAllSetPermissions(rootNodeRef).size());

--- a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/model/PermissionModelTest.java
+++ b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/model/PermissionModelTest.java
@@ -1,28 +1,28 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software. 
- * If the software was purchased under a paid Alfresco license, the terms of 
- * the paid license agreement will prevail.  Otherwise, the software is 
- * provided under the following open source license terms:
- * 
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- * 
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Lesser General Public License for more details.
- * 
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
- * #L%
- */
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software. 
+ * If the software was purchased under a paid Alfresco license, the terms of 
+ * the paid license agreement will prevail.  Otherwise, the software is 
+ * provided under the following open source license terms:
+ * 
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
 package org.alfresco.repo.security.permissions.impl.model;

 import java.util.Collections;
@@ -94,7 +94,7 @@ public class PermissionModelTest extends AbstractPermissionTest
        Set<PermissionReference> grantees = permissionModelDAO.getGranteePermissions(SimplePermissionReference.getPermissionReference(QName.createQName("cm", "cmobject",
                namespacePrefixResolver), "Coordinator"));

-        assertEquals(69, grantees.size());
+        assertEquals(72, grantees.size());
    }

    public void testIncludePermissionGroups6()
@@ -109,17 +109,17 @@ public class PermissionModelTest extends AbstractPermissionTest
    {
        Set<PermissionReference> granters = permissionModelDAO.getGrantingPermissions(SimplePermissionReference.getPermissionReference(QName.createQName("sys", "base",
                namespacePrefixResolver), "ReadProperties"));
-        assertEquals(14, granters.size());
+        assertEquals(17, granters.size());

        granters = permissionModelDAO.getGrantingPermissions(SimplePermissionReference.getPermissionReference(QName.createQName("sys", "base", namespacePrefixResolver),
                "_ReadProperties"));
-        assertEquals(15, granters.size());
+        assertEquals(18, granters.size());
    }

    public void testGlobalPermissions()
    {
        Set<? extends PermissionEntry> globalPermissions = permissionModelDAO.getGlobalPermissionEntries();
-        assertEquals(5, globalPermissions.size());
+        assertEquals(NUMBER_OF_GLOBAL_PERMISSIONS, globalPermissions.size());
    }

    public void testRequiredPermissions()
--- a/repository/src/test/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistryImplTest.java
+++ b/repository/src/test/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistryImplTest.java
@@ -0,0 +1,157 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.serviceaccount;
+
+import static org.alfresco.service.cmr.security.PermissionService.ADMIN_SVC_AUTHORITY;
+import static org.alfresco.service.cmr.security.PermissionService.COLLABORATOR_SVC_AUTHORITY;
+import static org.alfresco.service.cmr.security.PermissionService.EDITOR_SVC_AUTHORITY;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Optional;
+import java.util.Properties;
+
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * Unit tests for the {@link ServiceAccountRegistryImpl} class.
+ *
+ * @author Jamal Kaabi-Mofrad
+ */
+public class ServiceAccountRegistryImplTest
+{
+    private ServiceAccountRegistryImpl serviceAccountService;
+    private Properties globalProperties;
+
+    @Before
+    public void setUp() throws Exception
+    {
+        globalProperties = new Properties();
+        globalProperties.put("system.test.property", "test-prop");
+        globalProperties.put("repo.events.test.someKey", "test-event-value");
+
+        serviceAccountService = new ServiceAccountRegistryImpl();
+        serviceAccountService.setGlobalProperties(globalProperties);
+        serviceAccountService.afterPropertiesSet();
+    }
+
+    @Test
+    public void testNoDefinedServiceAccount()
+    {
+        Optional<String> nonExistentSa = serviceAccountService.getServiceAccountRole("nonExistentServiceAccount");
+        assertTrue(nonExistentSa.isEmpty());
+        assertTrue(serviceAccountService.getServiceAccountNames().isEmpty());
+    }
+
+    @Test
+    public void testInvalidServiceAccountName()
+    {
+        globalProperties.put("serviceaccount.role. ", ADMIN_SVC_AUTHORITY);
+        assertTrue("Invalid service account name.", serviceAccountService.getServiceAccountNames().isEmpty());
+    }
+
+    @Test
+    public void testInvalidServiceAccountRole() throws Exception
+    {
+        globalProperties.put("serviceaccount.role.testServiceAccount", "");
+        serviceAccountService.afterPropertiesSet();
+
+        Optional<String> testServiceAccount = serviceAccountService.getServiceAccountRole("testServiceAccount");
+        assertTrue("Invalid service account role.", testServiceAccount.isEmpty());
+        assertTrue(serviceAccountService.getServiceAccountNames().isEmpty());
+    }
+
+    @Test
+    public void testNotSupportedServiceAccountRole() throws Exception
+    {
+        globalProperties.put("serviceaccount.role.testServiceAccount", "testRole");
+        serviceAccountService.afterPropertiesSet();
+
+        Optional<String> testServiceAccount = serviceAccountService.getServiceAccountRole("testServiceAccount");
+        assertTrue("Not supported service account role.", testServiceAccount.isEmpty());
+        assertTrue(serviceAccountService.getServiceAccountNames().isEmpty());
+    }
+
+    @Test
+    public void testValidServiceAccount() throws Exception
+    {
+        globalProperties.put("serviceaccount.role.testServiceAccount", ADMIN_SVC_AUTHORITY);
+        serviceAccountService.afterPropertiesSet();
+
+        Optional<String> testServiceAccount = serviceAccountService.getServiceAccountRole("testServiceAccount");
+        assertFalse("The service account role is not empty.", testServiceAccount.isEmpty());
+        assertEquals(ADMIN_SVC_AUTHORITY, testServiceAccount.get());
+        assertEquals(1, serviceAccountService.getServiceAccountNames().size());
+    }
+
+    @Test
+    public void testManyServiceAccounts() throws Exception
+    {
+        globalProperties.put("serviceaccount.role.testEditorSA", EDITOR_SVC_AUTHORITY);
+        globalProperties.put("serviceaccount.role.testCollaboratorSA", COLLABORATOR_SVC_AUTHORITY);
+        globalProperties.put("serviceaccount.role.testAdminSA", ADMIN_SVC_AUTHORITY);
+        serviceAccountService.afterPropertiesSet();
+
+        assertEquals(3, serviceAccountService.getServiceAccountNames().size());
+
+        Optional<String> editorSA = serviceAccountService.getServiceAccountRole("testEditorSA");
+        assertFalse("The service account role is not empty.", editorSA.isEmpty());
+        assertEquals(EDITOR_SVC_AUTHORITY, editorSA.get());
+
+        Optional<String> collaboratorSA = serviceAccountService.getServiceAccountRole("testCollaboratorSA");
+        assertFalse("The service account role is not empty.", collaboratorSA.isEmpty());
+        assertEquals(COLLABORATOR_SVC_AUTHORITY, collaboratorSA.get());
+
+        Optional<String> adminSA = serviceAccountService.getServiceAccountRole("testAdminSA");
+        assertFalse("The service account role is not empty.", adminSA.isEmpty());
+        assertEquals(ADMIN_SVC_AUTHORITY, adminSA.get());
+    }
+
+    @Test
+    public void testValidServiceAccountRoleValues() throws Exception
+    {
+        globalProperties.put("serviceaccount.role.testEditorSA", "EDITOR_SERVICE_ACCOUNT");
+        globalProperties.put("serviceaccount.role.testCollaboratorSA", "COLLABORATOR_SERVICE_ACCOUNT");
+        globalProperties.put("serviceaccount.role.testAdminSA", "ADMIN_SERVICE_ACCOUNT");
+        serviceAccountService.afterPropertiesSet();
+
+        assertEquals(3, serviceAccountService.getServiceAccountNames().size());
+
+        Optional<String> editorSA = serviceAccountService.getServiceAccountRole("testEditorSA");
+        assertFalse("The service account role is not empty.", editorSA.isEmpty());
+        assertEquals(EDITOR_SVC_AUTHORITY, editorSA.get());
+
+        Optional<String> collaboratorSA = serviceAccountService.getServiceAccountRole("testCollaboratorSA");
+        assertFalse("The service account role is not empty.", collaboratorSA.isEmpty());
+        assertEquals(COLLABORATOR_SVC_AUTHORITY, collaboratorSA.get());
+
+        Optional<String> adminSA = serviceAccountService.getServiceAccountRole("testAdminSA");
+        assertFalse("The service account role is not empty.", adminSA.isEmpty());
+        assertEquals(ADMIN_SVC_AUTHORITY, adminSA.get());
+    }
+}
--- a/repository/src/test/resources/alfresco-global.properties
+++ b/repository/src/test/resources/alfresco-global.properties
@@ -61,3 +61,8 @@ encryption.keystore.backup.type=JCEKS

 # For CI override the default hashing algorithm for password storage to save build time.
 system.preferred.password.encoding=sha256
+
+# Test service accounts
+serviceaccount.role.test-editor-sa=ROLE_EDITOR_SERVICE_ACCOUNT
+serviceaccount.role.test-collaborator-sa=ROLE_COLLABORATOR_SERVICE_ACCOUNT
+serviceaccount.role.test-admin-sa=ROLE_ADMIN_SERVICE_ACCOUNT
Author	SHA1	Message	Date
alfresco-build	96231517bd	[maven-release-plugin][skip ci] prepare release 23.3.0.55	2024-06-19 10:27:44 +00:00
mikolajbrzezinski	b73b8df892	ACS-6931 Re-enable Veracode SAST Scan (#2690 ) ACS-6931 Re-enable Veracode SAST Scan	2024-06-19 11:51:40 +02:00
alfresco-build	08e49c98dd	[maven-release-plugin][skip ci] prepare for next development iteration	2024-06-18 07:43:10 +00:00
alfresco-build	ba50617181	[maven-release-plugin][skip ci] prepare release 23.3.0.54	2024-06-18 07:43:08 +00:00
Sara	0d621badd7	Merge pull request #2696 from Alfresco/feature/MNT-24205_Bump_ATS_to_4.1.3-A2 MNT-24205 Bump t-core to 5.1.3-A3 and t-service to 4.1.3-A2	2024-06-18 08:07:03 +01:00
alfresco-build	661ddce806	[maven-release-plugin][skip ci] prepare for next development iteration	2024-06-17 14:37:53 +00:00
alfresco-build	aa8b0256e1	[maven-release-plugin][skip ci] prepare release 23.3.0.53	2024-06-17 14:37:50 +00:00
tiagosalvado10	8990581cc1	MNT-24205 Bump t-core to 5.1.3-A3 and t-service to 4.1.3-A2	2024-06-17 14:56:44 +01:00
Kacper Magdziarz	04d76a182a	Bump SS/IE to 2.0.11-A6 (#2694 )	2024-06-17 15:20:02 +02:00
alfresco-build	27fbf633df	[maven-release-plugin][skip ci] prepare for next development iteration	2024-06-17 11:22:54 +00:00
alfresco-build	358ca8dc9e	[maven-release-plugin][skip ci] prepare release 23.3.0.52	2024-06-17 11:22:51 +00:00
rrajoria	9a25862cc9	Update Aos alpha version	2024-06-17 16:05:53 +05:30
alfresco-build	ac7e58ddc5	[maven-release-plugin][skip ci] prepare for next development iteration	2024-06-16 00:06:38 +00:00
alfresco-build	6bcaa1be04	[maven-release-plugin][skip ci] prepare release 23.3.0.51	2024-06-16 00:06:36 +00:00
Alfresco CI User	a1bf0f5480	[force] Force release for 2024-06-16.	2024-06-16 00:03:32 +00:00
alfresco-build	2c3d5dd297	[maven-release-plugin][skip ci] prepare for next development iteration	2024-06-09 00:07:41 +00:00
alfresco-build	6b32d96f08	[maven-release-plugin][skip ci] prepare release 23.3.0.50	2024-06-09 00:07:38 +00:00
Alfresco CI User	69dd388133	[force] Force release for 2024-06-09.	2024-06-09 00:04:05 +00:00
alfresco-build	29106d307f	[maven-release-plugin][skip ci] prepare for next development iteration	2024-06-07 11:35:11 +00:00
alfresco-build	ef8b3578df	[maven-release-plugin][skip ci] prepare release 23.3.0.49	2024-06-07 11:35:08 +00:00
Domenico Sibilio	dc5128b447	ACS-8114 Bump TAS utility to 5.0.1 (#2684 )	2024-06-07 12:58:40 +02:00
alfresco-build	741ac97c3b	[maven-release-plugin][skip ci] prepare for next development iteration	2024-06-06 12:07:03 +00:00
alfresco-build	3f5cb68250	[maven-release-plugin][skip ci] prepare release 23.3.0.48	2024-06-06 12:07:00 +00:00
dependabot[bot]	fdb4f9e338	Bump org.springframework.security:spring-security-bom from 6.2.2 to 6.3.0 (#2658 ) updated-dependencies: - dependency-name: org.springframework.security:spring-security-bom dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2024-06-06 13:29:18 +02:00
alfresco-build	f3f3a1db4b	[maven-release-plugin][skip ci] prepare for next development iteration	2024-06-05 16:18:58 +00:00
alfresco-build	eb922e1c95	[maven-release-plugin][skip ci] prepare release 23.3.0.47	2024-06-05 16:18:55 +00:00
Domenico Sibilio	46da34fabd	ACS-8071 Bump bouncycastle to 1.78.1 (#2682 )	2024-06-05 17:42:17 +02:00
alfresco-build	7dee8314fb	[maven-release-plugin][skip ci] prepare for next development iteration	2024-06-04 08:47:09 +00:00
alfresco-build	f888f8244e	[maven-release-plugin][skip ci] prepare release 23.3.0.46	2024-06-04 08:47:07 +00:00
Kacper Magdziarz	8e3eeb9dd7	[ACS-5648] Add header 'X-Alfresco-Retry-Needed' indicating that recovery mode is on and client should retry later (#2670 ) * [ACS-5648] Add header'X-Alfresco-Retry-Needed' indicating that recovery mode is on and client should retry later * [ACS-5648] Bump ATS to 4.1.3-A1	2024-06-04 10:11:40 +02:00
alfresco-build	012d2f37c7	[maven-release-plugin][skip ci] prepare for next development iteration	2024-06-03 18:42:01 +00:00
alfresco-build	f5f73162bd	[maven-release-plugin][skip ci] prepare release 23.3.0.45	2024-06-03 18:41:58 +00:00
Piotr Żurek	e7a83f2641	ACS-8077 Bump Netty and Camel (#2678 )	2024-06-03 19:56:14 +02:00
alfresco-build	2a300f9b7c	[maven-release-plugin][skip ci] prepare for next development iteration	2024-06-03 11:00:19 +00:00
alfresco-build	ac0ed124aa	[maven-release-plugin][skip ci] prepare release 23.3.0.44	2024-06-03 11:00:17 +00:00
Tom Page	cee2da9700	Merge pull request #2661 from Alfresco/feature/PRODENG-276_implement_service_accounts PRODENG-276: Implement service accounts	2024-06-03 11:24:12 +01:00
alfresco-build	2bc914b649	[maven-release-plugin][skip ci] prepare for next development iteration	2024-06-02 00:06:43 +00:00
Jamal Kaabi-Mofrad	89dd6f7b35	PRODENG-276: Addressed minor comments from peer review.	2024-05-31 14:49:44 +01:00
Jamal Kaabi-Mofrad	c82e8d652a	PRODENG-276: Resolved peer review comments.	2024-05-30 17:29:04 +01:00
Jamal Kaabi-Mofrad	a9a911e77f	PRODENG-276: Resolved PMD issues.	2024-05-30 17:06:24 +01:00
Jamal Kaabi-Mofrad	e59bb3261c	PRODENG-276: Fixed test failures.	2024-05-30 15:57:46 +01:00
Jamal Kaabi-Mofrad	d999558b33	PRODENG-276: Cleanup - Fixed inconsistent spacing issues.	2024-05-24 16:04:49 +01:00
Jamal Kaabi-Mofrad	897bfa8410	PRODENG-276: Implemented three distinct service account roles with varying access levels.	2024-05-24 15:54:10 +01:00