CCM NG/ccm-cms: Moved constants for privileges to extra classes, refactored usages.

git-svn-id: https://svn.libreccm.org/ccm/ccm_ng@4398 8810af33-2d31-482b-a856-94f89814c4df

ccm-cms/src/main/java/com/arsdigita/cms/ContentCenterServlet.java

@@ -45,6 +45,7 @@ import org.libreccm.web.CcmApplication;
 import org.librecms.CmsConstants;
 import org.librecms.contentsection.ContentSection;
 import org.librecms.contentsection.ContentSectionRepository;
+import org.librecms.contentsection.privileges.ItemPrivileges;
 
 import java.io.IOException;
 import java.util.HashMap;
@@ -145,7 +146,7 @@ public class ContentCenterServlet extends BaseApplicationServlet {
         final List<ContentSection> sections = sectionRepo.findAll();
         boolean hasAccess = false;
         for (final ContentSection section : sections) {
-            if (permissionChecker.isPermitted(CmsConstants.PRIVILEGE_ITEMS_EDIT,
+            if (permissionChecker.isPermitted(ItemPrivileges.EDIT,
                                               section.getRootDocumentsFolder())) {
                 hasAccess = true;
                 break;

ccm-cms/src/main/java/com/arsdigita/cms/ContentSectionServlet.java

@@ -68,6 +68,7 @@ import org.librecms.contentsection.ContentItemManager;
 import org.librecms.contentsection.ContentItemRepository;
 import org.librecms.contentsection.ContentSection;
 import org.librecms.contentsection.ContentSectionConfig;
+import org.librecms.contentsection.privileges.ItemPrivileges;
 import org.librecms.lifecycle.Lifecycle;
 
 import javax.enterprise.inject.spi.CDI;
@@ -425,7 +426,7 @@ public class ContentSectionServlet extends BaseApplicationServlet {
             PermissionChecker.class);
         if (s_cacheItems && contentItemManager.isLive(item)) {
             if (permissionChecker.isPermitted(
-                CmsConstants.PRIVILEGE_ITEMS_VIEW_PUBLISHED, item)) {
+                ItemPrivileges.VIEW_PUBLISHED, item)) {
                 DispatcherHelper.cacheForWorld(sresp, expires);
             } else {
                 DispatcherHelper.cacheForUser(sresp, expires);
@@ -540,7 +541,7 @@ public class ContentSectionServlet extends BaseApplicationServlet {
             item = itemResolver.getItem(section, url, CMSDispatcher.PREVIEW);
             if (item != null) {
                 hasPermission = permissionChecker.isPermitted(
-                    CmsConstants.PRIVILEGE_ITEMS_PREVIEW, item);
+                    ItemPrivileges.PREVIEW, item);
             }
         } else {
             if (s_log.isInfoEnabled()) {
@@ -588,7 +589,7 @@ public class ContentSectionServlet extends BaseApplicationServlet {
                 }
 
                 hasPermission = permissionChecker.isPermitted(
-                    CmsConstants.PRIVILEGE_ITEMS_VIEW_PUBLISHED, item);
+                    ItemPrivileges.VIEW_PUBLISHED, item);
 
                 if (hasPermission) {
                 }
@@ -611,7 +612,7 @@ public class ContentSectionServlet extends BaseApplicationServlet {
             item = itemResolver.getItem(section, url, "live");
             if (item != null) {
                 hasPermission = permissionChecker.isPermitted(
-                    CmsConstants.PRIVILEGE_ITEMS_VIEW_PUBLISHED, item);
+                    ItemPrivileges.VIEW_PUBLISHED, item);
             }
         }
 
@@ -747,7 +748,7 @@ public class ContentSectionServlet extends BaseApplicationServlet {
     public static boolean checkAdminAccess(HttpServletRequest request,
                                            ContentSection section) {
         return CdiUtil.createCdiUtil().findBean(PermissionChecker.class)
-            .isPermitted(CmsConstants.PRIVILEGE_ITEMS_EDIT,
+            .isPermitted(ItemPrivileges.EDIT,
                          section.getRootDocumentsFolder());
     }
 

ccm-cms/src/main/java/com/arsdigita/cms/dispatcher/CMSDispatcher.java

@@ -46,6 +46,7 @@ import org.librecms.CmsConstants;
 import org.librecms.contentsection.ContentItem;
 import org.librecms.contentsection.ContentSection;
 import org.librecms.contentsection.ContentSectionRepository;
+import org.librecms.contentsection.privileges.ItemPrivileges;
 
 /**
  * <p>
@@ -281,7 +282,7 @@ public class CMSDispatcher implements Dispatcher, ChainedDispatcher {
                 .findBean(PermissionChecker.class);
 
             if (permissionChecker.isPermitted(
-                CmsConstants.PRIVILEGE_ITEMS_VIEW_PUBLISHED, item)) {
+                ItemPrivileges.VIEW_PUBLISHED, item)) {
                 if (preview) {
                     item = getContentItem(section,
                                           remainingUrl,
@@ -384,13 +385,13 @@ public class CMSDispatcher implements Dispatcher, ChainedDispatcher {
                 return;
             }
             //if (!sm.canAccess(user, SecurityManager.ADMIN_PAGES)) {
-            permissionChecker.checkPermission(CmsConstants.PRIVILEGE_ITEMS_EDIT,
+            permissionChecker.checkPermission(ItemPrivileges.EDIT,
                                               section.getRootDocumentsFolder());
         } else {
             // For public page requests, use the SecurityManager to check access
             // SecurityManager.canAccess(user, SecurityManager.PUBLIC_PAGES) must
             permissionChecker.checkPermission(
-                CmsConstants.PRIVILEGE_ITEMS_VIEW_PUBLISHED,
+                ItemPrivileges.VIEW_PUBLISHED,
                 section.getRootDocumentsFolder());
         }
     }

ccm-cms/src/main/java/com/arsdigita/cms/dispatcher/CMSPage.java

@@ -48,6 +48,7 @@ import org.librecms.CmsConstants;
 import org.librecms.contentsection.ContentItem;
 import org.librecms.contentsection.ContentItemRepository;
 import org.librecms.contentsection.ContentSection;
+import org.librecms.contentsection.privileges.ItemPrivileges;
 
 
 /**
@@ -288,7 +289,7 @@ public class CMSPage extends Page implements ResourceHandler {
             final ContentItem item = itemRepo.findById(Long.parseLong("item_id")).get();
             final PermissionChecker permissionChecker = cdiUtil.findBean(
                 PermissionChecker.class);
-            permissionChecker.checkPermission(CmsConstants.PRIVILEGE_ITEMS_PREVIEW, 
+            permissionChecker.checkPermission(ItemPrivileges.PREVIEW, 
                                               item);
         }
         

ccm-cms/src/main/java/com/arsdigita/cms/dispatcher/ContentSectionDispatcher.java

@@ -30,6 +30,7 @@ import org.libreccm.web.ApplicationManager;
 import org.librecms.CmsConstants;
 import org.librecms.contentsection.ContentItem;
 import org.librecms.contentsection.ContentSection;
+import org.librecms.contentsection.privileges.ItemPrivileges;
 
 import java.io.IOException;
 
@@ -125,7 +126,7 @@ public class ContentSectionDispatcher implements Dispatcher {
                                            ContentSection section) {
 
         return CdiUtil.createCdiUtil().findBean(PermissionChecker.class)
-            .isPermitted(CmsConstants.PRIVILEGE_ITEMS_EDIT, section
+            .isPermitted(ItemPrivileges.EDIT, section
                          .getRootDocumentsFolder());
     }
 

ccm-cms/src/main/java/com/arsdigita/cms/dispatcher/ItemDispatcher.java

@@ -26,7 +26,6 @@ import com.arsdigita.web.LoginSignal;
 
 import java.io.IOException;
 import java.util.Collections;
-import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -38,12 +37,9 @@ import org.apache.log4j.Logger;
 import org.libreccm.cdi.utils.CdiUtil;
 import org.libreccm.security.PermissionChecker;
 import org.libreccm.security.Shiro;
-import org.librecms.CmsConstants;
 import org.librecms.contentsection.ContentItem;
 import org.librecms.contentsection.ContentSection;
-import org.librecms.lifecycle.Lifecycle;
+import org.librecms.contentsection.privileges.ItemPrivileges;
-
-import java.util.logging.Level;
 
 /**
  * Dispatches to the JSP or Servlet for rendering a content item.
@@ -153,7 +149,7 @@ public class ItemDispatcher implements ChainedDispatcher {
 //            if (sm.canAccess((User)null, SecurityManager.PUBLIC_PAGES, item)) {
             if (CdiUtil.createCdiUtil().findBean(PermissionChecker.class)
                 .isPermitted(
-                    CmsConstants.PRIVILEGE_ITEMS_VIEW_PUBLISHED, item)) {
+                    ItemPrivileges.VIEW_PUBLISHED, item)) {
                 DispatcherHelper.cacheForWorld(response, expires);
             } else {
                 DispatcherHelper.cacheForUser(response, expires);
@@ -205,13 +201,13 @@ public class ItemDispatcher implements ChainedDispatcher {
             item = itemResolver.getItem(section, url, "draft");
             if (item != null) {
                 hasPermission = permissionChecker.isPermitted(
-                    CmsConstants.PRIVILEGE_ITEMS_PREVIEW, item);
+                    ItemPrivileges.PREVIEW, item);
             }
         } else {
             item = itemResolver.getItem(section, url, "live");
             if (item != null) {
                 hasPermission = permissionChecker.isPermitted(
-                    CmsConstants.PRIVILEGE_ITEMS_VIEW_PUBLISHED, item);
+                    ItemPrivileges.VIEW_PUBLISHED, item);
             }
         }
 
@@ -223,7 +219,7 @@ public class ItemDispatcher implements ChainedDispatcher {
             item = itemResolver.getItem(section, url, "live");
             if (item != null) {
                 hasPermission = permissionChecker.isPermitted(
-                    CmsConstants.PRIVILEGE_ITEMS_VIEW_PUBLISHED, item);
+                    ItemPrivileges.VIEW_PUBLISHED, item);
             }
         }
         // chris.gilbert@westsussex.gov.uk -  if user is not logged in, give them a chance to do that, else show them the door

ccm-cms/src/main/java/com/arsdigita/cms/dispatcher/ResourceHandlerImpl.java

@@ -24,9 +24,9 @@ import com.arsdigita.util.Assert;
 import org.apache.shiro.authz.AuthorizationException;
 import org.libreccm.cdi.utils.CdiUtil;
 import org.libreccm.security.PermissionChecker;
-import org.librecms.CmsConstants;
 import org.librecms.contentsection.ContentItem;
 import org.librecms.contentsection.ContentSection;
+import org.librecms.contentsection.privileges.ItemPrivileges;
 
 import java.io.IOException;
 
@@ -83,7 +83,7 @@ public abstract class ResourceHandlerImpl implements ResourceHandler {
                                 RequestContext actx,
                                 ContentItem item) {
         if (!CdiUtil.createCdiUtil().findBean(PermissionChecker.class)
-            .isPermitted(CmsConstants.PRIVILEGE_ITEMS_VIEW_PUBLISHED, item)) {
+            .isPermitted(ItemPrivileges.VIEW_PUBLISHED, item)) {
             throw new AuthorizationException(
                 "cms.dispatcher.no_permission_to_access_resource");
         }

ccm-cms/src/main/java/com/arsdigita/cms/ui/contentcenter/ContentSectionContainer.java

@@ -18,23 +18,15 @@
  */
 package com.arsdigita.cms.ui.contentcenter;
 
-import com.arsdigita.bebop.BoxPanel;
-
-import java.math.BigDecimal;
 
 import com.arsdigita.bebop.Component;
 import com.arsdigita.bebop.Embedded;
-import com.arsdigita.bebop.FormProcessException;
 import com.arsdigita.bebop.Label;
 import com.arsdigita.bebop.Link;
 import com.arsdigita.bebop.Page;
 import com.arsdigita.bebop.PageState;
 import com.arsdigita.bebop.SingleSelectionModel;
 import com.arsdigita.bebop.Table;
-import com.arsdigita.bebop.event.FormProcessListener;
-import com.arsdigita.bebop.event.FormSectionEvent;
-import com.arsdigita.bebop.event.FormSubmissionListener;
-import com.arsdigita.bebop.form.Hidden;
 import com.arsdigita.bebop.parameters.BigDecimalParameter;
 import com.arsdigita.bebop.table.TableCellRenderer;
 import com.arsdigita.bebop.table.TableColumn;
@@ -43,24 +35,18 @@ import com.arsdigita.bebop.table.TableModel;
 import com.arsdigita.bebop.table.TableModelBuilder;
 import com.arsdigita.cms.ui.CMSContainer;
 import com.arsdigita.ui.admin.GlobalizationUtil;
-import com.arsdigita.util.Assert;
 import com.arsdigita.util.LockableImpl;
-import com.arsdigita.web.Web;
 
 import org.libreccm.categorization.Category;
 import org.libreccm.cdi.utils.CdiUtil;
 import org.libreccm.security.PermissionChecker;
-import org.libreccm.security.User;
-import org.librecms.CmsConstants;
 import org.librecms.contentsection.ContentSection;
-import org.librecms.contentsection.ContentSectionConfig;
 import org.librecms.contentsection.ContentSectionRepository;
+import org.librecms.contentsection.privileges.ItemPrivileges;
 
-import java.util.Iterator;
 import java.util.List;
 import java.util.stream.Collectors;
 
-import javax.mail.Folder;
 
 /**
  * Displays all the content sections in table, with links to the admin (and in
@@ -171,7 +157,7 @@ public class ContentSectionContainer extends CMSContainer {
 //                    folder = section.getRootDocumentsFolder();
 //
 //                    if (!permissionChecker.isPermitted(
-//                        CmsConstants.PRIVILEGE_ITEMS_CREATE_NEW, folder)) {
+//                        ItemPrivileges.CREATE_NEW, folder)) {
 //                        throw new FormProcessException(
 //                            (GlobalizationUtil.globalize(
 //                             "cms.ui.insufficient_privileges")));
@@ -414,7 +400,7 @@ public class ContentSectionContainer extends CMSContainer {
                 return allSections
                     .stream()
                     .filter(section -> permissionChecker
-                        .isPermitted(CmsConstants.PRIVILEGE_ITEMS_VIEW_PUBLISHED,
+                        .isPermitted(ItemPrivileges.VIEW_PUBLISHED,
                                      section))
                     .collect(Collectors.toList());
             }
@@ -616,7 +602,7 @@ public class ContentSectionContainer extends CMSContainer {
 
             // If the user has no access, return a Label instead of a Link
             if (permissionChecker.isPermitted(
-                CmsConstants.PRIVILEGE_ITEMS_EDIT,
+                ItemPrivileges.EDIT,
                 section.getRootDocumentsFolder())) {
 
                 return new Link(section.getLabel(),

ccm-cms/src/main/java/com/arsdigita/cms/ui/folder/FolderBrowser.java

@@ -76,6 +76,7 @@ import org.librecms.contentsection.ContentItemManager;
 import org.librecms.contentsection.ContentItemRepository;
 import org.librecms.contentsection.ContentSection;
 import org.librecms.contentsection.ContentSectionManager;
+import org.librecms.contentsection.privileges.ItemPrivileges;
 
 import java.util.Date;
 
@@ -218,7 +219,7 @@ public class FolderBrowser extends Table {
         Assert.exists(folder);
 
         final boolean canDelete = permissionChecker.isPermitted(
-            CmsConstants.PRIVILEGE_ITEMS_DELETE, folder);
+            ItemPrivileges.DELETE, folder);
         m_deleteColumn.setVisible(state, canDelete);
     }
 

ccm-cms/src/main/java/com/arsdigita/cms/ui/folder/FolderManipulator.java

@@ -66,16 +66,20 @@ import com.arsdigita.toolbox.ui.ActionGroup;
 import com.arsdigita.util.Assert;
 import com.arsdigita.util.UncheckedWrapperException;
 import com.arsdigita.web.Web;
+
 import java.io.PrintWriter;
 import java.io.StringWriter;
 import java.io.Writer;
+
 import org.apache.log4j.Logger;
 
 import java.math.BigDecimal;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+
 import javax.persistence.TypedQuery;
+
 import org.arsdigita.cms.CMSConfig;
 import org.libreccm.categorization.Category;
 import org.libreccm.categorization.CategoryManager;
@@ -88,6 +92,7 @@ import org.librecms.contentsection.ContentItem;
 import org.librecms.contentsection.ContentItemManager;
 import org.librecms.contentsection.ContentItemRepository;
 import org.librecms.contentsection.ContentSectionConfig;
+import org.librecms.contentsection.privileges.ItemPrivileges;
 
 /**
  * Browse folders and manipulate them with various actions (move/copy/delete).
@@ -550,7 +555,7 @@ public class FolderManipulator extends SimpleContainer implements
             final PermissionChecker permissionChecker = cdiUtil.findBean(
                     PermissionChecker.class);
             if (!permissionChecker.isPermitted(
-                    CmsConstants.PRIVILEGE_ITEMS_CREATE_NEW, target)) {
+                    ItemPrivileges.CREATE_NEW, target)) {
                 data.addError("cms.ui.folder.no_permission_for_item",
                               CmsConstants.CMS_FOLDER_BUNDLE);
             }
@@ -589,7 +594,7 @@ public class FolderManipulator extends SimpleContainer implements
             }
 
             if (!(permissionChecker.isPermitted(
-                  CmsConstants.PRIVILEGE_ITEMS_DELETE, item))
+                  ItemPrivileges.DELETE, item))
                         && isMove(state)) {
                 addErrorMessage(data, "cms.ui.folder.no_permission_for_item",
                                 name);

ccm-cms/src/main/java/com/arsdigita/cms/ui/lifecycle/AddPhaseForm.java

@@ -52,6 +52,7 @@ import com.arsdigita.util.UncheckedWrapperException;
 import org.libreccm.cdi.utils.CdiUtil;
 import org.libreccm.configuration.ConfigurationManager;
 import org.librecms.CmsConstants;
+import org.librecms.contentsection.privileges.AdminPrivileges;
 import org.librecms.lifecycle.LifecycleDefinitionRepository;
 import org.librecms.lifecycle.PhaseDefinititionRepository;
 
@@ -211,7 +212,7 @@ class AddPhaseForm extends CMSForm {
         });
 
         addSubmissionListener(new FormSecurityListener(
-            CmsConstants.PRIVILEGE_ADMINISTER_LIFECYLES));
+            AdminPrivileges.ADMINISTER_LIFECYLES));
 
         addValidationListener(new FormValidationListener() {
 

ccm-cms/src/main/java/com/arsdigita/cms/ui/lifecycle/BaseLifecycleForm.java

@@ -38,6 +38,7 @@ import org.apache.log4j.Logger;
 import org.libreccm.cdi.utils.CdiUtil;
 import org.libreccm.configuration.ConfigurationManager;
 import org.librecms.CmsConstants;
+import org.librecms.contentsection.privileges.AdminPrivileges;
 import org.librecms.lifecycle.LifecycleDefinition;
 
 import java.util.Locale;
@@ -77,7 +78,7 @@ class BaseLifecycleForm extends BaseForm {
         addAction(new Cancel());
 
         addSubmissionListener(new FormSecurityListener(
-            CmsConstants.PRIVILEGE_ADMINISTER_LIFECYLES));
+            AdminPrivileges.ADMINISTER_LIFECYLES));
     }
 
     class NameUniqueListener implements ParameterListener {

ccm-cms/src/main/java/com/arsdigita/cms/ui/lifecycle/DeletePhaseForm.java

@@ -39,6 +39,7 @@ import com.arsdigita.cms.ui.FormSecurityListener;
 
 import org.libreccm.cdi.utils.CdiUtil;
 import org.librecms.CmsConstants;
+import org.librecms.contentsection.privileges.AdminPrivileges;
 import org.librecms.lifecycle.PhaseDefinititionRepository;
 
 import java.math.BigDecimal;
@@ -87,7 +88,7 @@ class DeletePhaseForm extends CMSForm
         addInitListener(this);
 
         addSubmissionListener(new FormSecurityListener(
-            CmsConstants.PRIVILEGE_ADMINISTER_LIFECYLES));
+            AdminPrivileges.ADMINISTER_LIFECYLES));
 
         addProcessListener(this);
     }

ccm-cms/src/main/java/com/arsdigita/cms/ui/lifecycle/EditPhaseForm.java

@@ -48,6 +48,7 @@ import com.arsdigita.kernel.KernelConfig;
 import org.libreccm.cdi.utils.CdiUtil;
 import org.libreccm.configuration.ConfigurationManager;
 import org.librecms.CmsConstants;
+import org.librecms.contentsection.privileges.AdminPrivileges;
 import org.librecms.lifecycle.PhaseDefinititionRepository;
 
 import java.util.Locale;
@@ -202,7 +203,7 @@ class EditPhaseForm extends CMSForm {
         });
 
         addSubmissionListener(new FormSecurityListener(
-            CmsConstants.PRIVILEGE_ADMINISTER_LIFECYLES));
+            AdminPrivileges.ADMINISTER_LIFECYLES));
 
         addValidationListener(new FormValidationListener() {
 

ccm-cms/src/main/java/com/arsdigita/cms/ui/lifecycle/LifecycleAdminContainer.java

@@ -29,21 +29,19 @@ import com.arsdigita.toolbox.ui.SecurityContainer;
 import org.libreccm.cdi.utils.CdiUtil;
 import org.libreccm.security.PermissionChecker;
 import org.librecms.CmsConstants;
-
+import org.librecms.contentsection.privileges.AdminPrivileges;
 
 /**
- * Security container that wraps the canAdministerLifecycles access check
+ * Security container that wraps the canAdministerLifecycles access check around
- * around its components.
+ * its components.
  *
  * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
  * @author <a href="mailto:pihman@arsdigita.com">Michael Pih</a>
  */
 public class LifecycleAdminContainer extends SecurityContainer {
 
-
     /**
-     * This default constructor should be followed by calls to
+     * This default constructor should be followed by calls to <code>add</code>.
-     * <code>add</code>.
      */
     public LifecycleAdminContainer() {
         super();
@@ -62,14 +60,17 @@ public class LifecycleAdminContainer extends SecurityContainer {
      * Returns true if the current user can access the child component.
      *
      * @param state The page state
+     *
      * @return true if the access checks pass, false otherwise
      */
     @Override
     protected boolean canAccess(final Party party, final PageState state) {
         final CdiUtil cdiUtil = CdiUtil.createCdiUtil();
-        final PermissionChecker permissionChecker = cdiUtil.findBean(PermissionChecker.class);
+        final PermissionChecker permissionChecker = cdiUtil.findBean(
+            PermissionChecker.class);
 
-        return permissionChecker.isPermitted(CmsConstants.PRIVILEGE_ADMINISTER_LIFECYLES);
+        return permissionChecker.isPermitted(
+            AdminPrivileges.ADMINISTER_LIFECYLES);
     }
 
 }

ccm-cms/src/main/java/com/arsdigita/cms/ui/lifecycle/LifecycleAdminPane.java

@@ -36,13 +36,15 @@ import org.apache.log4j.Logger;
 import org.libreccm.cdi.utils.CdiUtil;
 import org.librecms.CmsConstants;
 import org.librecms.contentsection.ContentSectionManager;
+import org.librecms.contentsection.privileges.AdminPrivileges;
 import org.librecms.lifecycle.Lifecycle;
 import org.librecms.lifecycle.LifecycleDefinitionRepository;
 
 import java.math.BigDecimal;
 
 /**
- * <p>This class contains the split pane for the lifecycle administration
+ * <p>
+ * This class contains the split pane for the lifecycle administration
  * interface.</p>
  *
  * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
@@ -66,7 +68,6 @@ public class LifecycleAdminPane extends BaseAdminPane {
 
         // XXX secvis
         //add(new LifecycleAdminContainer(m_addLink));
-
         setAdd(gz("cms.ui.lifecycle.add"),
                new LifecycleAddForm(m_model));
         setEdit(gz("cms.ui.lifecycle.edit"),
@@ -82,38 +83,42 @@ public class LifecycleAdminPane extends BaseAdminPane {
     }
 
     private class SelectionRequestLocal
-            extends LifecycleDefinitionRequestLocal {
+        extends LifecycleDefinitionRequestLocal {
+
         @Override
         protected final Object initialValue(final PageState state) {
             final String id = m_model.getSelectedKey(state).toString();
 
             final CdiUtil cdiUtil = CdiUtil.createCdiUtil();
-            final LifecycleDefinitionRepository lifecycleDefRepo = cdiUtil.findBean(LifecycleDefinitionRepository.class);
+            final LifecycleDefinitionRepository lifecycleDefRepo = cdiUtil
+                .findBean(LifecycleDefinitionRepository.class);
 
             return lifecycleDefRepo.findById(Long.parseLong(id));
         }
+
     }
 
     private final class DeleteForm extends BaseDeleteForm {
+
         DeleteForm() {
             super(new Label(gz("cms.ui.lifecycle.delete_prompt")));
 
-            addSubmissionListener
+            addSubmissionListener(new FormSecurityListener(
-                (new FormSecurityListener(CmsConstants.PRIVILEGE_ADMINISTER_LIFECYLES));
+                AdminPrivileges.ADMINISTER_LIFECYLES));
         }
 
         public final void process(final FormSectionEvent event)
-                throws FormProcessException {
+            throws FormProcessException {
             final PageState state = event.getPageState();
-            final ContentSection section =
+            final ContentSection section = CMS.getContext().getContentSection();
-                CMS.getContext().getContentSection();
+            final LifecycleDefinition definition = m_definition
-            final LifecycleDefinition definition =
+                .getLifecycleDefinition(state);
-                m_definition.getLifecycleDefinition(state);
 
             final CdiUtil cdiUtil = CdiUtil.createCdiUtil();
             final ContentSectionManager sectionManager = cdiUtil.findBean(
                 ContentSectionManager.class);
-            final LifecycleDefinitionRepository lifecycleDefRepo = cdiUtil.findBean(LifecycleDefinitionRepository.class);
+            final LifecycleDefinitionRepository lifecycleDefRepo = cdiUtil
+                .findBean(LifecycleDefinitionRepository.class);
 
             sectionManager.removeLifecycleDefinitionFromContentSection(
                 definition, section);
@@ -121,5 +126,7 @@ public class LifecycleAdminPane extends BaseAdminPane {
 
             m_model.clearSelection(state);
         }
+
     }
+
 }

ccm-cms/src/main/java/com/arsdigita/cms/ui/lifecycle/LifecycleItemPane.java

@@ -46,6 +46,7 @@ import org.libreccm.cdi.utils.CdiUtil;
 import org.libreccm.configuration.ConfigurationManager;
 import org.libreccm.security.PermissionChecker;
 import org.librecms.CmsConstants;
+import org.librecms.contentsection.privileges.AdminPrivileges;
 import org.librecms.lifecycle.PhaseDefinititionRepository;
 
 import java.util.Locale;
@@ -235,7 +236,7 @@ class LifecycleItemPane extends BaseItemPane {
             PermissionChecker.class);
 
         return permissionChecker.isPermitted(
-            CmsConstants.PRIVILEGE_ADMINISTER_LIFECYLES);
+            AdminPrivileges.ADMINISTER_LIFECYLES);
     }
 
     @Override

ccm-cms/src/main/java/com/arsdigita/cms/ui/role/BaseRoleForm.java

@@ -32,12 +32,14 @@ import com.arsdigita.cms.ui.BaseForm;
 import com.arsdigita.globalization.GlobalizedMessage;
 import com.arsdigita.ui.admin.GlobalizationUtil;
 import com.arsdigita.util.UncheckedWrapperException;
+
 import org.apache.log4j.Logger;
 import org.libreccm.cdi.utils.CdiUtil;
 import org.libreccm.security.PermissionManager;
 import org.libreccm.security.Role;
 import org.librecms.CmsConstants;
 import org.librecms.contentsection.ContentSection;
+import org.librecms.contentsection.privileges.AdminPrivileges;
 
 import java.util.*;
 
@@ -78,7 +80,7 @@ class BaseRoleForm extends BaseForm {
         addAction(new Finish());
         addAction(new Cancel());
 
-        addSecurityListener(CmsConstants.PRIVILEGE_ADMINISTER_ROLES);
+        addSecurityListener(AdminPrivileges.ADMINISTER_ROLES);
     }
 
     private class PrivilegePrinter implements PrintListener {

ccm-cms/src/main/java/com/arsdigita/cms/ui/role/BaseRoleItemPane.java

@@ -30,11 +30,13 @@ import com.arsdigita.kernel.KernelConfig;
 import com.arsdigita.toolbox.ui.ActionGroup;
 import com.arsdigita.toolbox.ui.PropertyList;
 import com.arsdigita.toolbox.ui.Section;
+
 import org.apache.log4j.Logger;
 import org.libreccm.cdi.utils.CdiUtil;
 import org.libreccm.configuration.ConfigurationManager;
 import org.libreccm.security.*;
 import org.librecms.CmsConstants;
+import org.librecms.contentsection.privileges.AdminPrivileges;
 
 import java.util.stream.Collectors;
 
@@ -92,7 +94,7 @@ class BaseRoleItemPane extends BaseItemPane {
 
     private class AdminVisible extends VisibilityComponent {
         AdminVisible(final Component child) {
-            super(child, CmsConstants.PRIVILEGE_ADMINISTER_ROLES);
+            super(child, AdminPrivileges.ADMINISTER_ROLES);
         }
     }
 
@@ -180,7 +182,7 @@ class BaseRoleItemPane extends BaseItemPane {
                 final PageState state = e.getPageState();
                 final PermissionChecker permissionChecker = cdiUtil.findBean(PermissionChecker.class);
 
-                if (!permissionChecker.isPermitted(CmsConstants.PRIVILEGE_ADMINISTER_ROLES)) {
+                if (!permissionChecker.isPermitted(AdminPrivileges.ADMINISTER_ROLES)) {
                     throw new FormProcessException(
                             new GlobalizedMessage("cms.ui.role.insufficient_privileges", CmsConstants.CMS_BUNDLE));
                 }

ccm-cms/src/main/java/com/arsdigita/cms/ui/role/RoleAdminPane.java

@@ -39,19 +39,22 @@ import com.arsdigita.cms.ui.VisibilityComponent;
 import com.arsdigita.toolbox.ui.ActionGroup;
 import com.arsdigita.toolbox.ui.Section;
 import com.arsdigita.util.LockableImpl;
+
 import org.apache.log4j.Logger;
 import org.libreccm.cdi.utils.CdiUtil;
 import org.libreccm.security.Role;
 import org.libreccm.security.RoleRepository;
 import org.librecms.CmsConstants;
 import org.librecms.contentsection.ContentSection;
+import org.librecms.contentsection.privileges.AdminPrivileges;
 
 /**
  * Provides the logic to administer {@link Role roles}.
  *
- * NOTE: Prior, this class managed two {@link ListModelBuilder}.
+ * NOTE: Prior, this class managed two {@link ListModelBuilder}. The reason
- * The reason being, that roles where differentiated between Viewer and Member groups.
+ * being, that roles where differentiated between Viewer and Member groups.
- * Since this is no longer the case, there exists only the {@link RoleListModelBuilder} now.
+ * Since this is no longer the case, there exists only the
+ * {@link RoleListModelBuilder} now.
  *
  * @author <a href="mailto:yannick.buelter@yabue.de">Yannick Bülter</a>
  * @author Justin Ross &lt;jross@redhat.com&gt;
@@ -66,8 +69,8 @@ public class RoleAdminPane extends BaseAdminPane {
     private final List m_roles;
 
     public RoleAdminPane() {
-        m_model = new ParameterSingleSelectionModel
+        m_model = new ParameterSingleSelectionModel(new StringParameter(
-            (new StringParameter(List.SELECTED));
+            List.SELECTED));
         setSelectionModel(m_model);
 
         m_model.addChangeListener(new SelectionListener());
@@ -77,7 +80,6 @@ public class RoleAdminPane extends BaseAdminPane {
         m_roles = new List(new RoleListModelBuilder());
         m_roles.setSelectionModel(m_model);
 
-
         final SimpleContainer left = new SimpleContainer();
         setLeft(left);
 
@@ -102,53 +104,63 @@ public class RoleAdminPane extends BaseAdminPane {
 
             group.setSubject(m_roles);
 
-            final ActionLink link = new ActionLink
+            final ActionLink link = new ActionLink(new Label(gz(
-                    (new Label(gz("cms.ui.role.staff.add")));
+                "cms.ui.role.staff.add")));
 
-            group.addAction(new VisibilityComponent(link, CmsConstants.PRIVILEGE_ADMINISTER_ROLES),
+            group.addAction(new VisibilityComponent(
-                    ActionGroup.ADD);
+                link,
+                AdminPrivileges.ADMINISTER_ROLES),
+                            ActionGroup.ADD);
 
             final RoleAddForm form = new RoleAddForm(m_model);
             getBody().add(form);
             getBody().connect(link, form);
         }
+
     }
 
     private class SelectionListener implements ChangeListener {
+
         @Override
         public final void stateChanged(final ChangeEvent e) {
-            s_log.debug("Selection state changed; I may change " +
+            s_log.debug("Selection state changed; I may change "
-                        "the body's visible pane");
+                            + "the body's visible pane");
 
             final PageState state = e.getPageState();
 
             getBody().reset(state);
 
             if (m_model.isSelected(state)) {
-                s_log.debug("The selection model is selected; displaying " +
+                s_log.debug("The selection model is selected; displaying "
-                            "the item pane");
+                                + "the item pane");
 
                 getBody().push(state, getItemPane());
             }
         }
+
     }
 
     private class SelectionRequestLocal extends RoleRequestLocal {
+
         @Override
         protected final Object initialValue(final PageState state) {
-            final Long id = Long.parseLong(m_model.getSelectedKey(state).toString());
+            final Long id = Long.parseLong(m_model.getSelectedKey(state)
+                .toString());
             final CdiUtil cdiUtil = CdiUtil.createCdiUtil();
-            final RoleRepository roleRepository = cdiUtil.findBean(RoleRepository.class);
+            final RoleRepository roleRepository = cdiUtil.findBean(
+                RoleRepository.class);
 
             return roleRepository.findById(id);
         }
+
     }
 
     /**
-     * This builder provides a list model of the {@link Role roles} which correspond to the {@link ContentSection}
+     * This builder provides a list model of the {@link Role roles} which
-     * in this context.
+     * correspond to the {@link ContentSection} in this context.
      */
-    private static class RoleListModelBuilder extends LockableImpl implements  ListModelBuilder {
+    private static class RoleListModelBuilder extends LockableImpl implements
+        ListModelBuilder {
 
         RoleListModelBuilder() {
             super();
@@ -160,31 +172,37 @@ public class RoleAdminPane extends BaseAdminPane {
 
             return new RoleListModel(section.getRoles());
         }
+
     }
 
     /**
      * Provides a simple delete form to remove a {@link Role}.
      */
     private class DeleteForm extends BaseDeleteForm {
+
         DeleteForm() {
             super(gz("cms.ui.role.delete_prompt"));
 
-            addSecurityListener(CmsConstants.PRIVILEGE_ADMINISTER_ROLES);
+            addSecurityListener(AdminPrivileges.ADMINISTER_ROLES);
         }
 
         @Override
         public final void process(final FormSectionEvent e)
-                throws FormProcessException {
+            throws FormProcessException {
             final PageState state = e.getPageState();
 
             final CdiUtil cdiUtil = CdiUtil.createCdiUtil();
-            final RoleRepository roleRepository = cdiUtil.findBean(RoleRepository.class);
+            final RoleRepository roleRepository = cdiUtil.findBean(
-            final Long id = Long.parseLong(m_model.getSelectedKey(state).toString());
+                RoleRepository.class);
+            final Long id = Long.parseLong(m_model.getSelectedKey(state)
+                .toString());
             final Role role = roleRepository.findById(id);
 
             roleRepository.delete(role);
 
             m_model.clearSelection(state);
         }
+
     }
+
 }

ccm-cms/src/main/java/com/arsdigita/cms/ui/role/RolePartyAddForm.java

@@ -28,10 +28,12 @@ import com.arsdigita.cms.ui.FormSecurityListener;
 import com.arsdigita.cms.ui.PartyAddForm;
 import com.arsdigita.ui.admin.GlobalizationUtil;
 import com.arsdigita.util.Assert;
+
 import org.apache.log4j.Logger;
 import org.libreccm.cdi.utils.CdiUtil;
 import org.libreccm.security.*;
 import org.librecms.CmsConstants;
+import org.librecms.contentsection.privileges.AdminPrivileges;
 
 import java.util.Arrays;
 import java.util.List;
@@ -62,7 +64,7 @@ class RolePartyAddForm extends PartyAddForm {
         m_roles = roles;
 
         getForm().addSubmissionListener
-            (new FormSecurityListener(CmsConstants.PRIVILEGE_ADMINISTER_ROLES));
+            (new FormSecurityListener(AdminPrivileges.ADMINISTER_ROLES));
     }
 
 

ccm-cms/src/main/java/com/arsdigita/cms/ui/workflow/BaseTaskForm.java

@@ -39,6 +39,7 @@ import org.libreccm.cdi.utils.CdiUtil;
 import org.libreccm.workflow.TaskRepository;
 import org.libreccm.workflow.WorkflowManager;
 import org.librecms.CmsConstants;
+import org.librecms.contentsection.privileges.AdminPrivileges;
 import org.librecms.workflow.CmsTaskTypeRepository;
 
 import java.util.HashMap;
@@ -92,7 +93,7 @@ class BaseTaskForm extends BaseForm {
         addAction(new Finish());
         addAction(new Cancel());
 
-        addSecurityListener(CmsConstants.PRIVILEGE_ADMINISTER_WORKFLOW);
+        addSecurityListener(AdminPrivileges.ADMINISTER_WORKFLOW);
         addValidationListener(new ValidationListener());
     }
 

ccm-cms/src/main/java/com/arsdigita/cms/ui/workflow/BaseWorkflowForm.java

@@ -25,6 +25,7 @@ import com.arsdigita.cms.ui.BaseForm;
 import com.arsdigita.globalization.GlobalizedMessage;
 
 import org.librecms.CmsConstants;
+import org.librecms.contentsection.privileges.AdminPrivileges;
 
 /**
  * <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
@@ -50,7 +51,7 @@ class BaseWorkflowForm extends BaseForm {
         addAction(new Finish());
         addAction(new Cancel());
 
-        addSecurityListener(CmsConstants.PRIVILEGE_ADMINISTER_WORKFLOW);
+        addSecurityListener(AdminPrivileges.ADMINISTER_WORKFLOW);
         addValidationListener(new ValidationListener());
     }
 

ccm-cms/src/main/java/com/arsdigita/cms/ui/workflow/BaseWorkflowItemPane.java

@@ -50,6 +50,7 @@ import org.libreccm.workflow.TaskRepository;
 import org.libreccm.workflow.Workflow;
 import org.libreccm.workflow.WorkflowManager;
 import org.librecms.CmsConstants;
+import org.librecms.contentsection.privileges.AdminPrivileges;
 import org.librecms.workflow.CmsTaskTypeRepository;
 
 import java.math.BigDecimal;
@@ -128,7 +129,7 @@ abstract class BaseWorkflowItemPane extends BaseItemPane {
     protected class AdminVisible extends VisibilityComponent {
 
         public AdminVisible(final Component child) {
-            super(child, CmsConstants.PRIVILEGE_ADMINISTER_WORKFLOW);
+            super(child, AdminPrivileges.ADMINISTER_WORKFLOW);
         }
 
     }
@@ -186,7 +187,7 @@ abstract class BaseWorkflowItemPane extends BaseItemPane {
         TaskDeleteForm() {
             super(new Label(gz("cms.ui.workflow.task.delete_prompt")));
 
-            addSecurityListener(CmsConstants.PRIVILEGE_ADMINISTER_WORKFLOW);
+            addSecurityListener(AdminPrivileges.ADMINISTER_WORKFLOW);
         }
 
         @Override

ccm-cms/src/main/java/com/arsdigita/cms/ui/workflow/TaskAddRole.java

@@ -52,6 +52,7 @@ import org.libreccm.security.RoleRepository;
 import org.libreccm.workflow.TaskAssignment;
 import org.libreccm.workflow.WorkflowManager;
 import org.librecms.CmsConstants;
+import org.librecms.contentsection.privileges.AdminPrivileges;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -158,7 +159,7 @@ class TaskAddRole extends CMSForm {
                 PermissionChecker.class);
 
             if (!permissionChecker.isPermitted(
-                CmsConstants.PRIVILEGE_ADMINISTER_WORKFLOW)) {
+                AdminPrivileges.ADMINISTER_WORKFLOW)) {
                 throw new FormProcessException(
                     new GlobalizedMessage(
                         "cms.ui.workflow.insufficient_privileges",

ccm-cms/src/main/java/com/arsdigita/cms/ui/workflow/TaskItemPane.java

@@ -52,6 +52,7 @@ import org.libreccm.workflow.Task;
 import org.libreccm.workflow.UserTask;
 import org.libreccm.workflow.WorkflowManager;
 import org.librecms.CmsConstants;
+import org.librecms.contentsection.privileges.AdminPrivileges;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -119,13 +120,13 @@ final class TaskItemPane extends BaseItemPane {
             PermissionChecker.class);
 
         return permissionChecker.isPermitted(
-            CmsConstants.PRIVILEGE_ADMINISTER_WORKFLOW);
+            AdminPrivileges.ADMINISTER_WORKFLOW);
     }
 
     private class AdminVisible extends VisibilityComponent {
 
         public AdminVisible(final Component child) {
-            super(child, CmsConstants.PRIVILEGE_ADMINISTER_WORKFLOW);
+            super(child, AdminPrivileges.ADMINISTER_WORKFLOW);
         }
 
     }

ccm-cms/src/main/java/com/arsdigita/cms/ui/workflow/WorkflowAdminPane.java

@@ -28,13 +28,11 @@ import com.arsdigita.cms.ui.VisibilityComponent;
 
 import org.libreccm.cdi.utils.CdiUtil;
 import org.libreccm.workflow.Workflow;
-import org.libreccm.workflow.WorkflowManager;
 import org.libreccm.workflow.WorkflowRepository;
-import org.libreccm.workflow.WorkflowTemplate;
 import org.libreccm.workflow.WorkflowTemplateRepository;
 import org.librecms.CmsConstants;
 
-import java.math.BigDecimal;
+import org.librecms.contentsection.privileges.AdminPrivileges;
 
 /**
  * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
@@ -60,7 +58,7 @@ public final class WorkflowAdminPane extends BaseAdminPane {
                                          getDeleteLink()));
 
         addAction(new VisibilityComponent(
-            getAddLink(), CmsConstants.PRIVILEGE_ADMINISTER_WORKFLOW));
+            getAddLink(), AdminPrivileges.ADMINISTER_WORKFLOW));
     }
 
     private class DeleteForm extends BaseDeleteForm {
@@ -68,7 +66,7 @@ public final class WorkflowAdminPane extends BaseAdminPane {
         DeleteForm() {
             super(gz("cms.ui.workflow.delete_prompt"));
 
-            addSecurityListener(CmsConstants.PRIVILEGE_ADMINISTER_WORKFLOW);
+            addSecurityListener(AdminPrivileges.ADMINISTER_WORKFLOW);
         }
 
         @Override

ccm-cms/src/main/java/org/librecms/CmsConstants.java

@@ -29,45 +29,27 @@ public class CmsConstants {
     public static final String DB_SCHEMA = "CCM_CMS";
 
     public static final String CMS_BUNDLE = "org.librecms.CmsResources";
-    public static final String CMS_FOLDER_BUNDLE = "com.arsdigita.cms.ui.folder.CMSFolderResources";
+    public static final String CMS_FOLDER_BUNDLE
+                               = "com.arsdigita.cms.ui.folder.CMSFolderResources";
 
-    public static final String CONTENT_CENTER_APP_TYPE = "com.arsdigita.cms.ContentCenter";
+    public static final String CONTENT_CENTER_APP_TYPE
+                               = "com.arsdigita.cms.ContentCenter";
     public static final String CONTENT_CENTER_URL = "/content-center/";
-    public static final String CONTENT_CENTER_DESC_BUNDLE = "org.librecms.contentcenter.ContentCenterResources";
+    public static final String CONTENT_CENTER_DESC_BUNDLE
+                               = "org.librecms.contentcenter.ContentCenterResources";
 
     public static final String CONTENT_SECTION_APP_TYPE
-                               = "org.librecms.contentsection.ContentSection";
+                                   = "org.librecms.contentsection.ContentSection";
     public static final String CONTENT_SECTION_SERVLET_PATH
-                               = "/templates/servlet/content-section/*";
+                                   = "/templates/servlet/content-section/*";
     public static final String CONTENT_SECTION_DESC_BUNDLE
-                               = "org.librecms.contentsection.ContentSectionResources";
+                                   = "org.librecms.contentsection.ContentSectionResources";
 
     public static final String CONTENT_SECTION_PAGE = "/admin";
     public static final String CONTENT_SECTION_ITEM_PAGE = "/item";
 
     public static final String CATEGORIZATION_TYPE_FOLDER = "folder";
 
-    public static final String PRIVILEGE_ADMINISTER_CATEGORIES
-                               = "administer_categories";
-    public static final String PRIVILEGE_ADMINISTER_CONTENT_TYPES
-                               = "administer_content_types";
-    public static final String PRIVILEGE_ADMINISTER_LIFECYLES
-                               = "administer_lifecyles";
-    public static final String PRIVILEGE_ADMINISTER_ROLES = "administer_roles";
-    public static final String PRIVILEGE_ADMINISTER_WORKFLOW
-                               = "administer_workflow";
-    public static final String PRIVILEGE_ITEMS_APPROVE = "approve_items";
-    public static final String PRIVILEGE_ITEMS_PUBLISH = "publish_items";
-    public static final String PRIVILEGE_ITEMS_CATEGORIZE = "categorize_items";
-    public static final String PRIVILEGE_ITEMS_CREATE_NEW = "create_new_items";
-    public static final String PRIVILEGE_ITEMS_DELETE = "delete_items";
-    public static final String PRIVILEGE_ITEMS_EDIT = "edit_items";
-    public static final String PRIVILEGE_ITEMS_PREVIEW = "preview_items";
-    public static final String PRIVILEGE_ITEMS_VIEW_PUBLISHED
-                               = "view_published_items";
-    public static final String PRIVILEGE_APPLY_ALTERNATE_WORKFLOW
-                               = "apply_alternate_workflow";
-
     /**
      * Constant string used as key for creating service package as a legacy
      * application.

ccm-cms/src/main/java/org/librecms/assets/AssetManager.java

@@ -20,10 +20,12 @@ package org.librecms.assets;
 
 import java.util.List;
 import java.util.Optional;
+
 import javax.enterprise.context.RequestScoped;
 import javax.inject.Inject;
 import javax.persistence.EntityManager;
 import javax.transaction.Transactional;
+
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.libreccm.categorization.CategoryManager;
@@ -36,6 +38,8 @@ import org.librecms.contentsection.ContentSection;
 import org.librecms.contentsection.Folder;
 import org.librecms.contentsection.FolderManager;
 import org.librecms.contentsection.FolderRepository;
+import org.librecms.contentsection.privileges.AssetPrivileges;
+import org.librecms.contentsection.privileges.ItemPrivileges;
 
 /**
  * Provides methods for managing {@link Asset}s, especially sharable
@@ -80,7 +84,7 @@ public class AssetManager {
     @Transactional(Transactional.TxType.REQUIRED)
     public <T extends Asset> T createAsset(
             final String name,
-            @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_EDIT)
+            @RequiresPrivilege(ItemPrivileges.EDIT)
             final AttachmentList attachments,
             final Class<T> type) {
         throw new UnsupportedOperationException("Not implemented yet.");
@@ -104,7 +108,7 @@ public class AssetManager {
     @Transactional(Transactional.TxType.REQUIRED)
     public <T extends Asset> T createAsset(
             final String name,
-            @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_CREATE_NEW)
+            @RequiresPrivilege(AssetPrivileges.CREATE_NEW)
             final Folder folder,
             final Class<T> type) {
         throw new UnsupportedOperationException("Not implemented yet.");
@@ -159,9 +163,9 @@ public class AssetManager {
     @AuthorizationRequired
     @Transactional(Transactional.TxType.REQUIRED)
     public void move(
-            @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_EDIT)
+            @RequiresPrivilege(AssetPrivileges.EDIT)
             final Asset asset,
-            @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_EDIT)
+            @RequiresPrivilege(AssetPrivileges.CREATE_NEW)
             final Folder targetFolder) {
         throw new UnsupportedOperationException("Not implemented yet.");
     }
@@ -175,7 +179,7 @@ public class AssetManager {
     @Transactional(Transactional.TxType.REQUIRED)
     @AuthorizationRequired
     public void copy(final Asset asset,
-                     @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_CREATE_NEW)
+                     @RequiresPrivilege(AssetPrivileges.CREATE_NEW)
                      final Folder targetFolder) {
         throw new UnsupportedOperationException("Not implemented yet.");
     }

ccm-cms/src/main/java/org/librecms/assets/AssetRepository.java

@@ -29,6 +29,7 @@ import org.libreccm.security.AuthorizationRequired;
 import org.libreccm.security.RequiresPrivilege;
 import org.librecms.CmsConstants;
 import org.librecms.contentsection.Folder;
+import org.librecms.contentsection.privileges.AssetPrivileges;
 
 import java.util.List;
 import java.util.Optional;
@@ -89,6 +90,15 @@ public class AssetRepository
         }
     }
 
+    @AuthorizationRequired
+    @Transactional(Transactional.TxType.REQUIRED)
+    @Override
+    public void save(
+        @RequiresPrivilege(AssetPrivileges.EDIT)
+        final Asset asset) {
+        
+    }
+    
     /**
      * Deletes an <strong>unused</strong> Asset. If the {@link Asset} is in use
      * (linked to at least one ContentItem) an {@link AssetInUseException} is
@@ -103,7 +113,7 @@ public class AssetRepository
     @Transactional(Transactional.TxType.REQUIRED)
     @Override
     public void delete(
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_DELETE)
+        @RequiresPrivilege(AssetPrivileges.DELETE)
         final Asset asset) {
 
         if (asset.getItemAttachments().isEmpty()) {

ccm-cms/src/main/java/org/librecms/contentsection/ContentItemL10NManager.java

@@ -26,6 +26,7 @@ import org.libreccm.l10n.LocalizedString;
 import org.libreccm.security.AuthorizationRequired;
 import org.libreccm.security.RequiresPrivilege;
 import org.librecms.CmsConstants;
+import org.librecms.contentsection.privileges.ItemPrivileges;
 
 import java.beans.IntrospectionException;
 import java.beans.Introspector;
@@ -147,7 +148,7 @@ public class ContentItemL10NManager {
     @AuthorizationRequired
     @Transactional(Transactional.TxType.REQUIRED)
     public void addLanguage(
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_EDIT)
+        @RequiresPrivilege(ItemPrivileges.EDIT)
         final ContentItem item,
         final Locale locale) {
 
@@ -218,7 +219,7 @@ public class ContentItemL10NManager {
     @AuthorizationRequired
     @Transactional(Transactional.TxType.REQUIRED)
     public void removeLangauge(
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_EDIT)
+        @RequiresPrivilege(ItemPrivileges.EDIT)
         final ContentItem item,
         final Locale locale) {
 
@@ -265,7 +266,7 @@ public class ContentItemL10NManager {
     @AuthorizationRequired
     @Transactional(Transactional.TxType.REQUIRED)
     public void normalizedLanguages(
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_EDIT)
+        @RequiresPrivilege(ItemPrivileges.EDIT)
         final ContentItem item) {
 
         if (item == null) {

ccm-cms/src/main/java/org/librecms/contentsection/ContentItemManager.java

@@ -47,6 +47,7 @@ import org.libreccm.security.RequiresPrivilege;
 import org.libreccm.workflow.Workflow;
 import org.libreccm.workflow.WorkflowManager;
 import org.librecms.CmsConstants;
+import org.librecms.contentsection.privileges.ItemPrivileges;
 import org.librecms.lifecycle.Lifecycle;
 import org.librecms.lifecycle.LifecycleManager;
 
@@ -125,7 +126,7 @@ public class ContentItemManager {
     public <T extends ContentItem> T createContentItem(
         final String name,
         final ContentSection section,
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_CREATE_NEW)
+        @RequiresPrivilege(ItemPrivileges.CREATE_NEW)
         final Folder folder,
         final Class<T> type) {
 
@@ -174,7 +175,7 @@ public class ContentItemManager {
     public <T extends ContentItem> T createContentItem(
         final String name,
         final ContentSection section,
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_CREATE_NEW)
+        @RequiresPrivilege(ItemPrivileges.CREATE_NEW)
         final Folder folder,
         final WorkflowTemplate workflowTemplate,
         final Class<T> type) {
@@ -250,9 +251,9 @@ public class ContentItemManager {
     @AuthorizationRequired
     @Transactional(Transactional.TxType.REQUIRED)
     public void move(
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_EDIT)
+        @RequiresPrivilege(ItemPrivileges.EDIT)
         final ContentItem item,
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_CREATE_NEW)
+        @RequiresPrivilege(ItemPrivileges.CREATE_NEW)
         final Folder targetFolder) {
         if (item == null) {
             throw new IllegalArgumentException("The item to move can't be null.");
@@ -322,7 +323,7 @@ public class ContentItemManager {
     @SuppressWarnings("unchecked")
     public ContentItem copy(
         final ContentItem item,
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_CREATE_NEW)
+        @RequiresPrivilege(ItemPrivileges.CREATE_NEW)
         final Folder targetFolder) {
         if (item == null) {
             throw new IllegalArgumentException("The item to copy can't be null.");
@@ -563,7 +564,7 @@ public class ContentItemManager {
     @AuthorizationRequired
     @Transactional(Transactional.TxType.REQUIRED)
     public ContentItem publish(
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_PUBLISH)
+        @RequiresPrivilege(ItemPrivileges.PUBLISH)
         final ContentItem item) {
 
         if (item == null) {
@@ -591,7 +592,7 @@ public class ContentItemManager {
     @Transactional(Transactional.TxType.REQUIRED)
     @SuppressWarnings("unchecked")
     public ContentItem publish(
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_PUBLISH)
+        @RequiresPrivilege(ItemPrivileges.PUBLISH)
         final ContentItem item,
         final LifecycleDefinition lifecycleDefinition) {
         if (item == null) {
@@ -787,7 +788,7 @@ public class ContentItemManager {
     @AuthorizationRequired
     @Transactional(Transactional.TxType.REQUIRED)
     public void publish(
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_PUBLISH)
+        @RequiresPrivilege(ItemPrivileges.PUBLISH)
         final Folder folder) {
 
         // Ensure that we are using a fresh folder and that the folder was 
@@ -811,7 +812,7 @@ public class ContentItemManager {
     @AuthorizationRequired
     @Transactional(Transactional.TxType.REQUIRED)
     public void unpublish(
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_PUBLISH)
+        @RequiresPrivilege(ItemPrivileges.PUBLISH)
         final ContentItem item) {
         if (item == null) {
             throw new IllegalArgumentException(
@@ -860,7 +861,7 @@ public class ContentItemManager {
     @AuthorizationRequired
     @Transactional(Transactional.TxType.REQUIRED)
     public void unpublish(
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_PUBLISH)
+        @RequiresPrivilege(ItemPrivileges.PUBLISH)
         final Folder folder) {
 
         // Ensure that we are using a fresh folder and that the folder was 
@@ -910,7 +911,7 @@ public class ContentItemManager {
     @Transactional(Transactional.TxType.REQUIRED)
     @SuppressWarnings({"unchecked"})
     public <T extends ContentItem> Optional<T> getLiveVersion(
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_VIEW_PUBLISHED)
+        @RequiresPrivilege(ItemPrivileges.VIEW_PUBLISHED)
         final ContentItem item,
         final Class<T> type) {
 
@@ -972,7 +973,7 @@ public class ContentItemManager {
     @Transactional(Transactional.TxType.REQUIRED)
     @SuppressWarnings("unchecked")
     public <T extends ContentItem> T getDraftVersion(
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_PREVIEW)
+        @RequiresPrivilege(ItemPrivileges.PREVIEW)
         final ContentItem item,
         final Class<T> type) {
 

ccm-cms/src/main/java/org/librecms/contentsection/ContentSectionManager.java

@@ -44,12 +44,14 @@ import javax.persistence.TypedQuery;
 import javax.transaction.Transactional;
 
 import org.librecms.CmsConstants;
+import org.librecms.contentsection.privileges.AdminPrivileges;
+import org.librecms.contentsection.privileges.AssetPrivileges;
+import org.librecms.contentsection.privileges.ItemPrivileges;
 
 import org.librecms.lifecycle.LifecycleDefinition;
 
 import java.util.Optional;
 
-import static org.librecms.CmsConstants.*;
 import static org.librecms.contentsection.ContentSection.*;
 
 /**
@@ -140,48 +142,69 @@ public class ContentSectionManager {
                                 ALERT_RECIPIENT);
         addRoleToContentSection(section,
                                 AUTHOR,
-                                PRIVILEGE_ITEMS_CATEGORIZE,
+                                ItemPrivileges.CATEGORIZE,
-                                PRIVILEGE_ITEMS_CREATE_NEW,
+                                ItemPrivileges.CREATE_NEW,
-                                PRIVILEGE_ITEMS_EDIT,
+                                ItemPrivileges.EDIT,
-                                PRIVILEGE_ITEMS_VIEW_PUBLISHED,
+                                ItemPrivileges.VIEW_PUBLISHED,
-                                PRIVILEGE_ITEMS_PREVIEW);
+                                ItemPrivileges.PREVIEW,
+                                AssetPrivileges.USE,
+                                AssetPrivileges.CREATE_NEW,
+                                AssetPrivileges.EDIT,
+                                AssetPrivileges.VIEW,
+                                AssetPrivileges.DELETE);
         addRoleToContentSection(section,
                                 EDITOR,
-                                PRIVILEGE_ITEMS_CATEGORIZE,
+                                ItemPrivileges.CATEGORIZE,
-                                PRIVILEGE_ITEMS_CREATE_NEW,
+                                ItemPrivileges.CREATE_NEW,
-                                PRIVILEGE_ITEMS_EDIT,
+                                ItemPrivileges.EDIT,
-                                PRIVILEGE_ITEMS_APPROVE,
+                                ItemPrivileges.APPROVE,
-                                PRIVILEGE_ITEMS_DELETE,
+                                ItemPrivileges.DELETE,
-                                PRIVILEGE_ITEMS_VIEW_PUBLISHED,
+                                ItemPrivileges.VIEW_PUBLISHED,
-                                PRIVILEGE_ITEMS_PREVIEW);
+                                ItemPrivileges.PREVIEW,
+                                AssetPrivileges.USE,
+                                AssetPrivileges.CREATE_NEW,
+                                AssetPrivileges.EDIT,
+                                AssetPrivileges.VIEW,
+                                AssetPrivileges.DELETE);
         addRoleToContentSection(section,
                                 MANAGER,
-                                PRIVILEGE_ADMINISTER_ROLES,
+                                AdminPrivileges.ADMINISTER_ROLES,
-                                PRIVILEGE_ADMINISTER_WORKFLOW,
+                                AdminPrivileges.ADMINISTER_WORKFLOW,
-                                PRIVILEGE_ADMINISTER_LIFECYLES,
+                                AdminPrivileges.ADMINISTER_LIFECYLES,
-                                PRIVILEGE_ADMINISTER_CATEGORIES,
+                                AdminPrivileges.ADMINISTER_CATEGORIES,
-                                PRIVILEGE_ADMINISTER_CONTENT_TYPES,
+                                AdminPrivileges.ADMINISTER_CONTENT_TYPES,
-                                PRIVILEGE_ITEMS_CATEGORIZE,
+                                ItemPrivileges.CATEGORIZE,
-                                PRIVILEGE_ITEMS_CREATE_NEW,
+                                ItemPrivileges.CREATE_NEW,
-                                PRIVILEGE_ITEMS_EDIT,
+                                ItemPrivileges.EDIT,
-                                PRIVILEGE_ITEMS_APPROVE,
+                                ItemPrivileges.APPROVE,
-                                PRIVILEGE_ITEMS_PUBLISH,
+                                ItemPrivileges.PUBLISH,
-                                PRIVILEGE_ITEMS_DELETE,
+                                ItemPrivileges.DELETE,
-                                PRIVILEGE_ITEMS_VIEW_PUBLISHED,
+                                ItemPrivileges.VIEW_PUBLISHED,
-                                PRIVILEGE_ITEMS_PREVIEW);
+                                ItemPrivileges.PREVIEW,
+                                AssetPrivileges.USE,
+                                AssetPrivileges.CREATE_NEW,
+                                AssetPrivileges.EDIT,
+                                AssetPrivileges.VIEW,
+                                AssetPrivileges.DELETE);
         addRoleToContentSection(section,
                                 PUBLISHER,
-                                PRIVILEGE_ITEMS_CATEGORIZE,
+                                ItemPrivileges.CATEGORIZE,
-                                PRIVILEGE_ITEMS_CREATE_NEW,
+                                ItemPrivileges.CREATE_NEW,
-                                PRIVILEGE_ITEMS_EDIT,
+                                ItemPrivileges.EDIT,
-                                PRIVILEGE_ITEMS_APPROVE,
+                                ItemPrivileges.APPROVE,
-                                PRIVILEGE_ITEMS_PUBLISH,
+                                ItemPrivileges.PUBLISH,
-                                PRIVILEGE_ITEMS_DELETE,
+                                ItemPrivileges.DELETE,
-                                PRIVILEGE_ITEMS_VIEW_PUBLISHED,
+                                ItemPrivileges.VIEW_PUBLISHED,
-                                PRIVILEGE_ITEMS_PREVIEW);
+                                ItemPrivileges.PREVIEW,
+                                AssetPrivileges.USE,
+                                AssetPrivileges.CREATE_NEW,
+                                AssetPrivileges.EDIT,
+                                AssetPrivileges.VIEW,
+                                AssetPrivileges.DELETE);
         addRoleToContentSection(section,
                                 CONTENT_READER,
-                                PRIVILEGE_ITEMS_VIEW_PUBLISHED);
+                                ItemPrivileges.VIEW_PUBLISHED,
+                                AssetPrivileges.VIEW);
 
         return section;
     }
@@ -224,8 +247,8 @@ public class ContentSectionManager {
     /**
      * Adds new role to a content section. the new role will not have any
      * members, they have to be added separatly. This operation requires
-     * {@link CmsConstants#PRIVILEGE_ADMINISTER_ROLES} for the provided content
+     * {@link CmsConstants#AdminPrivileges.ADMINISTER_ROLES} for the provided
-     * section.
+     * content section.
      *
      * @param section    The {@link ContentSection} to which the role is added.
      * @param roleName   The name of the new role.
@@ -234,7 +257,7 @@ public class ContentSectionManager {
     @AuthorizationRequired
     @Transactional(Transactional.TxType.REQUIRED)
     public void addRoleToContentSection(
-        @RequiresPrivilege(PRIVILEGE_ADMINISTER_ROLES)
+        @RequiresPrivilege(AdminPrivileges.ADMINISTER_ROLES)
         final ContentSection section,
         final String roleName,
         final String... privileges) {
@@ -252,9 +275,9 @@ public class ContentSectionManager {
         role.setName(String.join("_", section.getLabel(), roleName));
         roleRepo.save(role);
 
-        final Category rootFolder = section.getRootDocumentsFolder();
+//        final Category rootFolder = section.getRootDocumentsFolder();
         for (String privilege : privileges) {
-            permissionManager.grantPrivilege(privilege, role, rootFolder);
+            permissionManager.grantPrivilege(privilege, role, section);
         }
 
         addRoleToContentSection(role, section);
@@ -263,8 +286,8 @@ public class ContentSectionManager {
     /**
      * Associates an existing role to with a content section. This will not
      * grant any permissions for the content section to the role. This operation
-     * requires {@link CmsConstants#PRIVILEGE_ADMINISTER_ROLES} for the provided
+     * requires {@link CmsConstants#AdminPrivileges.ADMINISTER_ROLES} for the
-     * content section.
+     * provided content section.
      *
      * @param role    The role to add.
      * @param section The section the role is associated with.
@@ -273,7 +296,7 @@ public class ContentSectionManager {
     @Transactional(Transactional.TxType.REQUIRED)
     public void addRoleToContentSection(
         final Role role,
-        @RequiresPrivilege(PRIVILEGE_ADMINISTER_ROLES)
+        @RequiresPrivilege(AdminPrivileges.ADMINISTER_ROLES)
         final ContentSection section) {
 
         if (section == null) {
@@ -295,8 +318,8 @@ public class ContentSectionManager {
      * role which are associated with the content section. The role itself is
      * <strong>not</strong> deleted because the role is maybe is used in other
      * places. This operation requires
-     * {@link CmsConstants#PRIVILEGE_ADMINISTER_ROLES} for the provided content
+     * {@link CmsConstants#AdminPrivileges.ADMINISTER_ROLES} for the provided
-     * section.
+     * content section.
      *
      * @param contentSection The section from which the role is removed.
      * @param role           The role to remove from the content section.
@@ -304,7 +327,7 @@ public class ContentSectionManager {
     @AuthorizationRequired
     @Transactional(Transactional.TxType.REQUIRED)
     public void removeRoleFromContentSection(
-        @RequiresPrivilege(PRIVILEGE_ADMINISTER_ROLES)
+        @RequiresPrivilege(AdminPrivileges.ADMINISTER_ROLES)
         final ContentSection contentSection,
         final Role role) {
 
@@ -334,8 +357,8 @@ public class ContentSectionManager {
 
     /**
      * Adds a lifecycle definition to a content section. This operation requires
-     * {@link CmsConstants#PRIVILEGE_ADMINISTER_LIFECYLES} for the provided
+     * {@link CmsConstants#AdminPrivileges.ADMINISTER_LIFECYLES} for the
-     * content section.
+     * provided content section.
      *
      * @param definition The lifecycle definition to add.
      * @param section    The section to which the definition is added.
@@ -344,7 +367,7 @@ public class ContentSectionManager {
     @Transactional(Transactional.TxType.REQUIRED)
     public void addLifecycleDefinitionToContentSection(
         final LifecycleDefinition definition,
-        @RequiresPrivilege(PRIVILEGE_ADMINISTER_LIFECYLES)
+        @RequiresPrivilege(AdminPrivileges.ADMINISTER_LIFECYLES)
         final ContentSection section) {
 
         section.addLifecycleDefinition(definition);
@@ -353,8 +376,8 @@ public class ContentSectionManager {
 
     /**
      * Removes a lifecycle definition from a content section. This operation
-     * requires {@link CmsConstants#PRIVILEGE_ADMINISTER_LIFECYLES} for the
+     * requires {@link CmsConstants#AdminPrivileges.ADMINISTER_LIFECYLES} for
-     * provided content section.
+     * the provided content section.
      *
      * @param definition The definition to remove.
      * @param section    The section from which the definition is removed.
@@ -363,7 +386,7 @@ public class ContentSectionManager {
     @Transactional(Transactional.TxType.REQUIRED)
     public void removeLifecycleDefinitionFromContentSection(
         final LifecycleDefinition definition,
-        @RequiresPrivilege(PRIVILEGE_ADMINISTER_LIFECYLES)
+        @RequiresPrivilege(AdminPrivileges.ADMINISTER_LIFECYLES)
         final ContentSection section) {
 
         section.removeLifecycleDefinition(definition);
@@ -372,7 +395,7 @@ public class ContentSectionManager {
 
     /**
      * Adds a workflow template to a content section. This operation requires
-     * {@link CmsConstants#PRIVILEGE_ADMINISTER_WORKFLOW} for the provided
+     * {@link CmsConstants#AdminPrivileges.ADMINISTER_WORKFLOW} for the provided
      * content section.
      *
      * @param template The template to add.
@@ -382,7 +405,7 @@ public class ContentSectionManager {
     @Transactional(Transactional.TxType.REQUIRED)
     public void addWorkflowTemplateToContentSection(
         final WorkflowTemplate template,
-        @RequiresPrivilege(PRIVILEGE_ADMINISTER_WORKFLOW)
+        @RequiresPrivilege(AdminPrivileges.ADMINISTER_WORKFLOW)
         final ContentSection section) {
 
         section.addWorkflowTemplate(template);
@@ -391,7 +414,7 @@ public class ContentSectionManager {
 
     /**
      * Removes a workflow template from a content section. This operation
-     * requires {@link CmsConstants#PRIVILEGE_ADMINISTER_WORKFLOW} for the
+     * requires {@link CmsConstants#AdminPrivileges.ADMINISTER_WORKFLOW} for the
      * provided content section.
      *
      * @param template The template to remove.
@@ -401,7 +424,7 @@ public class ContentSectionManager {
     @Transactional(Transactional.TxType.REQUIRED)
     public void removeWorkflowTemplateFromContentSection(
         final WorkflowTemplate template,
-        @RequiresPrivilege(PRIVILEGE_ADMINISTER_WORKFLOW)
+        @RequiresPrivilege(AdminPrivileges.ADMINISTER_WORKFLOW)
         final ContentSection section) {
 
         section.removeWorkflowTemplate(template);
@@ -433,8 +456,8 @@ public class ContentSectionManager {
     /**
      * Adds a new {@link ContentType} to a content section, making items of that
      * type available in the content section. This operation requires
-     * {@link CmsConstants#PRIVILEGE_ADMINISTER_CONTENT_TYPES} for the provided
+     * {@link CmsConstants#AdminPrivileges.ADMINISTER_CONTENT_TYPES} for the
-     * content section.
+     * provided content section.
      *
      * @param type             The type to add (a subclass of
      *                         {@link ContentItem}.
@@ -456,7 +479,7 @@ public class ContentSectionManager {
     @Transactional(Transactional.TxType.REQUIRED)
     public ContentType addContentTypeToSection(
         final Class<? extends ContentItem> type,
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ADMINISTER_CONTENT_TYPES)
+        @RequiresPrivilege(AdminPrivileges.ADMINISTER_CONTENT_TYPES)
         final ContentSection section,
         final LifecycleDefinition defaultLifecycle,
         final WorkflowTemplate defaultWorkflow) {
@@ -557,8 +580,8 @@ public class ContentSectionManager {
     /**
      * Removes an <em>unused</em> {@link ContentType} from a
      * {@link ContentSection}. This operation requires
-     * {@link CmsConstants#PRIVILEGE_ADMINISTER_CONTENT_TYPES} for the provided
+     * {@link CmsConstants#AdminPrivileges.ADMINISTER_CONTENT_TYPES} for the
-     * content section.
+     * provided content section.
      *
      * @param type    The type to remove from the section.
      * @param section The section from which the type is removed.
@@ -573,7 +596,7 @@ public class ContentSectionManager {
     @Transactional(Transactional.TxType.REQUIRED)
     public void removeContentTypeFromSection(
         final Class<? extends ContentItem> type,
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ADMINISTER_CONTENT_TYPES)
+        @RequiresPrivilege(AdminPrivileges.ADMINISTER_CONTENT_TYPES)
         final ContentSection section) {
 
         if (type == null) {

ccm-cms/src/main/java/org/librecms/contentsection/ContentSectionSetup.java

@@ -30,6 +30,9 @@ import java.util.UUID;
 
 import static org.librecms.CmsConstants.*;
 import static org.librecms.contentsection.ContentSection.*;
+import org.librecms.contentsection.privileges.AdminPrivileges;
+import org.librecms.contentsection.privileges.AssetPrivileges;
+import org.librecms.contentsection.privileges.ItemPrivileges;
 
 /**
  *
@@ -123,52 +126,91 @@ public class ContentSectionSetup extends AbstractCcmApplicationSetup {
 
         grantPermissions(author,
                          rootFolder,
-                         PRIVILEGE_ITEMS_CATEGORIZE,
+                         ItemPrivileges.CATEGORIZE,
-                         PRIVILEGE_ITEMS_CREATE_NEW,
+                         ItemPrivileges.CREATE_NEW,
-                         PRIVILEGE_ITEMS_EDIT,
+                         ItemPrivileges.EDIT,
-                         PRIVILEGE_ITEMS_VIEW_PUBLISHED,
+                         ItemPrivileges.VIEW_PUBLISHED,
-                         PRIVILEGE_ITEMS_PREVIEW);
+                         ItemPrivileges.PREVIEW);
+        
+        grantPermissions(author, 
+                         rootAssetFolder,
+                         AssetPrivileges.USE,
+                         AssetPrivileges.CREATE_NEW,
+                         AssetPrivileges.EDIT,
+                         AssetPrivileges.VIEW,
+                         AssetPrivileges.DELETE);
 
         grantPermissions(editor,
                          rootFolder,
-                         PRIVILEGE_ITEMS_CATEGORIZE,
+                         ItemPrivileges.CATEGORIZE,
-                         PRIVILEGE_ITEMS_CREATE_NEW,
+                         ItemPrivileges.CREATE_NEW,
-                         PRIVILEGE_ITEMS_EDIT,
+                         ItemPrivileges.EDIT,
-                         PRIVILEGE_ITEMS_APPROVE,
+                         ItemPrivileges.APPROVE,
-                         PRIVILEGE_ITEMS_DELETE,
+                         ItemPrivileges.DELETE,
-                         PRIVILEGE_ITEMS_VIEW_PUBLISHED,
+                         ItemPrivileges.VIEW_PUBLISHED,
-                         PRIVILEGE_ITEMS_PREVIEW);
+                         ItemPrivileges.PREVIEW);
+        
+        grantPermissions(editor, 
+                         rootAssetFolder,
+                         AssetPrivileges.USE,
+                         AssetPrivileges.CREATE_NEW,
+                         AssetPrivileges.EDIT,
+                         AssetPrivileges.VIEW,
+                         AssetPrivileges.DELETE);
+
+        grantPermissions(manager,
+                         section,
+                         AdminPrivileges.ADMINISTER_ROLES,
+                         AdminPrivileges.ADMINISTER_WORKFLOW,
+                         AdminPrivileges.ADMINISTER_LIFECYLES,
+                         AdminPrivileges.ADMINISTER_CATEGORIES,
+                         AdminPrivileges.ADMINISTER_CONTENT_TYPES);
         
         grantPermissions(manager,
                          rootFolder,
-                         PRIVILEGE_ADMINISTER_ROLES,
+                         ItemPrivileges.CATEGORIZE,
-                         PRIVILEGE_ADMINISTER_WORKFLOW,
+                         ItemPrivileges.CREATE_NEW,
-                         PRIVILEGE_ADMINISTER_LIFECYLES,
+                         ItemPrivileges.EDIT,
-                         PRIVILEGE_ADMINISTER_CATEGORIES,
+                         ItemPrivileges.APPROVE,
-                         PRIVILEGE_ADMINISTER_CONTENT_TYPES,
+                         ItemPrivileges.PUBLISH,
-                         PRIVILEGE_ITEMS_CATEGORIZE,
+                         ItemPrivileges.DELETE,
-                         PRIVILEGE_ITEMS_CREATE_NEW,
+                         ItemPrivileges.VIEW_PUBLISHED,
-                         PRIVILEGE_ITEMS_EDIT,
+                         ItemPrivileges.PREVIEW);
-                         PRIVILEGE_ITEMS_APPROVE,
+        
-                         PRIVILEGE_ITEMS_PUBLISH,
+        grantPermissions(manager, 
-                         PRIVILEGE_ITEMS_DELETE,
+                         rootAssetFolder,
-                         PRIVILEGE_ITEMS_VIEW_PUBLISHED,
+                         AssetPrivileges.USE,
-                         PRIVILEGE_ITEMS_PREVIEW);
+                         AssetPrivileges.CREATE_NEW,
+                         AssetPrivileges.EDIT,
+                         AssetPrivileges.VIEW,
+                         AssetPrivileges.DELETE);
 
         grantPermissions(publisher,
                          rootFolder,
-                         PRIVILEGE_ITEMS_CATEGORIZE,
+                         ItemPrivileges.CATEGORIZE,
-                         PRIVILEGE_ITEMS_CREATE_NEW,
+                         ItemPrivileges.CREATE_NEW,
-                         PRIVILEGE_ITEMS_EDIT,
+                         ItemPrivileges.EDIT,
-                         PRIVILEGE_ITEMS_APPROVE,
+                         ItemPrivileges.APPROVE,
-                         PRIVILEGE_ITEMS_PUBLISH,
+                         ItemPrivileges.PUBLISH,
-                         PRIVILEGE_ITEMS_DELETE,
+                         ItemPrivileges.DELETE,
-                         PRIVILEGE_ITEMS_VIEW_PUBLISHED,
+                         ItemPrivileges.VIEW_PUBLISHED,
-                         PRIVILEGE_ITEMS_PREVIEW);
+                         ItemPrivileges.PREVIEW);
+        
+        grantPermissions(publisher, 
+                         rootAssetFolder,
+                         AssetPrivileges.USE,
+                         AssetPrivileges.CREATE_NEW,
+                         AssetPrivileges.EDIT,
+                         AssetPrivileges.VIEW,
+                         AssetPrivileges.DELETE);
 
         grantPermissions(contentReader,
                          rootFolder,
-                         PRIVILEGE_ITEMS_VIEW_PUBLISHED);
+                         ItemPrivileges.VIEW_PUBLISHED);
+        
+        grantPermissions(contentReader,
+                         rootAssetFolder,
+                         AssetPrivileges.VIEW);
 
         getEntityManager().persist(alertRecipient);
         getEntityManager().persist(author);

ccm-cms/src/main/java/org/librecms/contentsection/ContentTypeRepository.java

@@ -22,6 +22,7 @@ import org.libreccm.core.AbstractEntityRepository;
 import org.libreccm.security.AuthorizationRequired;
 import org.libreccm.security.RequiresPrivilege;
 import org.librecms.CmsConstants;
+import org.librecms.contentsection.privileges.AdminPrivileges;
 
 import java.util.List;
 import java.util.Optional;
@@ -180,7 +181,7 @@ public class ContentTypeRepository
     @Transactional(Transactional.TxType.REQUIRED)
     @Override
     public void save(
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ADMINISTER_CONTENT_TYPES)
+        @RequiresPrivilege(AdminPrivileges.ADMINISTER_CONTENT_TYPES)
         final ContentType type) {
 
         super.save(type);
@@ -190,7 +191,7 @@ public class ContentTypeRepository
     @Transactional(Transactional.TxType.REQUIRED)
     @Override
     public void delete(
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ADMINISTER_CONTENT_TYPES)
+        @RequiresPrivilege(AdminPrivileges.ADMINISTER_CONTENT_TYPES)
         final ContentType type) {
         
         if (isContentTypeInUse(type)) {

ccm-cms/src/main/java/org/librecms/contentsection/FolderRepository.java

@@ -24,7 +24,7 @@ import org.libreccm.categorization.Category;
 import org.libreccm.core.AbstractEntityRepository;
 import org.libreccm.security.AuthorizationRequired;
 import org.libreccm.security.RequiresPrivilege;
-import org.librecms.CmsConstants;
+import org.librecms.contentsection.privileges.ItemPrivileges;
 
 import java.util.List;
 import java.util.Optional;
@@ -186,7 +186,7 @@ public class FolderRepository extends AbstractEntityRepository<Long, Folder> {
     @Transactional(Transactional.TxType.REQUIRED)
     @Override
     public void save(
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_CREATE_NEW)
+        @RequiresPrivilege(ItemPrivileges.CREATE_NEW)
         final Folder folder) {
         
         super.save(folder);
@@ -196,7 +196,7 @@ public class FolderRepository extends AbstractEntityRepository<Long, Folder> {
     @Transactional(Transactional.TxType.REQUIRED)
     @Override
     public void delete(
-        @RequiresPrivilege(CmsConstants.PRIVILEGE_ITEMS_CREATE_NEW)
+        @RequiresPrivilege(ItemPrivileges.CREATE_NEW)
         final Folder folder) {
         
         super.delete(folder);

ccm-cms/src/main/java/org/librecms/contentsection/privileges/AdminPrivileges.java

@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2016 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.librecms.contentsection.privileges;
+
+import org.libreccm.categorization.Category;
+import org.libreccm.categorization.Domain;
+import org.libreccm.web.CcmApplication;
+import org.libreccm.workflow.WorkflowTemplate;
+import org.librecms.contentsection.ContentSection;
+import org.librecms.lifecycle.Lifecycle;
+import org.librecms.lifecycle.LifecycleDefinition;
+
+/**
+ * Constants for privileges allowing administrative actions on a content
+ * section. The privileges defined in this can only be used for
+ * {@link ContentSection}s.
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+public final class AdminPrivileges {
+
+    /**
+     * Allows the manipulation of the categories (see {@link Category} of the
+     * {@link Domain}s assigned to the {@link ContentSection}.
+     *
+     * @see CcmApplication#domains
+     */
+    public static final String ADMINISTER_CATEGORIES = "administer_categories";
+    /**
+     * Allows editing, adding and removing the {@link ContentType} of a
+     * {@link ContentSection}.
+     *
+     * @see ContentSection#contentTypes
+     */
+    public static final String ADMINISTER_CONTENT_TYPES
+                                   = "administer_content_types";
+    /**
+     * Allows adding, editing and removing {@link LifecycleDefinition}s of a
+     * {@link ContentSection}.
+     *
+     * @see ContentSection#lifecycleDefinitions
+     */
+    public static final String ADMINISTER_LIFECYLES = "administer_lifecyles";
+    /**
+     * Allows manipulation of the {@link Role}s assigned to a
+     * {@link ContentSection}.
+     *
+     * @see ContentSection#roles
+     */
+    public static final String ADMINISTER_ROLES = "administer_roles";
+    /**
+     * Allows manipulation of the {@link WorkflowTemplate}s assigned to a
+     * {@link ContentSection}.
+     * 
+     * @see ContentSection#workflowTemplates
+     */
+    public static final String ADMINISTER_WORKFLOW = "administer_workflow";
+
+    private AdminPrivileges() {
+        //Nothing
+    }
+
+}

ccm-cms/src/main/java/org/librecms/contentsection/privileges/AssetPrivileges.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2016 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.librecms.contentsection.privileges;
+
+/**
+ * Constants for privileges allowing actions on the assets of a content section.
+ * All privileges defined in this class can either be assigned for the complete 
+ * {@link ContentSection} or for a specific assets {@link Folder}.
+ * 
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+public final class AssetPrivileges {
+    
+    /**
+     * Allows the creation of new shared {@link Asset}s.
+     */
+    public static final String CREATE_NEW = "create_new_assets";
+    /**
+     * Allows the removal of unused shared {@link Asset}s.
+     */
+    public static final String DELETE = "delete_assets";
+    /**
+     * Allows the usage of assets (associating them with a content item).
+     */
+    public static final String USE = "use_asset";
+    /**
+     * Allows editing of existing assets.
+     */
+    public static final String EDIT = "edit_asset";
+    /**
+     * Allows the user to view assets.
+     */
+    public static final String VIEW = "view_asset";
+    
+    private AssetPrivileges() {
+        //Nothing
+    }
+    
+}

ccm-cms/src/main/java/org/librecms/contentsection/privileges/ItemPrivileges.java

@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2016 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.librecms.contentsection.privileges;
+
+import org.librecms.contentsection.ContentItem;
+
+/**
+ * Constants for privileges allowing actions on the items of a content section.
+ * All privileges defined in this class can either be assigned for the complete 
+ * {@link ContentSection} or for a specific documents/items {@link Folder}.
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+public final class ItemPrivileges {
+
+    /**
+     * Allows the user to approve {@link ContentItem}s.
+     */
+    public static final String APPROVE = "approve_items";
+    /**
+     * Allows the user to publish, republish and unpublish {@link ContentItem}.
+     */
+    public static final String PUBLISH = "publish_items";
+    /**
+     * Allows the user to categorise {@link ContentItem}s.
+     */
+    public static final String CATEGORIZE = "categorize_items";
+    /**
+     * Allows the user to create new {@link ContentItem}s.
+     */
+    public static final String CREATE_NEW = "create_new_items";
+    /**
+     * Allows the user to delete {@link ContentItem}s.
+     */
+    public static final String DELETE = "delete_items";
+    /**
+     * Allows the user to edit existing {@link ContentItem}s.
+     */
+    public static final String EDIT = "edit_items";
+    /**
+     * Allows to user to view the draft version of {@link ContentItem}.
+     */
+    public static final String PREVIEW = "preview_items";
+    /**
+     * Allows the user to view the live version of {@link ContentItems}.
+     */
+    public static final String VIEW_PUBLISHED = "view_published_items";
+    /**
+     * Allows the user to apply another {@link Workflow} than the default one to
+     * an {@link ContentItem}.
+     */
+    public static final String APPLY_ALTERNATE_WORKFLOW
+                                   = "apply_alternate_workflow";
+
+    private ItemPrivileges() {
+        //Nothing
+    }
+
+}

ccm-cms/src/main/java/org/librecms/lifecycle/LifecycleManager.java

@@ -23,6 +23,7 @@ import org.apache.logging.log4j.Logger;
 import org.libreccm.security.AuthorizationRequired;
 import org.libreccm.security.RequiresPrivilege;
 import org.librecms.CmsConstants;
+import org.librecms.contentsection.privileges.AdminPrivileges;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -59,7 +60,7 @@ public class LifecycleManager {
 
     @Transactional(Transactional.TxType.REQUIRED)
     @AuthorizationRequired
-    @RequiresPrivilege(CmsConstants.PRIVILEGE_ADMINISTER_LIFECYLES)
+    @RequiresPrivilege(AdminPrivileges.ADMINISTER_LIFECYLES)
     public void addPhaseDefinition(
         final LifecycleDefinition lifecycleDefinition,
         final PhaseDefinition phaseDefinition) {
@@ -72,7 +73,7 @@ public class LifecycleManager {
 
     @Transactional(Transactional.TxType.REQUIRED)
     @AuthorizationRequired
-    @RequiresPrivilege(CmsConstants.PRIVILEGE_ADMINISTER_LIFECYLES)
+    @RequiresPrivilege(AdminPrivileges.ADMINISTER_LIFECYLES)
     public void removePhaseDefinition(
         final LifecycleDefinition lifecycleDefinition,
         final PhaseDefinition phaseDefinition) {
@@ -85,7 +86,7 @@ public class LifecycleManager {
 
     @Transactional(Transactional.TxType.REQUIRED)
     @AuthorizationRequired
-    @RequiresPrivilege(CmsConstants.PRIVILEGE_ADMINISTER_LIFECYLES)
+    @RequiresPrivilege(AdminPrivileges.ADMINISTER_LIFECYLES)
     public Lifecycle createLifecycle(
         final LifecycleDefinition lifecycleDefinition) {
 
@@ -113,7 +114,7 @@ public class LifecycleManager {
 
     @Transactional(Transactional.TxType.REQUIRED)
     @AuthorizationRequired
-    @RequiresPrivilege(CmsConstants.PRIVILEGE_ADMINISTER_LIFECYLES)
+    @RequiresPrivilege(AdminPrivileges.ADMINISTER_LIFECYLES)
     public void startLifecycle(final Lifecycle lifecycle) {
         if (!lifecycle.isStarted()) {
             if (lifecycle.isFinished()) {
@@ -147,7 +148,7 @@ public class LifecycleManager {
 
     @Transactional(Transactional.TxType.REQUIRED)
     @AuthorizationRequired
-    @RequiresPrivilege(CmsConstants.PRIVILEGE_ADMINISTER_LIFECYLES)
+    @RequiresPrivilege(AdminPrivileges.ADMINISTER_LIFECYLES)
     public void nextPhase(final Lifecycle lifecycle) {
         if (lifecycle.isStarted()) {
             int current = -1;
@@ -182,7 +183,7 @@ public class LifecycleManager {
 
     @Transactional(Transactional.TxType.REQUIRED)
     @AuthorizationRequired
-    @RequiresPrivilege(CmsConstants.PRIVILEGE_ADMINISTER_LIFECYLES)
+    @RequiresPrivilege(AdminPrivileges.ADMINISTER_LIFECYLES)
     public void reset(final Lifecycle lifecycle) {
         lifecycle.setStarted(false);
         lifecycle.setFinished(false);

ccm-cms/src/test/java/org/librecms/contentsection/ContentSectionManagerTest.java

@@ -58,6 +58,7 @@ import static org.libreccm.testutils.DependenciesHelpers.*;
 import org.jboss.arquillian.container.test.api.ShouldThrowException;
 import org.libreccm.workflow.WorkflowTemplate;
 import org.libreccm.workflow.WorkflowTemplateRepository;
+import org.librecms.contentsection.privileges.ItemPrivileges;
 import org.librecms.contenttypes.Article;
 import org.librecms.contenttypes.Event;
 import org.librecms.contenttypes.News;
@@ -279,9 +280,9 @@ public class ContentSectionManagerTest {
 
         manager.addRoleToContentSection(section,
                                         "reviewer",
-                                        PRIVILEGE_ITEMS_VIEW_PUBLISHED,
+                                        ItemPrivileges.VIEW_PUBLISHED,
-                                        PRIVILEGE_ITEMS_PREVIEW,
+                                        ItemPrivileges.PREVIEW,
-                                        PRIVILEGE_ITEMS_APPROVE);
+                                        ItemPrivileges.APPROVE);
     }
 
     /**
@@ -301,9 +302,9 @@ public class ContentSectionManagerTest {
     public void addRoleSectionIsNull() {
         manager.addRoleToContentSection(null,
                                         "reviewer",
-                                        PRIVILEGE_ITEMS_VIEW_PUBLISHED,
+                                        ItemPrivileges.VIEW_PUBLISHED,
-                                        PRIVILEGE_ITEMS_PREVIEW,
+                                        ItemPrivileges.PREVIEW,
-                                        PRIVILEGE_ITEMS_APPROVE);
+                                        ItemPrivileges.APPROVE);
     }
 
     /**
@@ -325,9 +326,9 @@ public class ContentSectionManagerTest {
 
         manager.addRoleToContentSection(section,
                                         null,
-                                        PRIVILEGE_ITEMS_VIEW_PUBLISHED,
+                                        ItemPrivileges.VIEW_PUBLISHED,
-                                        PRIVILEGE_ITEMS_PREVIEW,
+                                        ItemPrivileges.PREVIEW,
-                                        PRIVILEGE_ITEMS_APPROVE);
+                                        ItemPrivileges.APPROVE);
     }
 
     /**
@@ -349,9 +350,9 @@ public class ContentSectionManagerTest {
 
         manager.addRoleToContentSection(section,
                                         " ",
-                                        PRIVILEGE_ITEMS_VIEW_PUBLISHED,
+                                        ItemPrivileges.VIEW_PUBLISHED,
-                                        PRIVILEGE_ITEMS_PREVIEW,
+                                        ItemPrivileges.PREVIEW,
-                                        PRIVILEGE_ITEMS_APPROVE);
+                                        ItemPrivileges.APPROVE);
     }
 
     /**