Access control inheritance issue

Question

Hi,I am putting my acls in format allow;jcr:all;product;/content in Day CQ Acl Setup xml file. I need to restrict certain pages for some groups but allow most of the other pages to be editable. All these pages are within the same hierarchy. When i allow access of jcr:all to the parent then those access are being inherited by child pages irrespective of the fact that i have also defined jcr:read for child pages. I moved these permission one after another and reversed the order as well but nothing seems to affect at all. I was using useradmin screen to view my changes and using 5.6.1 AEM instance.There has been an observation where if you provide more access to a group and then remove access then you have to manually change the user permissions from the user admin screen. I downgraded the permission but that did not affect at all as well.I looked at the documentation at link but seems a bit unclear on the inheritance front.When you set allow or deny permission on a given node then 3 scenarios are possible:if the same ACE (Access Control Entry) is being inherited from a parent node and no matching ACE already exists on the node then nothing will be done.if the same ACE is being inherited from a parent node and a matching ACE is already defined on that path then it will be removed.if the same ACE is not being inherited from a parent node then the ACE will be created for that node.Any help will be appreciated.

aanchal-sikka · Accepted Answer

There are multiple options to provide change accesses in a hierarchy.

1. Implementing rep:glob: Often used in a multi-tenant set up, it allows you to allow/deny permission based on Glob Patterns (Regex).

Details available here: http://www.aemcq5tutorials.com/tutorials/aem-permissioning/

This is used in the cases where permission set-up is not dynamic. Its the devs who set-up permissions and not controlled by authors

2. Implementing Closed-user-groups:

This is meant for a dynamic set-up and secured content, where authors can define that which user-groups whould have access to the content.

https://www.youtube.com/watch?v=rIcyN8f0GqI&ab_channel=TechForum

https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/cug.html?lang=en

Regarding to the query around evaluation:

A detailed article is available here: https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/user-group-ac-admin.html?lang=en#resolving-request-and-access-rights

kautuk_sahni · Answer

Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded