August 9, 2016

Create User and assign Groups to the user using non-admin user.


Hi All,

Is there any way that non-admin groups (groups/users that don't belong to the "administrator" group) can create users and assign/remove groups for those users?

We have created a few non-admin groups with users who have all the permissions in the repository but don't belong to the "administrator" group. The group/user also has the jcr:all permission on the /home/groups and /home/users nodes. We logged in as a non-admin user and tried to assign some groups to the user in the User Admin console, but we are getting a 403 Forbidden exception.

Please find the error stack below:

*ERROR* [0:0:0:0:0:0:0:1 [1470747656075] POST /home/groups/project/c5VRoi06-7UKF3dOMUJU.rw.userprops.html HTTP/1.1] com.adobe.granite.security.user.internal.servlets.AuthorizableServlet Error while processing AuthorizableServlet POST
javax.jcr.AccessDeniedException: OakAccess0000: Access denied

    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:670)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:496)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.performVoid(SessionImpl.java:419)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:274)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl.save(SessionImpl.java:416)
    at sun.reflect.GeneratedMethodAccessor44.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.sling.jcr.base.SessionProxyHandler$SessionProxyInvocationHandler.invoke(SessionProxyHandler.java:116)
    at com.sun.proxy.$Proxy7.save(Unknown Source)
    at com.adobe.granite.security.user.internal.servlets.AuthorizableServlet.doPost(AuthorizableServlet.java:728)
    at org.apache.sling.api.servlets.SlingAllMethodsServlet.mayService(SlingAllMethodsServlet.java:149)

 

Any help would be appreciated.

Thanks


2 replies

Ratna_Kumar
Level 10
August 9, 2016

Hi,

You need to have admin privileges for creating any user or assigning groups to users.

Check this documentation for more info: https://docs.adobe.com/docs/en/aem/6-2/administer/security/security.html

Thanks,
Ratna Kumar.

kautuk_sahni
Community Manager
August 10, 2016

Adding to Ratna's answer,

Best Practice:-

Avoid assigning access rights on a user-by-user basis. There are several reasons for this:

  • You have many more users than groups, so groups simplify the structure.
  • Groups help provide an overview over all accounts.
  • Inheritance is simpler with groups.
  • Users come and go. Groups are long-term.

So always assign a Group to a User.

       
administrators (Group)

Group that gives administrator rights to all its members. Only admin is allowed to edit this group.

Has full access rights.

If you set a 'deny-everyone' on a node, the administrators will only have access if it is enabled again for that group.

Reference Link:- https://docs.adobe.com/docs/en/aem/6-2/administer/security/security.html

Reference Link 2:- https://docs.adobe.com/docs/en/aem/6-2/administer/security/user-group-ac-admin.html

 

~kautuk

Kautuk Sahni