Migrating 5.6.1 ACLs to 6.1 | Community
Skip to main content
trench999
trench999
Level 4
October 16, 2015
Solved

Migrating 5.6.1 ACLs to 6.1

  • October 16, 2015
  • 5 replies
  • 1183 views

We have heard from those that have migrated that ACL migration is not easy with the new security standards in AEM 6.1.   Some are reporting lost ACLs that thye have to recreate.  This is not acceptable for our migration.  We have a very large ACL and need to migrate this into the new secure standards (secured hash for paths, etc).  What is the right way to do this?  Will ACS Commons ACL Package help?

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by joerghoh

HI Mark,

you likely mean, that the node name of a principal is longer the id of the principal.

So on AEM 6.0 and older it's /home/users/a/admin, but on 6.1 it's on my box /home/users/a/apa96F-DQwDDhZsnfBDq.

If you migrate properly, there should not any problem. The only problem I see is that a lot of code assumes that it could calculate the path of the username by the principal id and some semi-static prefixes. Which is no longer possible.

kind regards,
Jörg

5 replies

J
Adobe Employee
JustinEd3Adobe Employee
Adobe Employee
October 16, 2015

Hi Mark,

As I replied to you on Twitter, I'm not sure what you mean about "hashed paths" in the context of ACLs. If you are consistently losing ACLs on package installation, be sure you are specifying the right Access Control Handling. It should probably be Override. I think the default is Ingore. You can specify this when building or installing the package.

Regards,

Justin

trench999
trench999Author
Level 4
October 16, 2015

We were just told by another institution that node names change and are no longer the user ID strings.  They are or include some hash value for added path security.  The same institution could not migration the permissions with OOTB migration steps.  I am simply asking how to best avoid this. 

joerghoh
Adobe Employee
joerghohAdobe EmployeeAccepted solution
Adobe Employee
October 16, 2015

HI Mark,

you likely mean, that the node name of a principal is longer the id of the principal.

So on AEM 6.0 and older it's /home/users/a/admin, but on 6.1 it's on my box /home/users/a/apa96F-DQwDDhZsnfBDq.

If you migrate properly, there should not any problem. The only problem I see is that a lot of code assumes that it could calculate the path of the username by the principal id and some semi-static prefixes. Which is no longer possible.

kind regards,
Jörg

trench999
trench999Author
Level 4
October 16, 2015

Thanks.  I was hoping this was a case of a proprietary issue with that organization.  

J
Adobe Employee
JustinEd3Adobe Employee
Adobe Employee
October 16, 2015

Keep in mind that the change Joerg is describing has absolutely nothing to do with ACLs. This is only for users and groups node names/path. The link between an ACL and a user/group was always done through the principal name.

Any code which assumed that the path to a user or group was derivable from the username was buggy and likely to fail on any CQ/AEM version. The only change now is that this code will always fail. Which IMHO is actually much better smiley

Terms & ConditionsAccessibility statement

Loading footer...