Retrieve effective permissions in AEM 6.0 using REST services | Community
matthieu_théria
October 16, 2015
Solved


Hi,

I'm new in the world of AEM. I have installed AEM 6.0 (author and publish instances).

I'm interested to find a way to retrieve effective permissions on a specific repository node by using a REST call.

For this, I have installed the last version of the OSGi Bundle "jackrabbit.accessmanager" (v2.1.2). With this, we can do this call to get the effective permissions for a particular node in JSON format: http://localhost:4502/content/mynode.eacl.json.

However, it seems that the effective permissions are not correctly computed... it seems that the ACLs defined with restrictions are not correctly resolved. I think that it's something new in AEM 6.0 because it uses the JackRabbit Oak 1.0.0 Repository instead of a JackRabbit 2.0 Repository... and maybe restrictions are a new concept not correctly handled in the "jackrabbit.accessmanager" bundle?!?

In fact, in the default demo Geometrixx, some ACLs are defined for the "Everyone" group with restrictions (path), for example:

  • everyone - Deny jcr:read - Restrictions rep:glob-libs*/config/*
  • everyone - Deny jcr:read - Restrictions rep:glob-apps*/config/*
  • everyone - Allow jcr:read

The effective permissions for all nodes excluding nodes under the path "libs" and "apps" should be "Allow jcr:read", but the call returns for the "content" node for example:

everyone: { principal: "everyone",denied: [ jcr:read ], order: 3 }

I think that the restrictions are not correctly handled by this bundle... maybe it is outdated and not compatible with the JackRabbit Oak 1.0.0 Repository...

Is there an equivalent or something new to get effective permissions with a REST call in AEM 6.0?

Thanks for your help.

Matthieu

Best answer by joerghoh

Hi Matthieu,

Automatically migrating permissions from one security model into another one ... that sounds scary. I don't know if it works at all.

To your question: the "rep:glob" (aka "wildcard ACLs")[1] style of ACLs is nothing new in AEM 6.0, it was there also in earlier versions of CQ5 (IIRC I saw it for the first time in 5.3). And I don't know if the effective ACLs can be exposed, because normally there's no need to. The only way I can think of is to create a session with every user (!) and iterate the complete repository (!) with it. Which probably takes an incredible amount of time. You can likely optimize it by looking at the rep:* nodes and assuming that below them the permissions do not change anymore, but then don't forget the wildcard ACLs (rep:glob), which can take effect on the complete repository.

I would strongly recommend you to engage with Adobe Consulting.

kind regards,
Jörg

[1] http://wiki.apache.org/jackrabbit/AccessControl#Principal-based_ACLs
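
For the audit case discussed in this thread, an added example (not code from the thread, from Adobe, or from the jackrabbit.accessmanager bundle) that asks the repository itself which privileges each user holds on one node, so that restrictions such as rep:glob are evaluated by the repository rather than recomputed from the raw ACEs. It assumes an administrative JCR `Session` and an access control manager that implements `JackrabbitAccessControlManager`; the class name `EffectivePrivilegeAudit` and method name `privilegesAt` are hypothetical.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;

/** Hypothetical audit helper: effective privileges per user on a single node. */
public final class EffectivePrivilegeAudit {

    /** Maps each non-group principal name to the privilege names granted at absPath. */
    public static Map<String, Set<String>> privilegesAt(Session adminSession, String absPath)
            throws RepositoryException {
        // Assumption: the session comes from a Jackrabbit or Oak repository.
        PrincipalManager pm = ((JackrabbitSession) adminSession).getPrincipalManager();
        JackrabbitAccessControlManager acm =
                (JackrabbitAccessControlManager) adminSession.getAccessControlManager();

        Map<String, Set<String>> result = new TreeMap<String, Set<String>>();
        PrincipalIterator users = pm.getPrincipals(PrincipalManager.SEARCH_TYPE_NOT_GROUP);
        while (users.hasNext()) {
            Principal user = users.nextPrincipal();

            // Evaluate as the user would be evaluated at login:
            // the user principal, every group it belongs to, and "everyone".
            Set<Principal> principals = new HashSet<Principal>();
            principals.add(user);
            principals.add(pm.getEveryone());
            PrincipalIterator groups = pm.getGroupMembership(user);
            while (groups.hasNext()) {
                principals.add(groups.nextPrincipal());
            }

            // The repository resolves allow/deny entries and their restrictions.
            Set<String> granted = new TreeSet<String>();
            for (Privilege p : acm.getPrivileges(absPath, principals)) {
                granted.add(p.getName());
            }
            result.put(user.getName(), granted);
        }
        return result;
    }
}
```

The result lists granted privileges only; a privilege that is denied at the node is simply absent from the user's set.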

12 replies

Pascale_L_Heure
October 16, 2015

Hi Jörg,

I explore the possibilities to integrate the data in another application (external). I want to retrieve some specific content nodes (and its attributes), but I also need to replicate the permissions of this node. For this, I need to get the effective permissions not for a specific user but for all defined users. I will do my REST call with an administrator account for example.

Thanks,

Matthieu

joerghoh
Adobe Employee
October 16, 2015

Hi Matthieu,

Why do you need to get the effective permissions for a specific node? Whenever you access the repository using a specific user, the permissions are actually already checked before you access it. So you don't need to perform a manual check for it. So for 99,999% of all cases you don't need to get this data out of the repo (the remaining might be for audit purposes ...)

kind regards,
Jörg