<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Enhancements to AEM to support restricted user permissions in Adobe Experience Manager Questions</title>
    <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168013#M92972</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;the annotation thing is "easy" to do, you only need to allow write access to the cq:annotation property, and have read access for everything else. You can do this quite easily using wildcard ACLs [1]. Editing only a section of a page is trickier, as that section must then always have the very same name. Then you can use wildcard ACLs as well.&lt;/P&gt;&lt;P&gt;The standard (path based) ACLs do not really work here, as the ACL inheritance is not applicable.&lt;/P&gt;&lt;P&gt;kind regards,&lt;BR /&gt;Jörg&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;[1] &lt;/SPAN&gt;&lt;A class="jive-link-external-small" href="https://forums.adobe.com/external-link.jspa?url=http%3A%2F%2Fwiki.apache.org%2Fjackrabbit%2FAccessControl%23Principal-based_ACLs" rel="nofollow" target="_blank"&gt;http://wiki.apache.org/jackrabbit/AccessControl#Principal-based_ACLs&lt;/A&gt;&lt;SPAN&gt;, look for the rep:glob property&lt;/SPAN&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 16 Oct 2015 02:28:51 GMT</pubDate>
    <dc:creator>Jörg_Hoh</dc:creator>
    <dc:date>2015-10-16T02:28:51Z</dc:date>
    <item>
      <title>Enhancements to AEM to support restricted user permissions</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168011#M92970</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I get the following requests from clients a lot.&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;The ability to have a role which can't edit a page but can annotate for review&lt;/LI&gt;&lt;LI&gt;The ability to edit only a section of the page&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Is it worth raising these as feature requests? &amp;nbsp;Is there any workaround now that is commonly used?&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 16 Oct 2015 02:28:51 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168011#M92970</guid>
      <dc:creator>Tim_Goodman_BTE</dc:creator>
      <dc:date>2015-10-16T02:28:51Z</dc:date>
    </item>
    <item>
      <title>Re: Enhancements to AEM to support restricted user permissions</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168012#M92971</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi there,&lt;/P&gt;&lt;P&gt;Thanks for reaching out to the Adobe Community.&lt;/P&gt;&lt;P&gt;Right now the permissions on a page are available as per the below doc:&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.adobe.com/docs/en/aem/6-0/administer/security/security.html#Actions" target="_blank"&gt;https://docs.adobe.com/docs/en/aem/6-0/administer/security/security.html#Actions&lt;/A&gt;&lt;/P&gt;&lt;P&gt;However, you can raise that one as a request if you feel the need for&amp;nbsp;such features pretty often.&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 16 Oct 2015 02:28:51 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168012#M92971</guid>
      <dc:creator>shekhardhiman</dc:creator>
      <dc:date>2015-10-16T02:28:51Z</dc:date>
    </item>
    <item>
      <title>Re: Enhancements to AEM to support restricted user permissions</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168013#M92972</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;the annotation thing is "easy" to do, you only need to allow write access to the cq:annotation property, and have read access for everything else. You can do this quite easily using wildcard ACLs [1]. Editing only a section of a page is trickier, as that section must then always have the very same name. Then you can use wildcard ACLs as well.&lt;/P&gt;&lt;P&gt;The standard (path based) ACLs do not really work here, as the ACL inheritance is not applicable.&lt;/P&gt;&lt;P&gt;kind regards,&lt;BR /&gt;Jörg&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;[1] &lt;/SPAN&gt;&lt;A class="jive-link-external-small" href="https://forums.adobe.com/external-link.jspa?url=http%3A%2F%2Fwiki.apache.org%2Fjackrabbit%2FAccessControl%23Principal-based_ACLs" rel="nofollow" target="_blank"&gt;http://wiki.apache.org/jackrabbit/AccessControl#Principal-based_ACLs&lt;/A&gt;&lt;SPAN&gt;, look for the rep:glob property&lt;/SPAN&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 16 Oct 2015 02:28:51 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168013#M92972</guid>
      <dc:creator>Jörg_Hoh</dc:creator>
      <dc:date>2015-10-16T02:28:51Z</dc:date>
    </item>
    <item>
      <title>Re: Enhancements to AEM to support restricted user permissions</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168014#M92973</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks - yes often clients ask for more granular access - e.g. access to only edit a single parsys or component on a particular page. &amp;nbsp;&lt;/P&gt;&lt;P&gt;I think the use case of being able to annotate without edit would be very common&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 16 Oct 2015 02:28:51 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168014#M92973</guid>
      <dc:creator>Tim_Goodman_BTE</dc:creator>
      <dc:date>2015-10-16T02:28:51Z</dc:date>
    </item>
    <item>
      <title>Re: Enhancements to AEM to support restricted user permissions</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168015#M92974</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks&amp;nbsp;&lt;SPAN style="color: rgb(79, 80, 81); font-family: adobe-clean, 'Helvetica Neue', Arial, sans-serif; font-size: 14px; line-height: normal;"&gt;Jörg&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;It's good to know that Principal&amp;nbsp;ACLs with wildcards can be utilised to achieve annotation capability, although I'm going to state that these look a bit tricky for a&amp;nbsp;System Administrator to configure&amp;nbsp;in their current state. &amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm trying to think of the best implementation - maybe create a script or package that could be run by a Sys Admin.&lt;/P&gt;&lt;P&gt;It would be great if the product could be enhanced to support this as a usable function&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Tim&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 16 Oct 2015 02:28:51 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168015#M92974</guid>
      <dc:creator>Tim_Goodman_BTE</dc:creator>
      <dc:date>2015-10-16T02:28:51Z</dc:date>
    </item>
    <item>
      <title>Re: Enhancements to AEM to support restricted user permissions</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168016#M92975</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;Well, is setting the ACLs the job of a system admin in your case? I would see it as a developer task to create a content package which contains such aspects &lt;img class="lia-deferred-image lia-image-emoji" src="https://experienceleaguecommunities.adobe.com/html/@31B4D6D7B3510763F3CBB2AAB7997408/emoticons/1f642.png" alt=":slightly_smiling_face:" title=":slightly_smiling_face:" /&gt;&lt;/P&gt;&lt;P&gt;What exactly do you think should be part of the product?&lt;/P&gt;&lt;P&gt;kind regards,&lt;BR /&gt;Jörg&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 16 Oct 2015 02:28:51 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168016#M92975</guid>
      <dc:creator>Jörg_Hoh</dc:creator>
      <dc:date>2015-10-16T02:28:51Z</dc:date>
    </item>
    <item>
      <title>Re: Enhancements to AEM to support restricted user permissions</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168017#M92976</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Jorg,&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm just trying a simple test for this using AEM6.1:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;Create a new group, which is a member of "Authors"&lt;/LI&gt;&lt;LI&gt;using CRXDE, add &amp;nbsp;the custom ACL&amp;nbsp;deny write permission, with exception of *cq:annotations&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;[img]repository permissions.png[/img]&lt;/P&gt;&lt;P&gt;It doesn't seem to work - Was this what you were expecting?&lt;/P&gt;&lt;P&gt;Also, I have noticed that if I try to remove the ACL that I added from CRXDE, I get a 500 error with the associated log message&lt;/P&gt;&lt;PRE class="prettyprint linenums" data-language=""&gt;09.06.2015 16:26:35.065 *ERROR* [qtp1418927216-807] com.day.crx.delite.impl.servlets.ACEServlet Error occur removing acl entry javax.jcr.security.AccessControlException: Cannot remove AccessControlEntry org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl$Entry@270be638 at org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACL.removeAccessControlEntry(ACL.java:79) at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.setPrincipalBasedAcl(AccessControlManagerImpl.java:253) at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.setPolicy(AccessControlManagerImpl.java:207) at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator$8.perform(AccessControlManagerDelegator.java:124) at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator$8.perform(AccessControlManagerDelegator.java:121) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:216) at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator.setPolicy(AccessControlManagerDelegator.java:121) at 
org.apache.jackrabbit.oak.jcr.delegate.JackrabbitAccessControlManagerDelegator.setPolicy(JackrabbitAccessControlManagerDelegator.java:151) at com.day.crx.delite.impl.servlets.ACEServlet.removeEntry(ACEServlet.java:430) at com.day.crx.delite.impl.servlets.ACEServlet.doService(ACEServlet.java:104) at com.day.crx.delite.impl.AbstractServlet.service(AbstractServlet.java:52)&lt;/PRE&gt;&lt;P&gt;Any ideas??&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 16 Oct 2015 02:28:51 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168017#M92976</guid>
      <dc:creator>Tim_Goodman_BTE</dc:creator>
      <dc:date>2015-10-16T02:28:51Z</dc:date>
    </item>
    <item>
      <title>Re: Enhancements to AEM to support restricted user permissions</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168018#M92977</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Tim,&lt;/P&gt;&lt;P&gt;I think that you actually deny the write access to cq:annotations &lt;img class="lia-deferred-image lia-image-emoji" src="https://experienceleaguecommunities.adobe.com/html/@31B4D6D7B3510763F3CBB2AAB7997408/emoticons/1f642.png" alt=":slightly_smiling_face:" title=":slightly_smiling_face:" /&gt; So it should be an allow policy here.&lt;/P&gt;&lt;P&gt;Regarding the stacktrace: Do you have any "caused by" statement in the stacktrace? The code looks like there is no ACL at all to remove (the ACLs are held in an ArrayList and the remove() operation on that ArrayList returns "false").&lt;/P&gt;&lt;P&gt;Jörg&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 16 Oct 2015 02:28:51 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168018#M92977</guid>
      <dc:creator>Jörg_Hoh</dc:creator>
      <dc:date>2015-10-16T02:28:51Z</dc:date>
    </item>
    <item>
      <title>Re: Enhancements to AEM to support restricted user permissions</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168019#M92978</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;OK - thanks. &amp;nbsp;I couldn't get the permissions to work with either allow or deny, ordered either above or below a matching statement (see image)&lt;/P&gt;&lt;P&gt;Using the Allow - I received errors both times when editing Annotations - e.g. Access denied&lt;/P&gt;&lt;P&gt;[img]ACL Test.png[/img]&lt;/P&gt;&lt;P&gt;Also, I upgraded to the GA version of AEM6.1 (I didn't realise I was using the beta) - and the ordering/deleting issues of ACLs appear to be fixed&lt;/P&gt;&lt;P&gt;Are you able to try it quickly and see if it will work?&lt;/P&gt;&lt;P&gt;Many Thanks,&lt;/P&gt;&lt;P&gt;Tim&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 16 Oct 2015 02:28:51 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168019#M92978</guid>
      <dc:creator>Tim_Goodman_BTE</dc:creator>
      <dc:date>2015-10-16T02:28:51Z</dc:date>
    </item>
    <item>
      <title>Re: Enhancements to AEM to support restricted user permissions</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168020#M92979</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Tim&lt;/P&gt;&lt;P&gt;I cannot reproduce your test. I created a user "atest" with a wildcard ACL on *cq:annotations* for the path /content/geometrixx/en/services. And then I added read permissions on / for it. Using the CRXDE I am able to create and update a property "cq:annotations" on /content/geometrixx/en/services/jcr:content.&lt;/P&gt;&lt;P&gt;Jörg&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 16 Oct 2015 02:28:51 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168020#M92979</guid>
      <dc:creator>Jörg_Hoh</dc:creator>
      <dc:date>2015-10-16T02:28:51Z</dc:date>
    </item>
    <item>
      <title>Re: Enhancements to AEM to support restricted user permissions</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168021#M92980</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks&amp;nbsp;Jörg&lt;/P&gt;&lt;P&gt;Does that mean that you were able to restrict permissions to allowing edit of annotations only? &amp;nbsp;Are you able to share the permission list you setup?&lt;/P&gt;&lt;P&gt;Kind Regards,&lt;/P&gt;&lt;P&gt;Tim&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 16 Oct 2015 02:28:51 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168021#M92980</guid>
      <dc:creator>Tim_Goodman_BTE</dc:creator>
      <dc:date>2015-10-16T02:28:51Z</dc:date>
    </item>
    <item>
      <title>Re: Enhancements to AEM to support restricted user permissions</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168022#M92981</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thank you for the quick reply. But that's exactly what I tried.&amp;nbsp;&lt;/P&gt;&lt;P&gt;1) Gave read permission to all pages.&amp;nbsp;&lt;/P&gt;&lt;P&gt;2) Then added allow policy for the group with rep:glob as /*/cq:annotations/* &amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Still I get access denied, and edit is also enabled for all pages. Any specific example would be nice to&amp;nbsp;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 30 Jan 2017 21:14:42 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168022#M92981</guid>
      <dc:creator>bswx</dc:creator>
      <dc:date>2017-01-30T21:14:42Z</dc:date>
    </item>
    <item>
      <title>Re: Enhancements to AEM to support restricted user permissions</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168023#M92982</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;This &lt;EM&gt;can &lt;/EM&gt;be done with normal path-based ACLs, but you need to allow more than just access to cq:annotations.&lt;CODE&gt;&lt;BR /&gt;&lt;/CODE&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;EDIT: I forgot to mention, the permissions below are on the /content node as allow with jcr:read &amp;amp; rep:write base permissions, and restrictions based on the lists below.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You need to allow write for the following rep:globs&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;/*/cq:annotations&lt;/LI&gt;&lt;LI&gt;/*/cq:annotations/*&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;You also need to allow write for the following rep:itemNames&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;cq:lastModified&lt;/LI&gt;&lt;LI&gt;cq:lastModifiedBy&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;I also added these rep:itemNames for good measure&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;jcr:lastModified&lt;/LI&gt;&lt;LI&gt;jcr:lastModifiedBy&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The rep:itemNames are needed because AEM updates the cq:lastModified/cq:lastModifiedBy properties of the page whenever an annotation is changed (add, modify, delete).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;To create them you need crx/de or a similarly powerful tool for ACL management. With crx/de, I have 6 entries for permissions, one for each of the 6 items above.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://experienceleaguecommunities.adobe.com/people/bswx"&gt;bswx&lt;/A&gt;​ &amp;amp; &lt;A href="https://experienceleaguecommunities.adobe.com/people/omallianz"&gt;omallianz&lt;/A&gt;, this might be something you are interested in as well.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 14 Feb 2019 20:39:43 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168023#M92982</guid>
      <dc:creator>paul_bjorkstran</dc:creator>
      <dc:date>2019-02-14T20:39:43Z</dc:date>
    </item>
    <item>
      <title>Re: Enhancements to AEM to support restricted user permissions</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168024#M92983</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;&lt;A href="https://experienceleaguecommunities.adobe.com/people/paul.bjorkstrand"&gt;paul.bjorkstrand&lt;/A&gt;​ thanks, I will check this out.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="text-decoration: line-through;"&gt;Update: Thanks &lt;A href="https://experienceleaguecommunities.adobe.com/people/paul.bjorkstrand"&gt;paul.bjorkstrand&lt;/A&gt;​, checked this and worked well.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Sorry guys, I made some confusion on this. when I checked this last time, I had already given write permission on everything below jcr:content and this worked. However if you just add above 6 acls as mentioned by Paul, it doesn't work. fyi, below is the representation of rep:poilicy node&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;{ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; "jcr:primaryType":"rep:ACL",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; "allow":{ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "jcr:primaryType":"rep:GrantACE",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:principalName":"annotations-group-example",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:privileges":[ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "jcr:read"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ]&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; },&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; "allow13":{ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "jcr:primaryType":"rep:GrantACE",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:principalName":"annotations-group-example",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:privileges":[ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 
"rep:write"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ],&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:restrictions":{ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "jcr:primaryType":"rep:Restrictions",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:glob":"/*/cq:annotations"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; }&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; },&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; "allow14":{ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "jcr:primaryType":"rep:GrantACE",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:principalName":"annotations-group-example",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:privileges":[ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:write"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ],&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:restrictions":{ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "jcr:primaryType":"rep:Restrictions",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:glob":"/*/cq:annotations/*"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; }&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; },&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; "allow15":{ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "jcr:primaryType":"rep:GrantACE",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:principalName":"annotations-group-example",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:privileges":[ 
&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:write"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ],&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:restrictions":{ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "jcr:primaryType":"rep:Restrictions",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:itemNames":[ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "cq:lastModified"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ]&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; }&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; },&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; "allow16":{ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "jcr:primaryType":"rep:GrantACE",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:principalName":"annotations-group-example",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:privileges":[ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:write"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ],&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:restrictions":{ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "jcr:primaryType":"rep:Restrictions",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:itemNames":[ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 
"cq:lastModifiedBy"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ]&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; }&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; },&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; "allow17":{ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "jcr:primaryType":"rep:GrantACE",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:principalName":"annotations-group-example",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:privileges":[ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:write"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ],&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:restrictions":{ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "jcr:primaryType":"rep:Restrictions",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:itemNames":[ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "jcr:lastModified"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ]&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; }&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; },&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; "allow18":{ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "jcr:primaryType":"rep:GrantACE",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:principalName":"annotations-group-example",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:privileges":[ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 
"rep:write"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ],&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:restrictions":{ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "jcr:primaryType":"rep:Restrictions",&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "rep:itemNames":[ &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "jcr:lastModifiedBy"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ]&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; }&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; }&lt;/P&gt;&lt;P&gt;}&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As a workaround, we did something like this:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;# Allows user to annotate on the pages(wildcard for everything below jcr:content, excluding jcr:content itself) but blocks modifying page properties by restricting access on jcr:content node. 
See also &lt;A href="https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html" title="https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html"&gt;Jackrabbit Oak – Restriction Management&lt;/A&gt; &lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; - path: /content/we-retail/en&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; permission: allow&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; privileges: rep:write&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; restrictions:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; repGlob: '/*/jcr:content/*'&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This will give a permission to create, edit, modify everything below jcr:content(excluding jcr:content). &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 19 Feb 2019 12:59:03 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168024#M92983</guid>
      <dc:creator>omallianz</dc:creator>
      <dc:date>2019-02-19T12:59:03Z</dc:date>
    </item>
    <item>
      <title>Re: Enhancements to AEM to support restricted user permissions</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168025#M92984</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have a user with only read permissions and then added all the 6 permissions mentioned above for the user in the crx/de at the /content node.&lt;/P&gt;&lt;P&gt;Now, I am able to edit and update the existing annotation but I am still unable to add a new annotation. Logs show "Access denied". &lt;/P&gt;&lt;P&gt;Is there anything that I am still missing? &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks in advance&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 07 Mar 2019 13:59:29 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168025#M92984</guid>
      <dc:creator>padminik5129032</dc:creator>
      <dc:date>2019-03-07T13:59:29Z</dc:date>
    </item>
    <item>
      <title>Re: Enhancements to AEM to support restricted user permissions</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168026#M92985</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Can you share the screenshots of rep:policy node?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 07 Mar 2019 14:11:19 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/enhancements-to-aem-to-support-restricted-user-permissions/m-p/168026#M92985</guid>
      <dc:creator>omallianz</dc:creator>
      <dc:date>2019-03-07T14:11:19Z</dc:date>
    </item>
  </channel>
</rss>

