Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

User Groups limited to specific DAM folders

Avatar

Level 2

I am new to user admin in AEM as a CS and have a request to create user groups that can only see a specific project in the DAM. Right now we are working with three project folders for testing purposes, but the final work will include up to 75 or more project folders.

 

My DAM top level folders:

  • /content/dam/projectX/...
  • /content/dam/projectY/...
  • /content/dam/projectZ/...

I need to have a user group that can read /projectX but should not even be able to see the other project folders due to client confidentiality. Additionally, there will be users that have access to more than one project, but not all projects so they might need to see X and Z, but not Y for example.

 

I have created a user group with the path /content/dam/projectX given "jcr:read" access, but when I login with a user in that group it still sees /projectY and /projectZ. I even tried setting the read access on a lower subfolder inside of /projectX but the user can still see the entire DAM folder structure with the other projects visible.

 

I feel like using denies wouldn't help because when a user is in two groups (X and Z) they would block/deny each other?

 

Any help would be appreciated, thanks!!

1 Accepted Solution

Avatar

Correct answer by
Level 3

Hello @Kate_Sumbler ,

To provide access to specific folder to specific user groups, please try the following

  1. Create a User group (e.g. group-projectx)
  2. Navigate to permissions page (http://localhost:4502/security/permissions.html) and add the ACE's as below

achennapragada_1-1659573953877.png

 

 

Using the above approach users will have access to specific folders only( in above case : content/dam/projectx) and will not have access to any other folders or any new folders that will be created in DAM as we are not denying other folders and explicitly giving permissions to specific folder 

 

In this way the user groups can be configured to specific folders based on the requirement 

 

There are multiple ways to configure user groups and permissions in AEM and is dependent on the business requirements. Couple of approaches below 

There are also ways to automate user groups creation. Request you to please try exploring these options before implementing the final solution.

View solution in original post

4 Replies

Avatar

Correct answer by
Level 3

Hello @Kate_Sumbler ,

To provide access to specific folder to specific user groups, please try the following

  1. Create a User group (e.g. group-projectx)
  2. Navigate to permissions page (http://localhost:4502/security/permissions.html) and add the ACE's as below

achennapragada_1-1659573953877.png

 

 

Using the above approach users will have access to specific folders only( in above case : content/dam/projectx) and will not have access to any other folders or any new folders that will be created in DAM as we are not denying other folders and explicitly giving permissions to specific folder 

 

In this way the user groups can be configured to specific folders based on the requirement 

 

There are multiple ways to configure user groups and permissions in AEM and is dependent on the business requirements. Couple of approaches below 

There are also ways to automate user groups creation. Request you to please try exploring these options before implementing the final solution.

Avatar

Level 2

(edited to remove error)

 

Thank you, I just tried this out and it is now working as I expect!

Avatar

Level 3

Hi @Kate_Sumbler ,

Can you please edit the deny rule by removing the additional quotes there? ""content"" -> "content" in ACE-> rep:global=content

Avatar

Level 2

Yes, I just noticed that after reviewing again and removed the additional quotes. Everything is working as I would like now, thank you!