Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

Access control inheritance issue

Avatar

Former Community Member
10/15/15 7:26:23 PM

Hi,

I am putting my acls in format allow;jcr:all;product;/content in Day CQ Acl Setup xml file. I need to restrict certain pages for some groups but allow most of the other pages to be editable. All these pages are within the same hierarchy. When i allow access of jcr:all to the parent then those access are being inherited by child pages irrespective of the fact that i have also defined jcr:read for child pages. I moved these permission one after another and reversed the order as well but nothing seems to affect at all. I was using useradmin screen to view my changes and using 5.6.1 AEM instance.

There has been an observation where if you provide more access to a group and then remove access then you have to manually change the user permissions from the user admin screen. I downgraded the permission but that did not affect at all as well.

I looked at the documentation at link but seems a bit unclear on the inheritance front.

  1. When you set allow or deny permission on a given node then 3 scenarios are possible:
    1. if the same ACE (Access Control Entry) is being inherited from a parent node and no matching ACE already exists on the node then nothing will be done.
    2. if the same ACE is being inherited from a parent node and a matching ACE is already defined on that path then it will be removed.
    3. if the same ACE is not being inherited from a parent node then the ACE will be created for that node.

Any help will be appreciated.

Views

826

Replies

2

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
12/10/23 3:14:00 AM

There are multiple options to provide change accesses in a hierarchy.

 

1. Implementing rep:glob: Often used in a multi-tenant set up, it allows you to allow/deny permission based on Glob Patterns (Regex).

Details available here: http://www.aemcq5tutorials.com/tutorials/aem-permissioning/ 

 

This is used in the cases where permission set-up is not dynamic. Its the devs who set-up permissions and not controlled by authors

 

 

2. Implementing Closed-user-groups:

This is meant for a dynamic set-up and secured content, where authors can define that which user-groups whould have access to the content.

https://www.youtube.com/watch?v=rIcyN8f0GqI&ab_channel=TechForum

https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/cug.html?lang=e... 

 

Regarding to the query around evaluation:

A detailed article is available here: https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/user-group-ac-a...

 

Aanchal Sikka

View solution in original post

Views

262

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
2 Replies

Avatar

Correct answer by
Community Advisor
Community Advisor
12/10/23 3:14:00 AM

There are multiple options to provide change accesses in a hierarchy.

 

1. Implementing rep:glob: Often used in a multi-tenant set up, it allows you to allow/deny permission based on Glob Patterns (Regex).

Details available here: http://www.aemcq5tutorials.com/tutorials/aem-permissioning/ 

 

This is used in the cases where permission set-up is not dynamic. Its the devs who set-up permissions and not controlled by authors

 

 

2. Implementing Closed-user-groups:

This is meant for a dynamic set-up and secured content, where authors can define that which user-groups whould have access to the content.

https://www.youtube.com/watch?v=rIcyN8f0GqI&ab_channel=TechForum

https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/cug.html?lang=e... 

 

Regarding to the query around evaluation:

A detailed article is available here: https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/user-group-ac-a...

 

Aanchal Sikka

Views

263

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Administrator
Administrator
12/11/23 12:21:46 AM

Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.



Kautuk Sahni

Views

247

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
I want to restrict access to AEMaaCS dev and stage via a password. Solved

Views

85

Likes

0

Replies

2
Adobe Certification Exam Prep Portal asking for access code Solved

Views

147

Likes

0

Replies

4
Issue Setting Up AEM SDK Local Environment for Practice Solved

Views

640

Likes

0

Replies

16
caching Issue Solved

Views

261

Likes

0

Replies

4
Access data attribute from component's HTL in Touch UI dialogs context Solved

Views

341

Likes

0

Replies

4