Adobe Experience Manager Sites & More

alexanderw22637 · 2/4/16

Hi all together,

our editors are currently facing a strange behaviour if they try to do a rollout. After selecting the rollout targets (about 90) i see in the error.log's AccessDeniedException from oak:

04.02.2016 11:59:31.800 *ERROR* [ [1454583522997] POST /bin/wcmcommand HTTP/1.1] com.day.cq.wcm.msm.impl.RolloutManagerImpl Failed to save changes {}, revert
javax.jcr.AccessDeniedException: OakAccess0000: Access denied

[...]

Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccess0000: Access denied

[...]

04.02.2016 11:59:31.803 *ERROR* [ [1454583522997] POST /bin/wcmcommand HTTP/1.1] com.day.cq.wcm.msm.impl.commands.RolloutCommand Error during roll-out.
com.day.cq.wcm.api.WCMException: javax.jcr.AccessDeniedException: OakAccess0000: Access denied
at com.day.cq.wcm.msm.impl.RolloutManagerImpl.save(RolloutManagerImpl.java:1059)

[...]

Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccess0000: Access denied
at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.checkPermissions(PermissionValidator.java:212)

(The full StackTrace is in the attached file)

Can someone tell me which path will be editied and though the AccessDeniedException occures?

Many thanks for any support.

smacdonald2008 · 2/4/16

Do they have the correct permissions do perform this operation? The Access Denied message suggests that there is a permission issue.

Jitendra_S_Toma · 2/4/16

Definitely, it is a permission issue as stated by @Scott.

In order to verify it, rollout one page at a time. Just a guess, you may not have privilege to modify all the LiveCopy hierarchies.

Jitendra

alexanderw22637 · 2/4/16

Well the user do have all permissions on /content. So it has to be on some other path(s), but the log does it not mention. So how could i debug it?

Jitendra_S_Toma · 2/5/16

We shouldn't be checking permission on the /content itself. Verify on live copy site and as I said, test with one page to debug it.

Jitendra

alexanderw22637 · 2/5/16

Hi,

sorry, it was not that clear. The user do have jcr:all on /content an all the subpages, so the live copy site is included.

Kunal_Gaba_ · 2/5/16

As per the following documentation https://www.day.com/maven/jsr170/javadocs/jcr-2.0/javax/jcr/security/Privilege.html#JCR_ALL, the jcr:All aggregates the following privileges-

jcr:read
jcr:write
jcr:readAccessControl
jcr:modifyAccessControl
jcr:lockManagement
jcr:versionManagement
jcr:nodeTypeManagement
jcr:retentionManagement
jcr:lifecycleManagement

It does not include the privilege to delete the nodes. As per the exception stack-trace you are getting access denied error on delete. Please provide delete privileges by giving the following privileges along with jcr:All - jcr:removeNode and jcr:removeChildNodes

alexanderw22637 · 2/7/16

Yes that's correct, but the Adobe AEM Documentation (https://docs.adobe.com/docs/en/aem/6-1/administer/security/user-group-ac-admin.html#Privileges) says, that jcr:all "This is an aggregate privilege that contains all other predefined privileges.". I also checked the privileges on the system and jcr:all includes jcr:removeNode and jcr:removeChildNodes

Any other ideas?

Adobe Experience Manager Sites & More

Access denied during rollout

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe