Access denied during rollout | Community
Skip to main content
A
alexanderw22637
Level 2
February 4, 2016

Access denied during rollout

  • February 4, 2016
  • 2 replies
  • 3449 views

Hi all together,

our editors are currently facing a strange behaviour if they try to do a rollout. After selecting the rollout targets (about 90) i see in the error.log's AccessDeniedException from oak:

04.02.2016 11:59:31.800 *ERROR* [ [1454583522997] POST /bin/wcmcommand HTTP/1.1] com.day.cq.wcm.msm.impl.RolloutManagerImpl Failed to save changes {}, revert
javax.jcr.AccessDeniedException: OakAccess0000: Access denied

[...]

Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccess0000: Access denied

[...]

04.02.2016 11:59:31.803 *ERROR* [ [1454583522997] POST /bin/wcmcommand HTTP/1.1] com.day.cq.wcm.msm.impl.commands.RolloutCommand Error during roll-out.
com.day.cq.wcm.api.WCMException: javax.jcr.AccessDeniedException: OakAccess0000: Access denied
    at com.day.cq.wcm.msm.impl.RolloutManagerImpl.save(RolloutManagerImpl.java:1059)

[...]

Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccess0000: Access denied
    at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.checkPermissions(PermissionValidator.java:212)

(The full StackTrace is in the attached file)

Can someone tell me which path will be editied and though the AccessDeniedException occures?

Many thanks for any support.

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

2 replies

smacdonald2008
smacdonald2008
Level 10
February 4, 2016

Do they have the correct permissions do perform this operation? The Access Denied message suggests that there is a permission issue.

Jitendra_S_Toma
Jitendra_S_Toma
Level 10
February 5, 2016

Definitely, it is a permission issue as stated by @Scott. 

In order to verify it, rollout one page at a time. Just a guess, you may not have privilege to modify all the LiveCopy hierarchies.

Jitendra

A
alexanderw22637Author
Level 2
February 5, 2016

Well the user do have all permissions on /content. So it has to be on some other path(s), but the log does it not mention. So how could i debug it?

A
alexanderw22637Author
Level 2
February 8, 2016

As per the following documentation https://www.day.com/maven/jsr170/javadocs/jcr-2.0/javax/jcr/security/Privilege.html#JCR_ALL, the jcr:All aggregates the following privileges- 

  • jcr:read
  • jcr:write
  • jcr:readAccessControl
  • jcr:modifyAccessControl
  • jcr:lockManagement
  • jcr:versionManagement
  • jcr:nodeTypeManagement
  • jcr:retentionManagement
  • jcr:lifecycleManagement

It does not include the privilege to delete the nodes. As per the exception stack-trace you are getting access denied error on delete. Please provide delete privileges by giving the following privileges along with jcr:All - jcr:removeNode and jcr:removeChildNodes


Yes that's correct, but the Adobe AEM Documentation (https://docs.adobe.com/docs/en/aem/6-1/administer/security/user-group-ac-admin.html#Privileges) says, that jcr:all "This is an aggregate privilege that contains all other predefined privileges.". I also checked the privileges on the system and jcr:all includes jcr:removeNode and jcr:removeChildNodes

Any other ideas?

Terms & ConditionsAccessibility statement

Loading footer...