Access denied during rollout

Level 2

Hi all together,

Our editors are currently facing strange behaviour when they try to do a rollout. After selecting the rollout targets (about 90), I see an AccessDeniedException from Oak in the error.log:

04.02.2016 11:59:31.800 *ERROR* [ [1454583522997] POST /bin/wcmcommand HTTP/1.1] com.day.cq.wcm.msm.impl.RolloutManagerImpl Failed to save changes {}, revert
javax.jcr.AccessDeniedException: OakAccess0000: Access denied

[...]

Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccess0000: Access denied

[...]

04.02.2016 11:59:31.803 *ERROR* [ [1454583522997] POST /bin/wcmcommand HTTP/1.1] com.day.cq.wcm.msm.impl.commands.RolloutCommand Error during roll-out.
com.day.cq.wcm.api.WCMException: javax.jcr.AccessDeniedException: OakAccess0000: Access denied
    at com.day.cq.wcm.msm.impl.RolloutManagerImpl.save(RolloutManagerImpl.java:1059)

[...]

Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccess0000: Access denied
    at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.checkPermissions(PermissionValidator.java:212)

(The full StackTrace is in the attached file)

Can someone tell me which path will be edited, and thus where the AccessDeniedException occurs?

Many thanks for any support.

7 Replies

Level 10

Do they have the correct permissions to perform this operation? The Access Denied message suggests that there is a permission issue.

Level 9

Definitely, it is a permission issue as stated by @Scott. 

In order to verify it, rollout one page at a time. Just a guess, you may not have privilege to modify all the LiveCopy hierarchies.

Jitendra

Level 2

Well, the user does have all permissions on /content. So it has to be on some other path(s), but the log does not mention it. So how could I debug it?

Level 9

We shouldn't be checking permission on the /content itself. Verify on live copy site and as I said, test with one page to debug it.

Jitendra

Level 2

Hi,

Sorry, it was not that clear. The user does have jcr:all on /content and all the subpages, so the live copy site is included.

Level 10

As per the following documentation, https://www.day.com/maven/jsr170/javadocs/jcr-2.0/javax/jcr/security/Privilege.html#JCR_ALL, jcr:All aggregates the following privileges:

  • jcr:read
  • jcr:write
  • jcr:readAccessControl
  • jcr:modifyAccessControl
  • jcr:lockManagement
  • jcr:versionManagement
  • jcr:nodeTypeManagement
  • jcr:retentionManagement
  • jcr:lifecycleManagement

It does not include the privilege to delete the nodes. As per the exception stack trace, you are getting the access denied error on delete. Please provide delete privileges by giving the following privileges along with jcr:All: jcr:removeNode and jcr:removeChildNodes.

Level 2

Yes, that's correct, but the Adobe AEM documentation (https://docs.adobe.com/docs/en/aem/6-1/administer/security/user-group-ac-admin.html#Privileges) says of jcr:all: "This is an aggregate privilege that contains all other predefined privileges." I also checked the privileges on the system, and jcr:all includes jcr:removeNode and jcr:removeChildNodes.

Any other ideas?
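
Added example, not part of the thread and not Adobe's code: one way to answer both open questions with the standard JCR 2.0 security API, by listing what jcr:all aggregates in the running repository and by testing candidate paths for the delete privileges named above. It assumes a `Session` logged in as the affected editor and a caller-supplied list of paths to test; the class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;

/** Added example (hypothetical helper): privilege checks for a rollout user. */
public final class RolloutPrivilegeCheck {

    /** Names of every privilege that jcr:all expands to in this repository. */
    public static List<String> aggregatesOfJcrAll(Session session) throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        List<String> names = new ArrayList<>();
        for (Privilege p : acm.privilegeFromName("jcr:all").getAggregatePrivileges()) {
            names.add(p.getName());
        }
        return names;
    }

    /**
     * Returns the candidate paths on which the session does NOT hold all of the
     * given privileges. Paths the session cannot read are reported as well,
     * because hasPrivileges() throws PathNotFoundException for them.
     * Example call: pathsLacking(session, paths, "jcr:removeNode", "jcr:removeChildNodes")
     */
    public static List<String> pathsLacking(Session session, List<String> candidatePaths,
                                            String... privilegeNames) throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        Privilege[] required = new Privilege[privilegeNames.length];
        for (int i = 0; i < privilegeNames.length; i++) {
            required[i] = acm.privilegeFromName(privilegeNames[i]);
        }
        List<String> failing = new ArrayList<>();
        for (String path : candidatePaths) {
            try {
                if (!acm.hasPrivileges(path, required)) {
                    failing.add(path + " (missing at least one requested privilege)");
                }
            } catch (PathNotFoundException e) {
                failing.add(path + " (not found or not readable for this session)");
            }
        }
        return failing;
    }
}
```

The result reflects the effective privileges of the session passed in, so it has to be the editor's session (or an impersonation of it), not an administrator's.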