SOLVED
ACL Permission - Editor Level - Edit existing content - Prevent add or remove content
Hello Friends,
What I am trying to accomplish: I am attempting to create an "Editor" access level in AEM Sites 6.5*. This level would have permission to edit text/components/content within a path they are given access but not add new components nor delete components. I've searched the internet, this forum, but nothing has pointed me in the right direction.
What I have done: I have been approaching this with an ACL - demonstrated in the below screenshot. I have a root path where the ACL is applied, and below that root page are child pages with no additional ACL applied.
What worked: I succeeded in accomplishing this for all of the child pages within a given content path. An "editor" is able to modify text/components/content on child pages but receive an error if they attempt to add/delete a component from the page. This is acceptable to me.
What didn't work: The root page where my ACL is applied allows an "editor" to add/remove components from the page in addition to the desired edit capability.
What I have tried: Modifying the glob/permissions below, but no combination achieves my desired result. I either end up with no access to edit anything, full access to add/remove, or, parent full access and child edit access.
Below is the ACL I have setup that ALMOST works.
Any insight or guidance anyone may have would be greatly appreciated.
Thanks,
Tom.
1 Accepted Solution
Correct answer by
@arunpatidar - Thanks! It didn't exactly have the answer, but it slowed me down enough to think about the problem more! The solution may not be ideal but does seem to work for our scenarios.
Solution:
Create an editor group, give "modify" access to the desired path, then create two ACL deny rules for jcr:removeNode, jcr:addChildNodes, with the following restrictions: rep:glob="/*/jcr:content/*" and rep:glob="/jcr:content/*"
Outcome: The result is the user in the editor group only being able to edit existing components on the page but being prevented from adding or removing any components.
Tom.
Can you please check if this helps?
https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html
Arun Patidar
Correct answer by
@arunpatidar - Thanks! It didn't exactly have the answer, but it slowed me down enough to think about the problem more! The solution may not be ideal but does seem to work for our scenarios.
Solution:
Create an editor group, give "modify" access to the desired path, then create two ACL deny rules for jcr:removeNode, jcr:addChildNodes, with the following restrictions: rep:glob="/*/jcr:content/*" and rep:glob="/jcr:content/*"
Outcome: The result is the user in the editor group only being able to edit existing components on the page but being prevented from adding or removing any components.
Tom.
