Expand my Community achievements bar.

SOLVED

ACL Permissions

Avatar

Level 1

I have content structure like - /content/A , /content/B, /content/C
and user groups  AuthorA, AuthorB and AuthorC.
UserGroup AuthorA has allow access for /content/A and deny for/content/B & deny for /content/C
similarly AuthorB has allow access for /content/B and deny for/content/A & deny for /content/C

and Author C has allow access for /content/C and deny for/content/A & deny for /content/B

we have a  user -testUser,
testUser is part of usergroup AuthorA and AuthorB but testUser is only able to access /content/A
How can we make testuser to acces /content/B also because it is part of usergroup AuthorB as well

Thanks
Ankit

1 Accepted Solution

Avatar

Correct answer by
Level 6

Hi @ankitachauri ,

 

Approach 1 (In case deny rules cannot be reverted. Wherever possible you should use only allow and avoid deny):

You can do an ACL re-ordering using crx/de (Access Control tab) or crx/explorer (Access Control Editor) interface in case it is an on-premise AEM instance.

 

You need to ensure that for each of your groups, deny rules are on top and allow rules are at the bottom so that allow takes priority over deny.

e.g. You would be seeing something like this initially. Notice deny at the end.

Screenshot (1997).png

Update this to move deny at the top and any allow rules below it.

Screenshot (1998).png

This should fix your current problem.

 

Approach 2 (Recommended from long-term perspective):

Explicitly allow only the necessary content path and do not give access to the other nodes. For this, you need to set a rep:glob at the parent node with value "" and then add the permission only to the child node intended as shown below. With this you no longer need the deny rules.

Capture1.PNGCapture.PNG

 

 

 

Thanks,

Ram

View solution in original post

3 Replies

Avatar

Community Advisor

Hi @ankitachauri ,

It seems like the current setup you have done is giving each user group access to only one content path and denying access to the other two.

One possible reason for this could be that the user group AuthorA has been granted access to /content/A and denied access to /content/B and /content/C.

Similarly, user group AuthorB has been granted access to /content/B and denied access to /content/A and /content/C. Since testUser is a member of both user groups, they are being denied access to /content/B due to the deny rule in user group AuthorA.

 

Solution: 

You can give explicit allow access to /content/B for testUser.

You can also create a new user group that gives access to both /content/A and /content/B and assign testUser to that group.

 

Note:

Explicit access to a user would take precedence over the group access

Avatar

Community Advisor

@ankitachauri Seems like your scenario doesn't have any possible solution untill you do below things

 

1. Create a seperate group and add the necessary permissions

2. remove deny all groups and add the permissions to users (Which is not recommanded)

3. We might need to do a custom groups which can allow multiple groups and deny others. 

Avatar

Correct answer by
Level 6

Hi @ankitachauri ,

 

Approach 1 (In case deny rules cannot be reverted. Wherever possible you should use only allow and avoid deny):

You can do an ACL re-ordering using crx/de (Access Control tab) or crx/explorer (Access Control Editor) interface in case it is an on-premise AEM instance.

 

You need to ensure that for each of your groups, deny rules are on top and allow rules are at the bottom so that allow takes priority over deny.

e.g. You would be seeing something like this initially. Notice deny at the end.

Screenshot (1997).png

Update this to move deny at the top and any allow rules below it.

Screenshot (1998).png

This should fix your current problem.

 

Approach 2 (Recommended from long-term perspective):

Explicitly allow only the necessary content path and do not give access to the other nodes. For this, you need to set a rep:glob at the parent node with value "" and then add the permission only to the child node intended as shown below. With this you no longer need the deny rules.

Capture1.PNGCapture.PNG

 

 

 

Thanks,

Ram