Adobe Experience Manager Sites & More

ankitachauri · 1/15/23

I have content structure like - /content/A , /content/B, /content/C
and user groups AuthorA, AuthorB and AuthorC.
UserGroup AuthorA has allow access for /content/A and deny for/content/B & deny for /content/C
similarly AuthorB has allow access for /content/B and deny for/content/A & deny for /content/C

and Author C has allow access for /content/C and deny for/content/A & deny for /content/B

we have a user -testUser,
testUser is part of usergroup AuthorA and AuthorB but testUser is only able to access /content/A
How can we make testuser to acces /content/B also because it is part of usergroup AuthorB as well

Thanks
Ankit

rampai · 1/16/23

Hi @ankitachauri ,

Approach 1 (In case deny rules cannot be reverted. Wherever possible you should use only allow and avoid deny):

You can do an ACL re-ordering using crx/de (Access Control tab) or crx/explorer (Access Control Editor) interface in case it is an on-premise AEM instance.

You need to ensure that for each of your groups, deny rules are on top and allow rules are at the bottom so that allow takes priority over deny.

e.g. You would be seeing something like this initially. Notice deny at the end.

Update this to move deny at the top and any allow rules below it.

This should fix your current problem.

Approach 2 (Recommended from long-term perspective):

Explicitly allow only the necessary content path and do not give access to the other nodes. For this, you need to set a rep:glob at the parent node with value "" and then add the permission only to the child node intended as shown below. With this you no longer need the deny rules.

Thanks,

Ram

View solution in original post

Anmol_Bhardwaj · 1/15/23

Hi @ankitachauri ,

It seems like the current setup you have done is giving each user group access to only one content path and denying access to the other two.

One possible reason for this could be that the user group AuthorA has been granted access to /content/A and denied access to /content/B and /content/C.

Similarly, user group AuthorB has been granted access to /content/B and denied access to /content/A and /content/C. Since testUser is a member of both user groups, they are being denied access to /content/B due to the deny rule in user group AuthorA.

Solution:

You can give explicit allow access to /content/B for testUser.

You can also create a new user group that gives access to both /content/A and /content/B and assign testUser to that group.

Note:

Explicit access to a user would take precedence over the group access

Jagadeesh_Prakash · 1/16/23

@ankitachauri Seems like your scenario doesn't have any possible solution untill you do below things

1. Create a seperate group and add the necessary permissions

2. remove deny all groups and add the permissions to users (Which is not recommanded)

3. We might need to do a custom groups which can allow multiple groups and deny others.

rampai · 1/16/23

Hi @ankitachauri ,

Approach 1 (In case deny rules cannot be reverted. Wherever possible you should use only allow and avoid deny):

You can do an ACL re-ordering using crx/de (Access Control tab) or crx/explorer (Access Control Editor) interface in case it is an on-premise AEM instance.

You need to ensure that for each of your groups, deny rules are on top and allow rules are at the bottom so that allow takes priority over deny.

e.g. You would be seeing something like this initially. Notice deny at the end.

Update this to move deny at the top and any allow rules below it.

This should fix your current problem.

Approach 2 (Recommended from long-term perspective):

Explicitly allow only the necessary content path and do not give access to the other nodes. For this, you need to set a rep:glob at the parent node with value "" and then add the permission only to the child node intended as shown below. With this you no longer need the deny rules.

Thanks,

Ram

Adobe Experience Manager Sites & More

ACL Permissions

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe