Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

Add user group access in publish environment

Avatar

Level 6

I need to show some html content based on user's group. I am able to do this in author environment but how do I control it in publisher and domain level?

I am using a boolean variable in sightly to show/hide content. This variable is in sling model where I am checking user's group name.

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

The component where we are using the service user.

@component(service = AssetDownloadService.class)
public class AssetDownloadServiceImpl implements AssetDownloadService {

    protected static final Logger LOGGER = LoggerFactory.getLogger(AssetDownloadServiceImpl.class);

    @reference
    private ResourceResolverService resourceResolverService;


    private boolean isAsset(String resourcePath, String propertyName) {
        try (ResourceResolver resourceResolver = resourceResolverService.getResourceResolver()) {
            Resource resource = resourceResolver.getResource(resourcePath);
            if (resource == null) return false;

            String fileReference = resource.getValueMap().get(propertyName, StringUtils.EMPTY);
            Resource damImageResource = resourceResolver.getResource(fileReference);
            return isBynderAsset(damImageResource);
        } catch (RuntimeException ex) {
            LOGGER.error("Exception occurred in isBynderAsset due to {}",ex.getMessage(), ex);
        }

        return false;
    }

}

 

The ResourceResolverService

@component(service = ResourceResolverService.class, property = {
        Constants.SERVICE_DESCRIPTION + "=ResourceResolver Provider for Service User"
})
public class ResourceResolverServiceImpl implements ResourceResolverService {

    @reference
    ResourceResolverFactory resolverFactory;

    private final Logger logger = LoggerFactory.getLogger(ResourceResolverServiceImpl.class);

    @Override
    public ResourceResolver getResourceResolver() {
        Map<String, Object> params = new HashMap<>();
        params.put(resolverFactory.SUBSERVICE, "reader-user");
        try {
            return resolverFactory.getServiceResourceResolver(params);
        } catch (LoginException e) {
            logger.error("error due to : {}", e.getMessage(), e);
        }

        return null;
    }

    @Override
    public ResourceResolver getResourceResolverWriter() {
        Map<String, Object> params = new HashMap<>();
        params.put(resolverFactory.SUBSERVICE, "writer-user");
        try {
            return resolverFactory.getServiceResourceResolver(params);
        } catch (LoginException e) {
            logger.error("error due to : {}", e.getMessage(), e);
        }

        return null;
    }

}

 You can replicate this service user from author. and for extra permissions you can use the netcentric acl tool. Or you can set permissions manualy.

View solution in original post

6 Replies

Avatar

Community Advisor

Hi,


I don't fully understand your question, but let me try to explain how this will work. In the Sling model, you can obtain the user who has started the session that reaches your Sling model. In other words, you can determine which user has logged into AEM, and thus, retrieve its details, such as the group[1]. If you use this same Sling model in the publish instance, you will have to "enable" AEM login publicly for this to work properly.

By default, in the publish instance, the anonymous user is the session used if no other user has started a session. That being said, if you need that Sling Model to work in publish, you will have to log into AEM. This scenario is how the WKND site works. You can refer to that if you need to mimic that functionality. If, on the other hand, you have a custom login, then you will have to rely on other methods to capture that user's information in the Sling model.

 

Hope this clarifies your doubts.

[1]. How to get the group in slingModel: https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/how-to-fetch-users-of-a-gr...

[2]. Wkdn example: https://experienceleague.adobe.com/docs/experience-manager-learn/getting-started-wknd-tutorial-devel... 



Esteban Bustamante

Avatar

Level 2

Hi @EstebanBustamante 

we dont have any login method enabled in publisher. In sling model I am checking for user's group. Thanks, i will have to setup the login for publish enviroment.

Avatar

Community Advisor

Hi @Shaheena_Sheikh 

 Access Control Lists (ACLs) available for replication. Please refer to the documentation around User Administration [1] and check for the "Replicate" action.

 

In addition to that, please make sure to manage your ACLs on a group level and avoid assigning permissions to single users (emphasizing/clearing. My recommendation is to start with the OOTB groups. Doing so, it is important to only deny on the initial level of your hierarchy (deny as much as possible without breaking anything with regards to general system functionality for the users). Starting from there, more specific groups should allow what ever is required for their respective business use cases. Avoid denying ACLs on deeper levels of the group hierarchy as this will make things much more complex and you might end up with unexpected results (although I admit that it's not 100% avoidable for certain, rare cases).

 

Hope that helps!

 

[1] https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security.html#a...

[2] https://sling.apache.org/documentation/bundles/repository-initialization.html

[3] https://github.com/Netcentric/accesscontroltool

[4] https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security.html?l...



Avatar

Community Advisor

Its working on author because on author you are logged in as a admin and admin have all the access.
On publish your user is anonymous and when you are trying to read permission anonymous user dont have access to read user groups.

If you are using any login user then you can set permission from useradmin to the user group.

 

You can create a service/system user for this type of thing. And from the code you can read user groups using the service/system user.

Please checkout this link https://experienceleague.adobe.com/docs/experience-manager-learn/forms/adaptive-forms/service-user-t...

Avatar

Level 6

Hi @kaikubad ,

if i create service user, how can i use that in publish env? 

Avatar

Correct answer by
Community Advisor

The component where we are using the service user.

@component(service = AssetDownloadService.class)
public class AssetDownloadServiceImpl implements AssetDownloadService {

    protected static final Logger LOGGER = LoggerFactory.getLogger(AssetDownloadServiceImpl.class);

    @reference
    private ResourceResolverService resourceResolverService;


    private boolean isAsset(String resourcePath, String propertyName) {
        try (ResourceResolver resourceResolver = resourceResolverService.getResourceResolver()) {
            Resource resource = resourceResolver.getResource(resourcePath);
            if (resource == null) return false;

            String fileReference = resource.getValueMap().get(propertyName, StringUtils.EMPTY);
            Resource damImageResource = resourceResolver.getResource(fileReference);
            return isBynderAsset(damImageResource);
        } catch (RuntimeException ex) {
            LOGGER.error("Exception occurred in isBynderAsset due to {}",ex.getMessage(), ex);
        }

        return false;
    }

}

 

The ResourceResolverService

@component(service = ResourceResolverService.class, property = {
        Constants.SERVICE_DESCRIPTION + "=ResourceResolver Provider for Service User"
})
public class ResourceResolverServiceImpl implements ResourceResolverService {

    @reference
    ResourceResolverFactory resolverFactory;

    private final Logger logger = LoggerFactory.getLogger(ResourceResolverServiceImpl.class);

    @Override
    public ResourceResolver getResourceResolver() {
        Map<String, Object> params = new HashMap<>();
        params.put(resolverFactory.SUBSERVICE, "reader-user");
        try {
            return resolverFactory.getServiceResourceResolver(params);
        } catch (LoginException e) {
            logger.error("error due to : {}", e.getMessage(), e);
        }

        return null;
    }

    @Override
    public ResourceResolver getResourceResolverWriter() {
        Map<String, Object> params = new HashMap<>();
        params.put(resolverFactory.SUBSERVICE, "writer-user");
        try {
            return resolverFactory.getServiceResourceResolver(params);
        } catch (LoginException e) {
            logger.error("error due to : {}", e.getMessage(), e);
        }

        return null;
    }

}

 You can replicate this service user from author. and for extra permissions you can use the netcentric acl tool. Or you can set permissions manualy.