Add user group access in publish environment | Community
Level 6
January 24, 2024
Solved

Add user group access in publish environment

  • January 24, 2024
  • 3 replies
  • 1091 views

I need to show some html content based on user's group. I am able to do this in author environment but how do I control it in publisher and domain level?

I am using a boolean variable in sightly to show/hide content. This variable is in sling model where I am checking user's group name.


3 replies

EstebanBustamante
Community Advisor and Adobe Champion
January 24, 2024

Hi,


I don't fully understand your question, but let me try to explain how this will work. In the Sling model, you can obtain the user who has started the session that reaches your Sling model. In other words, you can determine which user has logged into AEM, and thus, retrieve its details, such as the group[1]. If you use this same Sling model in the publish instance, you will have to "enable" AEM login publicly for this to work properly.

By default, in the publish instance, the anonymous user is the session used if no other user has started a session. That being said, if you need that Sling Model to work in publish, you will have to log into AEM. This scenario is how the WKND site works. You can refer to that if you need to mimic that functionality. If, on the other hand, you have a custom login, then you will have to rely on other methods to capture that user's information in the Sling model.


Hope this clarifies your doubts.

[1]. How to get the group in slingModel: https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/how-to-fetch-users-of-a-group-through-java-code/m-p/168443

[2]. WKND example: https://experienceleague.adobe.com/docs/experience-manager-learn/getting-started-wknd-tutorial-develop/overview.html

Esteban Bustamante
Level 4
January 25, 2024

Hi @estebanbustamante 

We don't have any login method enabled in publisher. In the Sling model I am checking for the user's group. Thanks, I will have to set up the login for the publish environment.

Raja_Reddy
Community Advisor
January 24, 2024

Hi @shaheena_sheikh 

Access Control Lists (ACLs) are available for replication. Please refer to the documentation around User Administration [1] and check for the "Replicate" action.

In addition to that, please make sure to manage your ACLs on a group level and avoid assigning permissions to single users (emphasizing/clearing). My recommendation is to start with the OOTB groups. Doing so, it is important to only deny on the initial level of your hierarchy (deny as much as possible without breaking anything with regards to general system functionality for the users). Starting from there, more specific groups should allow whatever is required for their respective business use cases. Avoid denying ACLs on deeper levels of the group hierarchy as this will make things much more complex and you might end up with unexpected results (although I admit that it's not 100% avoidable for certain, rare cases).

Hope that helps!

 

[1] https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security.html#a...

[2] https://sling.apache.org/documentation/bundles/repository-initialization.html

[3] https://github.com/Netcentric/accesscontroltool

[4] https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security.html?l...

kaikubad
Community Advisor
January 25, 2024

It's working on author because on author you are logged in as an admin, and admin has all the access.
On publish your user is anonymous, and when you are trying to read permissions the anonymous user doesn't have access to read user groups.

If you are using any login user then you can set permission from useradmin to the user group.

You can create a service/system user for this type of thing. And from the code you can read user groups using the service/system user.

Please check out this link https://experienceleague.adobe.com/docs/experience-manager-learn/forms/adaptive-forms/service-user-tutorial-develop.html?lang=en

Level 6
January 29, 2024

Hi @kaikubad,

If I create a service user, how can I use that in the publish env?

kaikubad
Community Advisor
Accepted solution
January 29, 2024

The component where we are using the service user.

import org.apache.commons.lang3.StringUtils;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component(service = AssetDownloadService.class)
public class AssetDownloadServiceImpl implements AssetDownloadService {

    protected static final Logger LOGGER = LoggerFactory.getLogger(AssetDownloadServiceImpl.class);

    @Reference
    private ResourceResolverService resourceResolverService;

    private boolean isAsset(String resourcePath, String propertyName) {
        // try-with-resources closes the service resolver even if an exception is thrown
        try (ResourceResolver resourceResolver = resourceResolverService.getResourceResolver()) {
            Resource resource = resourceResolver.getResource(resourcePath);
            if (resource == null) {
                return false;
            }
            String fileReference = resource.getValueMap().get(propertyName, StringUtils.EMPTY);
            Resource damImageResource = resourceResolver.getResource(fileReference);
            // isBynderAsset(...) is a helper of the same class that is not shown in the post
            return isBynderAsset(damImageResource);
        } catch (RuntimeException ex) {
            LOGGER.error("Exception occurred in isBynderAsset due to {}", ex.getMessage(), ex);
        }
        return false;
    }
}

The ResourceResolverService

import java.util.HashMap;
import java.util.Map;

import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.osgi.framework.Constants;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component(service = ResourceResolverService.class,
           property = { Constants.SERVICE_DESCRIPTION + "=ResourceResolver Provider for Service User" })
public class ResourceResolverServiceImpl implements ResourceResolverService {

    @Reference
    ResourceResolverFactory resolverFactory;

    private final Logger logger = LoggerFactory.getLogger(ResourceResolverServiceImpl.class);

    @Override
    public ResourceResolver getResourceResolver() {
        return getServiceResolver("reader-user");
    }

    @Override
    public ResourceResolver getResourceResolverWriter() {
        return getServiceResolver("writer-user");
    }

    // The caller owns the returned resolver and must close it (e.g. try-with-resources).
    // null is returned when the subservice is not mapped to a system user on this instance.
    private ResourceResolver getServiceResolver(String subservice) {
        Map<String, Object> params = new HashMap<>();
        params.put(ResourceResolverFactory.SUBSERVICE, subservice);
        try {
            return resolverFactory.getServiceResourceResolver(params);
        } catch (LoginException e) {
            logger.error("error due to : {}", e.getMessage(), e);
        }
        return null;
    }
}

You can replicate this service user from author, and for extra permissions you can use the Netcentric ACL tool. Or you can set permissions manually.
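Worked example, added here as an editor's illustration and not code from the thread or from any of the posters: a Sling Model that puts together the two points made above, Esteban's (read the user of the current request in the Sling model and look at its groups) and kaikubad's accepted answer (on publish that lookup has to go through a service user, because the anonymous session cannot read /home/groups). The names below are assumptions: the subservice "reader-user" is taken from kaikubad's code, while the group "content-viewers", the component property "allowedGroup", the bundle symbolic name "com.example.myproject.core", the repoinit script and the service-user mapping in the header comment are all made up for the example. The repoinit script and the mapper amendment are the part that answers "how can I use that in publish": they ship with the code package and run on every instance, so the service user and its ACLs exist on publish without replicating anything from author.

```java
// Added example, not from the thread. Assumed deploy-time setup (repoinit, runs on author and publish):
//
//   create service user reader-user with path system/cq:services/myproject
//   set ACL for reader-user
//       allow jcr:read on /home/users,/home/groups
//   end
//
// and an assumed ServiceUserMapper amendment
// (org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~myproject.cfg.json):
//   user.mapping=["com.example.myproject.core:reader-user=[reader-user]"]
//
// Least privilege: the service user only needs jcr:read under /home, nothing on /content.
package com.example.myproject.core.models;

import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

import javax.annotation.PostConstruct;
import javax.jcr.RepositoryException;

import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.models.annotations.DefaultInjectionStrategy;
import org.apache.sling.models.annotations.Model;
import org.apache.sling.models.annotations.injectorspecific.OSGiService;
import org.apache.sling.models.annotations.injectorspecific.Self;
import org.apache.sling.models.annotations.injectorspecific.ValueMapValue;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Model(adaptables = SlingHttpServletRequest.class,
       defaultInjectionStrategy = DefaultInjectionStrategy.OPTIONAL)
public class GroupGatedContentModel {

    private static final Logger LOG = LoggerFactory.getLogger(GroupGatedContentModel.class);
    private static final String SUBSERVICE = "reader-user"; // assumed subservice name

    @Self
    private SlingHttpServletRequest request;

    @OSGiService
    private ResourceResolverFactory resolverFactory;

    // Group allowed to see the content, e.g. "content-viewers"; read from the component's
    // "allowedGroup" property (assumed name) so authors can configure it per component.
    @ValueMapValue
    private String allowedGroup;

    private boolean visible;

    @PostConstruct
    protected void init() {
        // The request's resolver tells us WHO is asking; on publish this is "anonymous"
        // unless a login (e.g. the WKND-style one) has established a session.
        visible = isMember(request.getResourceResolver().getUserID(), allowedGroup);
    }

    /** Used from HTL: data-sly-test="${model.visible}". */
    public boolean isVisible() {
        return visible;
    }

    /**
     * Fail closed: no group configured, no authenticated user, or any lookup problem
     * all hide the content rather than show it.
     */
    boolean isMember(String userId, String groupId) {
        if (groupId == null || groupId.isEmpty() || userId == null || "anonymous".equals(userId)) {
            return false;
        }
        Map<String, Object> auth = new HashMap<>();
        auth.put(ResourceResolverFactory.SUBSERVICE, SUBSERVICE);
        // The membership lookup runs as the service user, not as the request user, because on
        // publish the request user (and certainly anonymous) cannot read /home/groups.
        try (ResourceResolver serviceResolver = resolverFactory.getServiceResourceResolver(auth)) {
            UserManager userManager = serviceResolver.adaptTo(UserManager.class);
            if (userManager == null) {
                LOG.warn("Service resolver could not be adapted to UserManager");
                return false;
            }
            Authorizable user = userManager.getAuthorizable(userId);
            if (user == null || user.isGroup()) {
                return false;
            }
            // memberOf() includes transitive membership (groups nested in groups).
            Iterator<Group> groups = user.memberOf();
            while (groups.hasNext()) {
                if (groupId.equals(groups.next().getID())) {
                    return true;
                }
            }
            return false;
        } catch (LoginException e) {
            LOG.error("Service user '{}' is not mapped or cannot log in: {}", SUBSERVICE, e.getMessage());
            return false;
        } catch (RepositoryException e) {
            LOG.error("Group lookup failed for user {}: {}", userId, e.getMessage());
            return false;
        }
    }
}
```

In HTL the component wraps the gated markup in data-sly-test="${model.visible}", so the HTML is never sent to the browser for users outside the group (hiding it with CSS would not be access control). Two checks worth doing on publish before calling this done: first, request the page anonymously (for example with curl, no cookies) and confirm the gated markup is absent; second, make sure the page or component is not served from the Dispatcher cache, otherwise the first rendering for a group member gets cached and handed to everyone who asks for the same URL afterwards.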