AEM 6.3 Cannot create groups with service user
June 22, 2020
Solved

  • 1 reply
  • 1908 views

Hoping someone on here can help me out of a conundrum.

We are trying to remove all Admin sessions from our application, but are stuck with a few due to JCR Access Denied exceptions. Specifically, when we try to create AEM groups or users with a service user we get an Access Denied exception. Here is a piece of code written to isolate the problem:

private void testUserCreation2() {
  String groupName = "TestingGroup1";
  Session session = null;
  ResourceResolver resourceResolver = null;
  String createdGroupName = null;
  try {
      Map<String, Object> param = new HashMap<String, Object>();
      param.put(ResourceResolverFactory.SUBSERVICE, "userManagementService");
      resourceResolver = resourceResolverFactory.getServiceResourceResolver(param);
      session = resourceResolver.adaptTo(Session.class);

      // Create UserManager Object
      final UserManager userManager = AccessControlUtil.getUserManager(session);

      // Create a Group
      LOGGER.info("Attempting to create group: "+groupName+" with user "+session.getUserID());
      if (userManager.getAuthorizable(groupName) == null) {

          Group createdGroup = userManager.createGroup(new Principal() {
          
            @Override
            public String getName() {
              return groupName;
            }
          }, "/home/groups/testing");
          
          createdGroupName = createdGroup.getPath();
          session.save();

          LOGGER.info("Group successfully created: "+createdGroupName);
      } else {
          LOGGER.info("Group already exists");
      }
  } catch (Exception e) {
      LOGGER.error("Error while attempting to create group.",e);
  } finally {
      if (session != null && session.isLive()) {
          session.logout();
      }
      if (resourceResolver != null)
          resourceResolver.close();
  }      
}

Notice that I'm using a subservice name titled userManagementService, which maps to a user titled fwi-admin-user. Since fwi-admin-user is a service user, I cannot add it to the administrators group (This seems to be a design limitation on AEM). However, I have confirmed that the user has full permissions to the entire repository via the useradmin UI.

Unfortunately, I still get the following error when I invoke this code:

2020-06-22 17:46:56.017 INFO [za.co.someplace.forms.core.servlets.IntegrationTestServlet] Attempting to create group: TestingGroup1 with user fwi-admin-user
2020-06-22 17:46:56.025 ERROR [za.co.someplace.forms.core.servlets.IntegrationTestServlet] Error while attempting to create group.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:670)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:496)

Is this an AEM bug, or am I doing something wrong here?

Thanks in advance


arunpatidar (Community Advisor), accepted solution
June 22, 2020

Your service user should be part of the user-administrators group or administrator group to do user management tasks.

Arun Patidar
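
A pre-flight diagnostic for the situation in this thread, as an added example that is not part of the original posts: it logs the groups the service user belongs to and whether Oak's `rep:userManagement` privilege is effective at the parent path. The class and method names are hypothetical, and the parent path (for example `/home/groups`) is assumed to exist.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.jcr.base.util.AccessControlUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical helper: reports why a service session may be denied user management. */
public final class UserManagementPreflight {
    private static final Logger LOGGER = LoggerFactory.getLogger(UserManagementPreflight.class);
    // Oak privilege required to create or remove users and groups.
    private static final String USER_MGMT = "rep:userManagement";

    private UserManagementPreflight() {}

    /**
     * @param session    session adapted from the service resource resolver
     * @param parentPath existing node under which the group will be created
     * @return true if the session holds rep:userManagement at parentPath
     */
    public static boolean canManageUsers(Session session, String parentPath)
            throws RepositoryException {
        UserManager userManager = AccessControlUtil.getUserManager(session);
        Authorizable self = userManager.getAuthorizable(session.getUserID());
        List<String> groups = new ArrayList<>();
        if (self != null) { // null when the session cannot read its own user node
            for (Iterator<Group> it = self.memberOf(); it.hasNext();) {
                groups.add(it.next().getID());
            }
        }
        AccessControlManager acm = session.getAccessControlManager();
        Privilege[] needed = { acm.privilegeFromName(USER_MGMT) };
        // Evaluates the session's own effective privileges, including
        // those inherited through group membership.
        boolean granted = acm.hasPrivileges(parentPath, needed);
        LOGGER.info("user={} groups={} {} at {}: {}", session.getUserID(), groups,
                USER_MGMT, parentPath, granted ? "granted" : "MISSING");
        return granted;
    }
}
```

Called before `userManager.createGroup(...)`, this turns the opaque `OakAccess0000` raised at `session.save()` into a log line that names the missing privilege and shows the service user's current group memberships.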
Level 2
June 23, 2020
Tx Arun. Weirdly, I was NOT able to add my user to the administrators group using the old useradmin interface (it didn't give an error, but simply did not persist). However, when doing it via the user management section of the new Admin interface it worked well. Really appreciate it.