Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
BedrockMission!

Learn more

View all

Sign in to view all badges

SOLVED

AEM 6.3 Cannot create groups with service user

Greg_Fullard
Level 2
Level 2

Hoping someone on here can help me out of a conundrum.

We are trying to remove all Admin sessions from our application, but are stuck with a few due to JCR Access Denied exceptions. Specifically, when we try to create AEM groups or users with a service user we get an Access Denied exception. Here is a piece of code written to isolate the problem:

private void testUserCreation2() {
  String groupName = "TestingGroup1";
  Session session = null;
  ResourceResolver resourceResolver = null;
  String createdGroupName = null;
  try {
      Map<String, Object> param = new HashMap<String, Object>();
      param.put(ResourceResolverFactory.SUBSERVICE, "userManagementService");
      resourceResolver = resourceResolverFactory.getServiceResourceResolver(param);
      session = resourceResolver.adaptTo(Session.class);

      // Create UserManager Object
      final UserManager userManager = AccessControlUtil.getUserManager(session);

      // Create a Group
      LOGGER.info("Attempting to create group: "+groupName+" with user "+session.getUserID());
      if (userManager.getAuthorizable(groupName) == null) {

          Group createdGroup = userManager.createGroup(new Principal() {
          
            @Override
            public String getName() {
              return groupName;
            }
          }, "/home/groups/testing");
          
          createdGroupName = createdGroup.getPath();
          session.save();

          LOGGER.info("Group successfully created: "+createdGroupName);
      } else {
          LOGGER.info("Group already exists");
      }
  } catch (Exception e) {
      LOGGER.error("Error while attempting to create group.",e);
  } finally {
      if (session != null && session.isLive()) {
          session.logout();
      }
      if (resourceResolver != null)
          resourceResolver.close();
  }      
}

Notice that I'm using a subservice name titled userManagementService, which maps to a user titled fwi-admin-user. Since fwi-admin-user is a service user, I cannot add it to the administrators group (This seems to be a design limitation on AEM). However, I have confirmed that the user has full permissions to the entire repository via the useradmin UI.

Unfortunately, I still get the following error when I invoke this code:

2020-06-22 17:46:56.017 INFO [za.co.someplace.forms.core.servlets.IntegrationTestServlet] Attempting to create group: TestingGroup1 with user fwi-admin-user 2020-06-22 17:46:56.025 ERROR [za.co.someplace.forms.core.servlets.IntegrationTestServlet] Error while attempting to create group. javax.jcr.AccessDeniedException: OakAccess0000: Access denied at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231) at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:670) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:496)

Is this an AEM bug, or am I doing something wrong here?

Thanks in advance

1 Accepted Solution
Arun_Patidar
Correct answer by
Community Advisor
Community Advisor

Your service user should be part of user-administrators group or administrator group to do user management task.

View solution in original post

3 Replies
Arun_Patidar
Correct answer by
Community Advisor
Community Advisor

Your service user should be part of user-administrators group or administrator group to do user management task.

View solution in original post

Greg_Fullard
Level 2
Level 2
Tx Arun. Weirdly, I was NOT able to add my user to the administrators froup using the old useradmin interface (It didn't give an error, but simply did not persist). However when doing it via the user management section of the new Admin interface it work well. Really appreciate.
Arun_Patidar
Community Advisor
Community Advisor
I know, if you add administrator group to user, it will not reflect but if you add user to administrator group then it works with old/classic UI as well.