Expand my Community achievements bar.

AEM permission changes are not taking effect

Avatar

Level 2

Hi All,

 

We have observed one issue where the permission changes on a particular path are not getting saved or not able to overwrite permission changes.

Consider there are two paths within DAM pathA and pathB. When we add permission changes to any of the group on pathA the changes work and for pathB it's not working.

Ex:

/content/dam/site/categoryOne/pathA

/content/dam/site/categoryOne/pathB

 

The group hierarchical order is groupOne->parentGroup->everyone

everyone -> deny for for Read, Modify, Create operations

parentGroup -> deny for Read, Allow for Modify, Create operations

 

When we try to provide the read permission with groupOne to the pathA it works properly

for pathB the read option set doesn't work. The read permission is non effective on pathB for groupOne.

In AEM the effective permission take effective by considering the local entry first and then hierarchical permissions.

Somehow it's not working and we don't see any errors in the logs as well. We did try with giving read permission from parentGroup on pathB but still it's not working. 

Has anyone faced this kind of issue and how can we fix this?

 

Thanks

 

7 Replies

Avatar

Community Advisor

@user00295 : Can you please confirm if this is correct

parentGroup -> deny for Read, Allow for Modify, Create operations

You have set Deny for Read and Allowed to Modify and Create, this doesn't seem right. Can you remove this Deny for read as this should not have any effect.

Also, check if the user you are checking with has any permission given outside of Group as well.

In general re-check if this is being followed: https://experienceleague.adobe.com/docs/experience-manager-65/content/security/user-group-ac-admin.h...

thanks.

Avatar

Level 2

Hi Kamal,

 

We have tried correcting the parentGroup permission to have read operation changed to "Allow" but somehow it is also not taking effective or save is happening for this as well.

The path /content/dam/site/categoryOne/pathB has "deny" as effective and "read" as non effective permission. So we tried setting the parentGroup with read permission but still the change is not happening or not taking effective.

The changes are done form an admin account.

the document shared is also referred and as per the doc the local permission should take precedence but it's not happening.

 

Thanks

 

Avatar

Community Advisor

Is there any other group which may be overriding these permissions?

Avatar

Community Advisor

Hi @user00295 

  1. Verify the permission inheritance: Check if the permission inheritance is correctly set up for both pathA and pathB. Ensure that the parent folders have the appropriate permissions set and that the inheritance is enabled for the child folders.

  2. Check for conflicting permissions: Make sure there are no conflicting permissions set on the pathB or its parent folders. Conflicting permissions can override the desired permissions. Check if there are any deny permissions set at a higher level that might be affecting the effective permissions on pathB.

  3. Check the permission order: Verify the order of the permission entries for the groupOne and parentGroup. Ensure that the permission entry for groupOne is listed before the parentGroup in the permission order. The effective permissions are determined based on the order of the permission entries.

  4. Test with a different user/group: Try applying the read permission to pathB for a different user or group to see if the issue is specific to groupOne or if it affects all permissions on pathB. This can help identify if the issue is related to the specific group or if it is a broader issue.

  5. Check for custom code or workflows: If you have any custom code or workflows that modify permissions, review them to ensure they are not interfering with the permission changes on pathB. Check for any custom logic that might be overriding or conflicting with the desired permissions.

  6. Review logs and error messages: Check the AEM logs for any relevant error messages or warnings related to permissions. Enable debug logging if necessary to get more detailed information about the permission changes and their effectiveness.



Avatar

Level 2

Hi @Raja_Reddy ,

 

Thanks for the detailed checks to be performed.

  1. Permission inheritance is there for both pathA and pathB
  2. Deny permissions are not explicitly set means there are no "deny" entries in rep:Policy but default permission when "read" or any operation is not checked 
  3. Order is groupOne->parentGroup->everyone
  4. Tested with other groups and it seems for pathB the response if same for others groups as well 
  5. No custom code or workflows that modify the permissions
  6. Errors or exceptins are not thrown while modifying the permissios.
    1. .cqactions gives 200 response after update and payload also has all the requested changes

 

Avatar

Administrator

@user00295 Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.



Kautuk Sahni

Avatar

Level 2

Hi @kautuk_sahni ,

 

The suggestions were helpful but the issue remains same and have got Adobe support engaged to get the issue resolved. Will update here after the fix.