Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!

AEM permission changes are not taking effect

Avatar

Level 2
Level 2
2/12/24 2:13:07 AM

Hi All,

 

We have observed one issue where the permission changes on a particular path are not getting saved or not able to overwrite permission changes.

Consider there are two paths within DAM pathA and pathB. When we add permission changes to any of the group on pathA the changes work and for pathB it's not working.

Ex:

/content/dam/site/categoryOne/pathA

/content/dam/site/categoryOne/pathB

 

The group hierarchical order is groupOne->parentGroup->everyone

everyone -> deny for for Read, Modify, Create operations

parentGroup -> deny for Read, Allow for Modify, Create operations

 

When we try to provide the read permission with groupOne to the pathA it works properly

for pathB the read option set doesn't work. The read permission is non effective on pathB for groupOne.

In AEM the effective permission take effective by considering the local entry first and then hierarchical permissions.

Somehow it's not working and we don't see any errors in the logs as well. We did try with giving read permission from parentGroup on pathB but still it's not working. 

Has anyone faced this kind of issue and how can we fix this?

 

Thanks

 

Views

793

Replies

7
Sign in to like this content

Total Likes

Translate
Translate
7 Replies

Avatar

Community Advisor
Community Advisor
2/12/24 2:23:39 AM

@user00295 : Can you please confirm if this is correct

parentGroup -> deny for Read, Allow for Modify, Create operations

You have set Deny for Read and Allowed to Modify and Create, this doesn't seem right. Can you remove this Deny for read as this should not have any effect.

Also, check if the user you are checking with has any permission given outside of Group as well.

In general re-check if this is being followed: https://experienceleague.adobe.com/docs/experience-manager-65/content/security/user-group-ac-admin.h...

thanks.

Views

776

Replies

2
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
2/12/24 2:39:08 AM
In response to Kamal_Kishor

Hi Kamal,

 

We have tried correcting the parentGroup permission to have read operation changed to "Allow" but somehow it is also not taking effective or save is happening for this as well.

The path /content/dam/site/categoryOne/pathB has "deny" as effective and "read" as non effective permission. So we tried setting the parentGroup with read permission but still the change is not happening or not taking effective.

The changes are done form an admin account.

the document shared is also referred and as per the doc the local permission should take precedence but it's not happening.

 

Thanks

 

Views

765

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
2/12/24 3:37:58 AM
In response to user00295

Is there any other group which may be overriding these permissions?

Views

746

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
2/12/24 9:39:08 PM

Hi @user00295 

  1. Verify the permission inheritance: Check if the permission inheritance is correctly set up for both pathA and pathB. Ensure that the parent folders have the appropriate permissions set and that the inheritance is enabled for the child folders.

  2. Check for conflicting permissions: Make sure there are no conflicting permissions set on the pathB or its parent folders. Conflicting permissions can override the desired permissions. Check if there are any deny permissions set at a higher level that might be affecting the effective permissions on pathB.

  3. Check the permission order: Verify the order of the permission entries for the groupOne and parentGroup. Ensure that the permission entry for groupOne is listed before the parentGroup in the permission order. The effective permissions are determined based on the order of the permission entries.

  4. Test with a different user/group: Try applying the read permission to pathB for a different user or group to see if the issue is specific to groupOne or if it affects all permissions on pathB. This can help identify if the issue is related to the specific group or if it is a broader issue.

  5. Check for custom code or workflows: If you have any custom code or workflows that modify permissions, review them to ensure they are not interfering with the permission changes on pathB. Check for any custom logic that might be overriding or conflicting with the desired permissions.

  6. Review logs and error messages: Check the AEM logs for any relevant error messages or warnings related to permissions. Enable debug logging if necessary to get more detailed information about the permission changes and their effectiveness.



Views

715

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
2/15/24 3:47:29 AM
In response to Raja_Reddy

Hi @Raja_Reddy ,

 

Thanks for the detailed checks to be performed.

  1. Permission inheritance is there for both pathA and pathB
  2. Deny permissions are not explicitly set means there are no "deny" entries in rep:Policy but default permission when "read" or any operation is not checked 
  3. Order is groupOne->parentGroup->everyone
  4. Tested with other groups and it seems for pathB the response if same for others groups as well 
  5. No custom code or workflows that modify the permissions
  6. Errors or exceptins are not thrown while modifying the permissios.
    1. .cqactions gives 200 response after update and payload also has all the requested changes

 

Views

683

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Administrator
Administrator
2/16/24 2:44:17 AM

@user00295 Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.



Kautuk Sahni

Views

661

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
2/26/24 11:14:04 PM
In response to kautuk_sahni

Hi @kautuk_sahni ,

 

The suggestions were helpful but the issue remains same and have got Adobe support engaged to get the issue resolved. Will update here after the fix.

 

Views

586

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Adobe Developers Live, November 2024, Session | Extension Manager for AEM

Views

137

Likes

0

Replies

0
Adobe Developers Live, November 2024, Session | Bringing AI and Personalization to AEM Edge Delivery Services

Views

156

Likes

0

Replies

0
Rejection flow in AEM translation Project

Views

101

Likes

0

Replies

0
Adobe Developers Live, November 2024, On-Demand Session | Energizing Adobe Commerce with AEM Assets and Gen AI

Views

87

Likes

0

Replies

0
Adobe Developers Live, November 2024, On-Demand Session | CDN & WAF configuration in AEM Cloud Service

Views

77

Likes

0

Replies

0