AEM6 - User is member of two groups which have rules that exclude each other | Community
Skip to main content
johndoe42
johndoe42
Level 2
October 16, 2015
Solved

AEM6 - User is member of two groups which have rules that exclude each other

  • October 16, 2015
  • 8 replies
  • 2764 views

Hi everyone

I'm currently having a problem with permissions for a user who is a member of two groups which have read rules that exclude the other group.

E. g. the structure might be /content/internet/country1/... and /content/internet/country2/... For both countries there is a reader group that has read rights for the respective country while all other countries are denied (e.g. 100-reader-country1 can only read /content/internet/country1/.. & 100-reader-country2 can only read /content/internet/country2/...). There are other groups like 200-contributor-country1 (inherites from 100-reader-country1 and adds write/update/delete rights) and 300-approver-country1 (inherits from 200-contributor-country1 and adds replication rights) . This is working fine as long as a user is only a member of a group that belongs to a single country. As soon as such a user is a member of two different country groups he gets denied to both countries (e.g. 100-reader-country1 denies him to read /content/internet/country2/... and 100-reader-country2 denies him to read /content/internet/country1/...).

Is there a way to allow a user who is a member of 300-approver-country1 & 300-approver-country2 access to those two country sites w/o creating an extra group for this use case? 

Any help is much appreciated.

    This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
    Best answer by ogill

    Hi,

    as per [1], you should use deny sparingly. Usually I would give read rights to a group[2], groupA, groupB for:

    /content/site/A

    /content/site/B

    There is no need to deny groupB, as it has no access rights on site A by default. In this way if you have a user that requires access to both sites, you simply add them to both groups. Or am I missing something in your requirements?

    Regards,

    Opkar

     

    [1] https://docs.adobe.com/docs/en/cq/5-6-1/administering/security.html 

    [2] https://docs.adobe.com/docs/en/cq/5-6-1/administering/security.html#Best%20Practices

    8 replies

    O
    Adobe Employee
    ogillAdobe EmployeeAccepted solution
    Adobe Employee
    October 16, 2015

    Hi,

    as per [1], you should use deny sparingly. Usually I would give read rights to a group[2], groupA, groupB for:

    /content/site/A

    /content/site/B

    There is no need to deny groupB, as it has no access rights on site A by default. In this way if you have a user that requires access to both sites, you simply add them to both groups. Or am I missing something in your requirements?

    Regards,

    Opkar

     

    [1] https://docs.adobe.com/docs/en/cq/5-6-1/administering/security.html 

    [2] https://docs.adobe.com/docs/en/cq/5-6-1/administering/security.html#Best%20Practices

      johndoe42
      johndoe42Author
      Level 2
      October 16, 2015

      Dear Opkar

      Thank you very much for your response. However I am still not sure how this is supposed to work. Let's take a vanilla AEM6 instance and take a look at /content/geometrixx. Let's assume we would like to have language dependent user groups:

      - group E can read /content/geometrixx/en but none of the other languages

      - group D can read /content/geometrixx/de but none of the other languages

      - group F can read /content/geometrixx/fr but none of the other languages

      In this case it would not be enough to just grant them the read rights to the aforementioned nodes (/en,/de,/fr). They will also need to be able to read /content and /content/geometrixx. As soon as I grant them the read rights for /content the read rights get inherited by the child nodes and the users of those two groups can read all languages and not just the one they got assigned to by group membership. 

      I am not sure what I am missing here. How can I assign read rights for those language nodes to user groups without the usage of deny rules?

      Thank you very much for your help.

        Lokesh_Shivalingaiah
        Lokesh_Shivalingaiah
        Level 10
        October 16, 2015

        in this case, it depends on the order in which the rules are applied.

        You can understand this by looking at rep:policy node at each of your project node and the order of permissions applied under each of these policy node

        johndoe42
        johndoe42Author
        Level 2
        October 16, 2015

        Hi bsloki

        Thanks for the response. Unfortunately I'm still not sure how to solve my initial question. Let's assume we have assigned the permissions in the correct order and everything is working fine. My requirement is now to have single users that are members of group E and D. Both groups have mutually exclusive permissions and I cannot see how the order would make a difference then.

        My actual situation is even more complex than this. We have several companies (aka brands) which have multiple country sites each. Usually authors are assigned to one country of one company/brand. But some power users are allowed to take care of multiple countries (e.g. all German speaking countries, all French speaking countries, all countries in Southern America ...) of a single brand. And then there are even more advanced power users which are even allowed to edit content across company/brand borders (e.g. edit the content of the website of a certain country across all companies/brands). And to top it off there is also a distinction between readers (R), contributors (CRUD) and approvers (CRUD + replicate).

        Keeping track of the right order for the whole set of possible combinations is probably close to impossible or at least impractible for sure. Since I doubt that we are the first to have such requirements I was hoping that someone else had already solved this problem. But based on your answers I fear the only practical solution is to create specialized user groups for the power users and only use inheritance for authors that work within a single country.

        If I understood something wrong that you've tried to tell me please feel free to correct me. I'm eager to hear a better solution if there is any.

        Cheers & thanks for your help,

          joerghoh
          Adobe Employee
          joerghohAdobe Employee
          Adobe Employee
          October 16, 2015

          Hi,

          The problem is, that you put all your ACLs into single groups, which leads of course to contradicting permissions. Let's try this approach:

          • Create a "deny-all" group, which implements deny-read to /content/internet/* (basically all countries)
          • Create a "read-country-A" group, which has read permissions to /content/internet/countryA
          • Create a "read-country-b" group, which has read permissions on /content/internet/countryB

          Now the situation is much easier, because you easily model your requirements. Every user will be in group "deny-all" by default, and this group is the grouplist at the very top. That means, that every different ACL added by another group is overwriting it.

          And this is, what the best practices are: Have a "deny all" group in front of every other group, and then have groups, which only add permissions on top. In that case you just have to make sure, that the "deny-all" is the very first one, and for the others the order doesn't matter.

          HTH,
          Jörg

            O
            Adobe Employee
            ogillAdobe Employee
            Adobe Employee
            October 16, 2015

            Hi,

            here is an article which explains a solution for a scenario similar to yours[1], it also builds on Jeorg's explanation. 

            Regards,

            Opkar

            [1] http://aempodcast.com/2015/permissions/setting-permissions-smooth-aem-authoring-experience/#.VeVbb9NVhBc

            Lokesh_Shivalingaiah
            Lokesh_Shivalingaiah
            Level 10
            October 16, 2015

            I agree with @josh.. 'Deny' first is the approach we need to follow.

            johndoe42
            johndoe42Author
            Level 2
            October 16, 2015

            Hi

            Thank you all very much for your help. I will have a look at the postcast and the deny-all approach and hopefully will get this resolved. I'll report back once I checked all the info you gave me and did some testing.

            Thank you guys.

            Cheers

            Terms & ConditionsAccessibility statement

            Loading footer...