Hi everyone
I'm currently having a problem with permissions for a user who is a member of two groups which have read rules that exclude the other group.
E. g. the structure might be /content/internet/country1/... and /content/internet/country2/... For both countries there is a reader group that has read rights for the respective country while all other countries are denied (e.g. 100-reader-country1 can only read /content/internet/country1/.. & 100-reader-country2 can only read /content/internet/country2/...). There are other groups like 200-contributor-country1 (inherites from 100-reader-country1 and adds write/update/delete rights) and 300-approver-country1 (inherits from 200-contributor-country1 and adds replication rights) . This is working fine as long as a user is only a member of a group that belongs to a single country. As soon as such a user is a member of two different country groups he gets denied to both countries (e.g. 100-reader-country1 denies him to read /content/internet/country2/... and 100-reader-country2 denies him to read /content/internet/country1/...).
Is there a way to allow a user who is a member of 300-approver-country1 & 300-approver-country2 access to those two country sites w/o creating an extra group for this use case?
Any help is much appreciated.
Solved! Go to Solution.
Hi,
as per [1], you should use deny sparingly. Usually I would give read rights to a group[2], groupA, groupB for:
/content/site/A
/content/site/B
There is no need to deny groupB, as it has no access rights on site A by default. In this way if you have a user that requires access to both sites, you simply add them to both groups. Or am I missing something in your requirements?
Regards,
Opkar
[1] https://docs.adobe.com/docs/en/cq/5-6-1/administering/security.html
[2] https://docs.adobe.com/docs/en/cq/5-6-1/administering/security.html#Best%20Practices
Hi,
as per [1], you should use deny sparingly. Usually I would give read rights to a group[2], groupA, groupB for:
/content/site/A
/content/site/B
There is no need to deny groupB, as it has no access rights on site A by default. In this way if you have a user that requires access to both sites, you simply add them to both groups. Or am I missing something in your requirements?
Regards,
Opkar
[1] https://docs.adobe.com/docs/en/cq/5-6-1/administering/security.html
[2] https://docs.adobe.com/docs/en/cq/5-6-1/administering/security.html#Best%20Practices
Dear Opkar
Thank you very much for your response. However I am still not sure how this is supposed to work. Let's take a vanilla AEM6 instance and take a look at /content/geometrixx. Let's assume we would like to have language dependent user groups:
- group E can read /content/geometrixx/en but none of the other languages
- group D can read /content/geometrixx/de but none of the other languages
- group F can read /content/geometrixx/fr but none of the other languages
In this case it would not be enough to just grant them the read rights to the aforementioned nodes (/en,/de,/fr). They will also need to be able to read /content and /content/geometrixx. As soon as I grant them the read rights for /content the read rights get inherited by the child nodes and the users of those two groups can read all languages and not just the one they got assigned to by group membership.
I am not sure what I am missing here. How can I assign read rights for those language nodes to user groups without the usage of deny rules?
Thank you very much for your help.
in this case, it depends on the order in which the rules are applied.
You can understand this by looking at rep:policy node at each of your project node and the order of permissions applied under each of these policy node
Views
Replies
Total Likes
Hi bsloki
Thanks for the response. Unfortunately I'm still not sure how to solve my initial question. Let's assume we have assigned the permissions in the correct order and everything is working fine. My requirement is now to have single users that are members of group E and D. Both groups have mutually exclusive permissions and I cannot see how the order would make a difference then.
My actual situation is even more complex than this. We have several companies (aka brands) which have multiple country sites each. Usually authors are assigned to one country of one company/brand. But some power users are allowed to take care of multiple countries (e.g. all German speaking countries, all French speaking countries, all countries in Southern America ...) of a single brand. And then there are even more advanced power users which are even allowed to edit content across company/brand borders (e.g. edit the content of the website of a certain country across all companies/brands). And to top it off there is also a distinction between readers (R), contributors (CRUD) and approvers (CRUD + replicate).
Keeping track of the right order for the whole set of possible combinations is probably close to impossible or at least impractible for sure. Since I doubt that we are the first to have such requirements I was hoping that someone else had already solved this problem. But based on your answers I fear the only practical solution is to create specialized user groups for the power users and only use inheritance for authors that work within a single country.
If I understood something wrong that you've tried to tell me please feel free to correct me. I'm eager to hear a better solution if there is any.
Cheers & thanks for your help,
Hi,
The problem is, that you put all your ACLs into single groups, which leads of course to contradicting permissions. Let's try this approach:
Now the situation is much easier, because you easily model your requirements. Every user will be in group "deny-all" by default, and this group is the grouplist at the very top. That means, that every different ACL added by another group is overwriting it.
And this is, what the best practices are: Have a "deny all" group in front of every other group, and then have groups, which only add permissions on top. In that case you just have to make sure, that the "deny-all" is the very first one, and for the others the order doesn't matter.
HTH,
Jörg
Hi,
here is an article which explains a solution for a scenario similar to yours[1], it also builds on Jeorg's explanation.
Regards,
Opkar
Views
Replies
Total Likes
I agree with @josh.. 'Deny' first is the approach we need to follow.
Views
Replies
Total Likes
Hi
Thank you all very much for your help. I will have a look at the postcast and the deny-all approach and hopefully will get this resolved. I'll report back once I checked all the info you gave me and did some testing.
Thank you guys.
Cheers
Views
Replies
Total Likes
Views
Likes
Replies
Views
Likes
Replies