
SOLVED

AEM6 - User is member of two groups which have rules that exclude each other


Level 3

Hi everyone

I'm currently having a problem with permissions for a user who is a member of two groups which have read rules that exclude the other group.

E.g. the structure might be /content/internet/country1/... and /content/internet/country2/... For both countries there is a reader group that has read rights for the respective country while all other countries are denied (e.g. 100-reader-country1 can only read /content/internet/country1/... & 100-reader-country2 can only read /content/internet/country2/...). There are other groups like 200-contributor-country1 (inherits from 100-reader-country1 and adds write/update/delete rights) and 300-approver-country1 (inherits from 200-contributor-country1 and adds replication rights). This is working fine as long as a user is only a member of a group that belongs to a single country. As soon as such a user is a member of two different country groups he is denied access to both countries (e.g. 100-reader-country1 denies him read access to /content/internet/country2/... and 100-reader-country2 denies him read access to /content/internet/country1/...).

Is there a way to allow a user who is a member of 300-approver-country1 & 300-approver-country2 access to those two country sites w/o creating an extra group for this use case?

Any help is much appreciated.

1 Accepted Solution


Correct answer by
Employee

Hi,

As per [1], you should use deny sparingly. Usually I would give read rights to a group [2], groupA, groupB for:

/content/site/A

/content/site/B

There is no need to deny groupB, as it has no access rights on site A by default. In this way if you have a user that requires access to both sites, you simply add them to both groups. Or am I missing something in your requirements?

Regards,

Opkar


[1] https://docs.adobe.com/docs/en/cq/5-6-1/administering/security.html

[2] https://docs.adobe.com/docs/en/cq/5-6-1/administering/security.html#Best%20Practices


8 Replies



Level 3

Dear Opkar,

Thank you very much for your response. However, I am still not sure how this is supposed to work. Let's take a vanilla AEM6 instance and take a look at /content/geometrixx. Let's assume we would like to have language-dependent user groups:

- group E can read /content/geometrixx/en but none of the other languages

- group D can read /content/geometrixx/de but none of the other languages

- group F can read /content/geometrixx/fr but none of the other languages

In this case it would not be enough to just grant them the read rights to the aforementioned nodes (/en, /de, /fr). They will also need to be able to read /content and /content/geometrixx. As soon as I grant them the read rights for /content, the read rights get inherited by the child nodes and the users of those two groups can read all languages and not just the one they got assigned to by group membership.

I am not sure what I am missing here. How can I assign read rights for those language nodes to user groups without the usage of deny rules?

Thank you very much for your help.


Level 10

In this case, it depends on the order in which the rules are applied.

You can understand this by looking at the rep:policy node at each of your project nodes and the order of permissions applied under each of these policy nodes.


Level 3

Hi bsloki,

Thanks for the response. Unfortunately I'm still not sure how to solve my initial question. Let's assume we have assigned the permissions in the correct order and everything is working fine. My requirement is now to have single users that are members of group E and D. Both groups have mutually exclusive permissions and I cannot see how the order would make a difference then.

My actual situation is even more complex than this. We have several companies (aka brands) which have multiple country sites each. Usually authors are assigned to one country of one company/brand. But some power users are allowed to take care of multiple countries (e.g. all German speaking countries, all French speaking countries, all countries in Southern America ...) of a single brand. And then there are even more advanced power users which are even allowed to edit content across company/brand borders (e.g. edit the content of the website of a certain country across all companies/brands). And to top it off there is also a distinction between readers (R), contributors (CRUD) and approvers (CRUD + replicate).

Keeping track of the right order for the whole set of possible combinations is probably close to impossible or at least impracticable for sure. Since I doubt that we are the first to have such requirements I was hoping that someone else had already solved this problem. But based on your answers I fear the only practical solution is to create specialized user groups for the power users and only use inheritance for authors that work within a single country.

If I understood something wrong that you've tried to tell me please feel free to correct me. I'm eager to hear a better solution if there is any.

Cheers & thanks for your help,


Employee Advisor

Hi,

The problem is that you put all your ACLs into single groups, which of course leads to contradictory permissions. Let's try this approach:

  • Create a "deny-all" group, which implements deny-read to /content/internet/* (basically all countries)
  • Create a "read-country-A" group, which has read permissions to /content/internet/countryA
  • Create a "read-country-B" group, which has read permissions on /content/internet/countryB

Now the situation is much easier, because you can easily model your requirements. Every user will be in group "deny-all" by default, and this group is at the very top of the group list. That means that every different ACL added by another group overwrites it.

And this is what the best practices are: have a "deny all" group in front of every other group, and then have groups which only add permissions on top. In that case you just have to make sure that the "deny-all" is the very first one, and for the others the order doesn't matter.

HTH,
Jörg
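The following is an added example, not code from the thread or from AEM: a small Python model of ordered access-control evaluation that contrasts the original layout from the question (each country group denies the other country) with the deny-all-first layout described above. It assumes that later entries in a node's policy override earlier ones and deeper nodes override ancestors; the group names "deny-all", "read-country-1", "read-country-2" and "everyone", the "/content/internet" paths and the descendants-only flag (standing in for a rep:glob "/*" restriction) are constructed for the illustration.

```python
"""Constructed, simplified model of ordered JCR access-control evaluation.
Assumptions (not AEM/Oak code): within one rep:policy node, later entries
override earlier ones; entries on a deeper node override an ancestor's;
no matching entry means deny."""


def can_read(policies, principals, path):
    """Walk from the root down to `path`, letting each matching entry
    overwrite the decision. An entry may be flagged descendants-only,
    mirroring a rep:glob "/*" restriction that leaves the node itself alone."""
    decision = False
    parts = path.strip("/").split("/")
    for depth in range(len(parts) + 1):
        node = "/" + "/".join(parts[:depth])
        for principal, allow, *flags in policies.get(node, []):
            descendants_only = bool(flags and flags[0])
            if principal not in principals:
                continue
            if descendants_only and depth == len(parts):
                continue  # restriction excludes the node itself
            decision = allow
    return decision


# The poster's layout: each country group allows its own country and denies
# the other one. Entries appear in the order they were added to the policy.
ORIGINAL = {
    "/content": [("100-reader-country1", True), ("100-reader-country2", True)],
    "/content/internet/country1": [("100-reader-country1", True),
                                   ("100-reader-country2", False)],
    "/content/internet/country2": [("100-reader-country2", True),
                                   ("100-reader-country1", False)],
}

# The deny-all-first layout: a single deny on /content/internet/* listed
# before the additive per-country allows. "everyone" read on /content is an
# assumption so the tree stays reachable for every reader.
RECOMMENDED = {
    "/content": [("everyone", True)],
    "/content/internet": [("deny-all", False, True)],  # descendants only
    "/content/internet/country1": [("read-country-1", True)],
    "/content/internet/country2": [("read-country-2", True)],
}


def readable_countries(policies, principals):
    """Which country sites can a user with these group principals read?"""
    return sorted(c for c in ("country1", "country2")
                  if can_read(policies, principals, f"/content/internet/{c}/home"))
```

With the original layout a user in both reader groups ends up with no readable country, because whichever deny was added later wins; with the deny-all-first layout the same user reads both, and a user in only "deny-all" reads neither.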


Employee

Hi,

Here is an article which explains a solution for a scenario similar to yours [1]; it also builds on Jörg's explanation.

Regards,

Opkar

[1] http://aempodcast.com/2015/permissions/setting-permissions-smooth-aem-authoring-experience/#.VeVbb9N...


Level 10

I agree with @josh. 'Deny' first is the approach we need to follow.


Level 3

Hi,

Thank you all very much for your help. I will have a look at the podcast and the deny-all approach and hopefully will get this resolved. I'll report back once I have checked all the info you gave me and done some testing.

Thank you guys.

Cheers