Expand my Community achievements bar.

Apply folder permission

Avatar

Level 4

 

We’re working on a project that requires a new folder to be created under /conf/project2, and we need to grant read permissions (ACL) to all users via code or OSGi configuration.

For this use case, do we need to create a new system user with read permissions for the required path?

Could you please share a sample implementation to handle this scenario?

10 Replies

Avatar

Community Advisor

@s1101v 

 

It depends on your use-case & how the ACLs are maintained by your project today.

 

Regarding type of user: Who should be able to access this /conf node? Is it a service or is it a normal user?

Depending on your answer, you should provide access. A service would use a system user.

 

How to set ACL?

How are the ACLs being set by your project? Prefer following the same approach.

If its a new project then you have multiple options:

- Netcentric ACL Tools (In this case ACLs are added to the codebase via YAML files)

- The repo-init scripts. These are OSGI configurations.

 

The details on tools and their comparison is available here: https://techrevel.blog/2024/03/04/from-setup-to-migration-the-best-tools-for-acl-management-in-aem/ 

 


Aanchal Sikka

Avatar

Level 4

Thank you for your reply. This is not a new project; we are simply adding a new folder to the existing one. The access is only required for normal users, who need read permissions. Additionally, we are not using Netcentric ACL tools in our project. Could you please advise on how to handle this use case?

Avatar

Community Advisor

@s1101v  - Can you please mention the use case that, like you want to access the templates/CF or anything specific inside the /conf folder. You could give permissions to users to specific template or CF Model from User Management.

Avatar

Level 4

Actually, we need to grant access through code rather than manually via user management.

Avatar

Community Advisor

Hi @s1101v 

 

Here are few important points while handling users, groups and permissions in AEM:

 

1. System user is created in case there is a requirement to read/write/update anything in repository using your code within bundle to handle some use cases.

2. User mapping OSGI configuration is required to use that system user permission in your code.

3. If permissions are required only to access repo or some part of repo directly by user after user logins then you create a non system user.

4. Now, if a same set of permissions are shared by more than one user, then it is best to create a group and grant required permissions to group and add users as its members.

 

Sample code to create get system user in AEM can be through resourceResolverFactory and you can refer ACS commons code for creation of folder:

https://github.com/Adobe-Consulting-Services/acs-aem-commons/blob/master/bundle/src/main/java/com/ad...

 

public static ResourceResolver getResourceResolver(final ResourceResolverFactory resourceResolverFactory,
final String subService) {
ResourceResolver resourceResolver = null;
if (null != resourceResolverFactory && null != subService) {
try {
final Map<String, Object> authInfo = new HashMap<>();
authInfo.put(ResourceResolverFactory.SUBSERVICE, subService);
resourceResolver = resourceResolverFactory.getServiceResourceResolver(authInfo);
} catch (final LoginException loginException) {
LOGGER.error(
"getResourceResolver() : Exception while getting resource resolver for subservice {} : {}",
subService, loginException);
}
}
return resourceResolver;
}


Avatar

Level 4

Thank you for your reply. The access is required for the end-user accessing the site, and we only need to provide read access to the path /conf/project1. Regarding the suggestion below, do we need to create a non-system user for this use case?

"3. If permissions are required only to access repo or some part of repo directly by user after user logins then you create a non system user."

Avatar

Community Advisor

Hi @s1101v 

 

If access is required by end user, then user is required to login or not?
1. If user is required to login and then need access, create a user group and add users to that group.

2. If user will not login, then user belongs to everyone group and you need to grand read permissions to everyone group. But do think twice if you are required to provide read access to /conf/project directly or if possible provide access to its sub folders or only to sub folders which require the access. 


 

Hope it resolves the issue.

Thanks

Nupur

Avatar

Community Advisor

Hi @s1101v - If I understand your question correctly. The end user browsing the site needs to read some data stored under the /conf/project2?

 

If yes - you can simply create a system user with a read access to the desired folder and use it to obtain a Service Resource Resolver object that can render the desired data and present to the user browsing the site. Here's an example of how to achieve that: https://medium.com/@toimrank/aem-service-user-mapping-and-resourceresolver-bd4a15d8cff2

 

Pls do let me know, if my understanding here is incorrect.

 

Regards,

Avatar

Community Advisor

Hi @s1101v I hope I am not missing the context.

 

It seems we can use CUG applied to the folder and add a given user group to it. Assuming when user logs in via LDAP or similar mechanism their group can be identified and if the group is allowed for the folder it will allow access to contents under /conf/project1. For others it should redirect as per permissions.