Apply folder permission

@s1101v 

It depends on your use-case & how the ACLs are maintained by your project today.

Regarding type of user: Who should be able to access this /conf node? Is it a service or is it a normal user?

Depending on your answer, you should provide access. A service would use a system user.

How to set ACL?

How are the ACLs being set by your project? Prefer following the same approach.

If its a new project then you have multiple options:

- Netcentric ACL Tools (In this case ACLs are added to the codebase via YAML files)

- The repo-init scripts. These are OSGI configurations.

The details on tools and their comparison is available here: https://techrevel.blog/2024/03/04/from-setup-to-migration-the-best-tools-for-acl-management-in-aem/ 

@s1101v  - Can you please mention the use case that, like you want to access the templates/CF or anything specific inside the /conf folder. You could give permissions to users to specific template or CF Model from User Management.

Hi @s1101v 

Here are few important points while handling users, groups and permissions in AEM:

1. System user is created in case there is a requirement to read/write/update anything in repository using your code within bundle to handle some use cases.

2. User mapping OSGI configuration is required to use that system user permission in your code.

3. If permissions are required only to access repo or some part of repo directly by user after user logins then you create a non system user.

4. Now, if a same set of permissions are shared by more than one user, then it is best to create a group and grant required permissions to group and add users as its members.

Sample code to create get system user in AEM can be through resourceResolverFactory and you can refer ACS commons code for creation of folder:

https://github.com/Adobe-Consulting-Services/acs-aem-commons/blob/master/bundle/src/main/java/com/adobe/acs/commons/mcp/impl/processes/AssetFolderCreator.java

public static ResourceResolver getResourceResolver(final ResourceResolverFactory resourceResolverFactory,
                                                   final String subService) {
    ResourceResolver resourceResolver = null;
    if (null != resourceResolverFactory && null != subService) {
        try {
            final Map<String, Object> authInfo = new HashMap<>();
            authInfo.put(ResourceResolverFactory.SUBSERVICE, subService);
            resourceResolver = resourceResolverFactory.getServiceResourceResolver(authInfo);
        } catch (final LoginException loginException) {
            LOGGER.error(
                "getResourceResolver() : Exception while getting resource resolver for subservice {} : {}",
                subService, loginException);
        }
    }
    return resourceResolver;
}

Hi @s1101v - If I understand your question correctly. The end user browsing the site needs to read some data stored under the /conf/project2?

If yes - you can simply create a system user with a read access to the desired folder and use it to obtain a Service Resource Resolver object that can render the desired data and present to the user browsing the site. Here's an example of how to achieve that: https://medium.com/@toimrank/aem-service-user-mapping-and-resourceresolver-bd4a15d8cff2

Pls do let me know, if my understanding here is incorrect.

Regards,

Hi @s1101v I hope I am not missing the context.

It seems we can use CUG applied to the folder and add a given user group to it. Assuming when user logs in via LDAP or similar mechanism their group can be identified and if the group is allowed for the folder it will allow access to contents under /conf/project1. For others it should redirect as per permissions.

@s1101v Did you find the suggestions helpful? Please let us know if you need more information. If a response worked, kindly mark it as correct for posterity; alternatively, if you found a solution yourself, we’d appreciate it if you could share it with the community. Thank you!