Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

base permissions to custom group - AEM screen empty

Avatar

Level 5

hi all,

I have given the below yaml config for base group but it is throwing up an empty page on /aem/start.html - Any help?

- group_config:
- proj-base:
path: equinix
- ace_config:
- proj-base:
- path: /
permission: allow
privileges: jcr:read
repGlob: ""
- path: /libs
permission: allow
privileges: jcr:read
- path: /apps
permission: allow
privileges: jcr:read
- path: /var
permission: allow
privileges: jcr:read
- path: /etc
permission: allow
privileges: jcr:read
- path: /home
permission: allow
privileges: jcr:read
- path: /conf
permission: allow
privileges: jcr:read
repGlob: ""
- path: /content
permission: allow
privileges: jcr:read
- path: /content/dam
permission: allow
privileges: jcr:read
repGlob: ""
- path: /content
permission: deny
privileges: jcr:removeNode,jcr:removeChildNodes,crx:replicate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor

@aem_noob - Please remove and re-test

- path: /libs/cq/core/content/nav/tools/security
permission: deny
privileges: jcr:read

View solution in original post

10 Replies

Avatar

Community Advisor

Hello @aem_noob 

 

I guess you are trying to use Netcentric ACL Tool.

It should execute the yaml file soon after deployment. Or by trigerring it manually via Security > Netcentric ACL Tool 

reference:https://blogs.perficient.com/2020/04/23/getting-started-with-the-netcentric-access-control-tool/

 

Also, for creating Base groups, try to reuse OOTB AEM groups like authors, contributors etc. This will assure you have the basic permissions needed for browsing through the UI. 


Aanchal Sikka

Avatar

Level 5

The yaml is being executed but the console is empty. We have been asked to give allow permissions at root level to all the parent folders & not use OTB groups.

Avatar

Community Advisor

These permissions are working fine for a base group as validated on a netcentric.

Do you have some other permissions as well on your YAML file?

Can you attach the logs from the server?

Avatar

Level 5
- path: /content/dam/collections
permission: allow
privileges: jcr:write,crx:replicate
- path: /libs/dam/gui/content/reports
permission: allow
privileges: jcr:read
- path: /libs/dam/gui/content/nav/tools/assets/assetreports
permission: allow
privileges: jcr:read
- path: /libs/cq/core/content/nav/tools/security
permission: deny
privileges: jcr:read
- path: /libs/cq/workflow/admin/console/content
permission: deny
privileges: jcr:read
- path: /libs/cq/workflow/admin/console/content/instances
permission: allow
privileges: jcr:read
- path: /libs/cq/workflow/admin/console/content/models
permission: deny
privileges: jcr:read

Avatar

Correct answer by
Community Advisor

@aem_noob - Please remove and re-test

- path: /libs/cq/core/content/nav/tools/security
permission: deny
privileges: jcr:read

Avatar

Community Advisor

@aem_noob 

 

If you have a Cloud instance, you would not be able to set permissions via Netcentric on any /libs path.

 

For /libs, please use repo-init scripts


Aanchal Sikka

Avatar

Level 5

I am able to restrict read access for various tools and options via netcentric @aanchal-sikka

Avatar

Community Advisor

Thanks @aem_noob for sharing the information. Glad to know that Netcentric also works with /libs on AEMaaCS server


Aanchal Sikka

Avatar

Administrator

@aem_noob Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.



Kautuk Sahni