1. What is the best means of providing granular access at the page level?
2. What is the best means of providing access down to the field level?
3. What is the difference between ACLs and ACPs (i.e. Access Control Policies)?
I'm assuming that in most general cases, using ACLs is the best option to provide access to pages (i.e. by setting up groups, and then specifying the Actions allowed by that group), but depending on the requirements, in some cases it might be best to implement it in LDAP. If there are other architectural alternatives, please share them along with your recommendation for typical AEM best practice.
Hi,
To 1) and 2): Try to avoid putting access control down to a page level; it is possible and there are use cases for it, but doing so makes a lot of work for you to define, implement and maintain it. It is constant work! And while technically you can even implement access control down to a property level: Don't do it.
To 3): The term "ACL" in the AEM world is the only existing one; even though other products might have different approaches and implementations, ACLs as a list of ACEs is the only implementation.
ACLs are defined within the content and are not assigned and stored with the principal; so LDAP can be a very good choice as a protocol to connect to an external IDP, but it doesn't allow you to define ACLs.
Jörg
Thanks Jorg!
Jörg Hoh wrote...
Hi,
To 1) and 2): Try to avoid putting access control down to a page level; it is possible and there are use cases for it, but doing so makes a lot of work for you to define, implement and maintain it. It is constant work! And while technically you can even implement access control down to a property level: Don't do it.
To 3): The term "ACL" in the AEM world is the only existing one; even though other products might have different approaches and implementations, ACLs as a list of ACEs is the only implementation.
ACLs are defined within the content and are not assigned and stored with the principal; so LDAP can be a very good choice as a protocol to connect to an external IDP, but it doesn't allow you to define ACLs.
Jörg
Jorg, can you or someone else give a couple of examples of the constant work that would be required for page level access? What types of events or changes trigger work? E.g., for page level access, you'd have to do it for every new page? Is that what you're referring to? Please give additional examples (especially real-life ones) if you have them.
If you really do need page level access control, is there a better way than implementing ACLs on a page? What is the best practice for use cases where that level of security is really required?
Hi,
If you want to use ACLs per page as a general solution for your use case, you'll run into problems.
I don't have good real-life examples for complex permission systems, because I always tell customers to avoid them. Implement what's necessary and make sure that your content structure supports your permission structure. Then it is often the case that after the initial setup of permissions no adjustments to them are required for quite some time, until requirements change.
So can you elaborate on your use case? I would like to understand the details and the reason why you think that page-level ACLs are the best solution for it.
Cheers,
Jörg
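An added illustration (not part of the thread, and not AEM or Oak code) of the points above that ACLs live on content nodes and that the content structure should carry the permission structure. It is a simplified model in which the nearest ancestor node holding an entry for a principal decides access; the paths, group names and evaluation rule are assumptions, and real Oak evaluation also involves privileges, restrictions and entry order.

```python
from posixpath import dirname

def effective_allow(acls, principal, path):
    """Walk from the page up to the root; the closest node with an entry
    for this principal decides. No entry anywhere means no access."""
    node = path
    while True:
        entry = acls.get(node, {})
        if principal in entry:
            return entry[principal]
        if node == "/":
            return False
        node = dirname(node)

def exposed(acls, principal, restricted_pages):
    """Audit helper: restricted pages that the principal can still read."""
    return [p for p in restricted_pages if effective_allow(acls, principal, p)]

# Constructed sample data; all paths and group names are hypothetical.
# Layout 1: restricted pages live under their own subtree with one deny entry.
BY_STRUCTURE = {
    "/content/site": {"employees": True, "hr-staff": True},
    "/content/site/hr": {"employees": False},
}
# Layout 2: restricted pages sit among public ones, each with its own entry.
PER_PAGE = {
    "/content/site": {"employees": True, "hr-staff": True},
    "/content/site/salaries-2023": {"employees": False},
}

def demo():
    # An author adds a "salaries-2024" page in each layout and nobody edits
    # the ACLs. Only the per-page layout leaves the new page readable.
    by_structure = exposed(BY_STRUCTURE, "employees", [
        "/content/site/hr/salaries-2023",
        "/content/site/hr/salaries-2024",
    ])
    per_page = exposed(PER_PAGE, "employees", [
        "/content/site/salaries-2023",
        "/content/site/salaries-2024",
    ])
    return by_structure, per_page

if __name__ == "__main__":
    print(demo())
```

In the per-page layout every new restricted page needs its own entry before it is protected, which is the recurring maintenance the answer warns about.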