Expand my Community achievements bar.

Adobe Summit 2025: AEM Session Recordings Are Live! Missed a session or want to revisit your favorites? Watch the latest recordings now.
Watch Now!

Mark Solution

This conversation has been locked due to inactivity. Please create a new post.

SOLVED

Closed User Group (CUG) not working as expected and allowing all users to login

Avatar

Level 3
Level 3
1/19/21 1:31:29 PM
 
 

I am testing out Closed User Group (CUG). I followed basic steps for adding CUG for a page (https://experienceleague.adobe.com/docs/experience-manager-64/administering/security/cug.html#securi...). After following the steps, it adds restrictions to the page and requires login to the page as expected. However, it allows every valid users to login in the page. 

 

To elaborate, if I have group G1 having user U1 part of group and add G1 under Closed User Group from page properties, it should only allow U1 to login to the restricted page. However, it allows other users (U2, U3 for example) as well to access CUG restricted page which is not an expected scenario. To summarize, it allows all valid users to login to the CUG restricted page. To add, I am testing from publisher side, so no dispatcher changes would come into affect here. 

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

Experience Manager

Views

1.9K

Replies

3
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 3
Level 3
2/15/21 12:43:29 PM

Adding my update for the issue for someone who visits this.

So, CUG will allow the users (U2, U3) to login and will not send error response for "authentication". And it will set the login-token cookie. However, since the user is not authorized to view the content for the page, it will show up 404 page. In your case, if you have setup a default 404 page, it will show up content from that page after setting the login-token cookie. Now since the default 404 page content might be part of /apps/<your-site>, you will need to give read permission (to U2 and U3, make sure you don't mess up ACLs on publishers) to that path as well (pretty much the issue I had where the 404 page content was not being rendered properly). 

To summarize, even if the user is not "authorized" to view the content since it is not part of group G1, it will set the login-token cookie but render 404 page. If the user is part of group G1, it will show up the content of the page. I had all the required permissions set from /content/ but read permission under /apps/<site> were missing which is holding some default designs.

View solution in original post

Views

1.7K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
3 Replies

Avatar

Level 10
Level 10
1/20/21 6:35:56 AM

Hi @chintan97patel,

Could you please share the level of permissions for U2 and U3 and its groups, if any associated to the same.

Also, just as an additional check, cross check the CUG group and its users/permissions from being in Publish instance. 

 

Views

1.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
1/21/21 10:46:42 AM

Hi,

Can you please confirm:

  • Page has only one group(G1), you can varify from crxde as wll the principals stored in rep:cugPolicy node
  • User U2 and U3 does not have any group(or at least Group G1)
  • anonymous user can't access the protected page as well
Arun Patidar

AEM LinksLinkedIn

Views

1.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Level 3
Level 3
2/15/21 12:43:29 PM

Adding my update for the issue for someone who visits this.

So, CUG will allow the users (U2, U3) to login and will not send error response for "authentication". And it will set the login-token cookie. However, since the user is not authorized to view the content for the page, it will show up 404 page. In your case, if you have setup a default 404 page, it will show up content from that page after setting the login-token cookie. Now since the default 404 page content might be part of /apps/<your-site>, you will need to give read permission (to U2 and U3, make sure you don't mess up ACLs on publishers) to that path as well (pretty much the issue I had where the 404 page content was not being rendered properly). 

To summarize, even if the user is not "authorized" to view the content since it is not part of group G1, it will set the login-token cookie but render 404 page. If the user is part of group G1, it will show up the content of the page. I had all the required permissions set from /content/ but read permission under /apps/<site> were missing which is holding some default designs.

Views

1.7K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
Custom Index not getting picked

Views

100

Like

1

Replies

4
Style Tab not visible in dialog when component is added using data-sly-resource

Views

70

Likes

0

Replies

1
Need best authentication model to access content

Views

71

Likes

0

Replies

1
How do access unifi's <<learningmanager.adobe.com/unifilearning>> at home? unable to access this website for some reason.

Views

72

Likes

0

Replies

2
Smart Crop auto not working in Core image v3 component

Views

79

Likes

0

Replies

1