SOLVED

Combining User Roles and Permissions for multiple groups.

Hi,

I have a requirement that we need to combine 2 or 3 groups and create 1 user.

ex - User1, User2, User3

User1 has access to delete - delete allow

User2 does not have delete access - delete deny

But the requirement is that when we combine User1 and User2, the delete option should be there. But it is giving priority to deny.

I am using Netcentric AC tools and ... permissions are granted through a yaml file.

Is it possible to do something like this?

Thanks in advance

1 Accepted Solution

Correct answer by
Community Advisor

Hi @lone_Ranger
Not sure it is going to work with just merging groups.

You may need to separate a group for deny and add it only when needed.

Please check this https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem6-user-is-member-of-two...

Arun Patidar

2 Replies

Community Advisor

@lone_Ranger 

Adobe documentation asks to use Deny sparingly. As far as possible use only Allow.

If a user is a member of more than one group, the Deny statements from one group may cancel the Allow statement from another group or the opposite way. It is hard to keep an overview when such a thing happens and can easily lead to unforeseen results, whereas Allow assignments do not cause such conflicts.

Here is the reference doc for the above statement - https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/security

Here is a link for deny best practices - https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/security#best-prac...
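
A pre-deployment check for the situation both replies describe, as an added example that is not part of the original thread or of the AC Tool: it lists every user whose groups combine an allow and a deny for the same action on overlapping paths. The group names, paths and dictionary layout are constructed assumptions that loosely mirror path/permission/actions entries; the script only flags the overlap and does not model how the repository resolves it.

```python
from itertools import permutations, product

# Constructed sample data (assumption): group -> list of ACEs, loosely mirroring
# the path / permission / actions fields of an access-control YAML file.
GROUP_ACES = {
    "site-editors": [{"path": "/content/site", "permission": "allow", "actions": {"read", "delete"}}],
    "site-reviewers": [{"path": "/content/site", "permission": "allow", "actions": {"read"}},
                       {"path": "/content/site/en", "permission": "deny", "actions": {"delete"}}],
    "site-readers": [{"path": "/content/site", "permission": "allow", "actions": {"read"}}],
}
# Constructed sample data (assumption): user -> groups the user is a member of.
USER_GROUPS = {
    "user3": ["site-editors", "site-reviewers"],
    "user4": ["site-editors", "site-readers"],
}


def paths_overlap(a, b):
    """True when one path equals the other or is an ancestor of it."""
    a, b = a.rstrip("/"), b.rstrip("/")
    return a == b or a.startswith(b + "/") or b.startswith(a + "/")


def find_conflicts(user_groups, group_aces):
    """Return sorted (user, action, allow_group, deny_group, deny_path) tuples."""
    conflicts = set()
    for user, groups in user_groups.items():
        # Check every ordered pair so each group is tried as the allowing side.
        for ga, gd in permutations(groups, 2):
            allows = [e for e in group_aces.get(ga, []) if e["permission"] == "allow"]
            denies = [e for e in group_aces.get(gd, []) if e["permission"] == "deny"]
            for allow, deny in product(allows, denies):
                if paths_overlap(allow["path"], deny["path"]):
                    for action in allow["actions"] & deny["actions"]:
                        conflicts.add((user, action, ga, gd, deny["path"]))
    return sorted(conflicts)


if __name__ == "__main__":
    for c in find_conflicts(USER_GROUPS, GROUP_ACES):
        print("conflict: user=%s action=%s allow_group=%s deny_group=%s deny_path=%s" % c)
```

An empty result for a user means that user's group memberships contain no allow/deny pair on the same action, which is the state the "use only Allow" advice aims for.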