SOLVED

Content-Author Permissions


Level 1

Hello there,

I have read the docs below regarding user admin and security, but they seem a bit thin on real use-case examples.  I would like to remove admin access from my user and only allow them content-authoring access.  However, if I do so they cannot edit the page - it is blank, no sidekick, nothing.  Am I missing something obvious?

Many thanks,

Nick

http://dev.day.com/docs/en/cq/current/administering/security.html

http://dev.day.com/docs/en/cq/current/core/administering/user_group_ac_admin.html#How%20Access%20Rig...

1 Accepted Solution


Correct answer by
Level 8

I would recommend that you take a look at the access.log and see what path is generating a 404. Then go take a look at the user in question and see if you can see which group is causing a restriction to that path. 

One of the things that the LDAP connector will do is automatically add groups to users - it's possible that, if the LDAP connector is adding a new group to your LDAP users, that group might have deny permissions on it that are overriding the standard group permissions. 

Even if that's not it, the LDAP connector itself is unlikely to be causing this; either permissions of the existing groups have been changed somehow, or the LDAP connector is adding groups to the users and those groups are overriding the standard groups. So I would look at the users in question and verify that their group assignments are unchanged and that they still have all the right groups and don't have any new groups. 


7 Replies


Level 8

So are you talking about changing the user's group assignments? When you removed the administrator group did you replace it with another group (like contributor)? If you want the user to be able to edit a page they have to be a member of at least one group that has read and modify permissions for the page in question.  


Level 1

Thanks for replying.

Yes, group assignments.  The user is a member of contributors and authors, which have read and modify permissions to the content/website folder and subfolders. When I log in, the siteadmin page is blank, and if I go to http://localhost:4502/cf#/content/site it too is blank.  However, if I log in as admin both these pages are displayed.  Do permissions need to be applied anywhere else?  I am only using the geometrixx website.  Thanks again.


Level 8

The author also needs to have access to the application bits that render the content for authoring, so that means all the geometrixx apps, page components, etc, also the website admin app under /libs....

 

scott


Level 1

Thanks Scott.

Could you be more specific with regard to the dir locations?

It seems that the problem started when I enabled LDAP logins.  Since then the existing author/contributor groups don't work as they did beforehand.  Any ideas? 


Level 8

I'm not familiar with LDAP integration so I won't be able to help much, except to do the obvious and point you to the LDAP docs:

https://dev.day.com/docs/en/cq/current/core/administering/ldap_authentication.html#Setting%20Access%...

 

scott


Level 1

Thanks for the response.  The user is a member of content-authors and when I access http://usb-aemaut01:4502/cf#/content/geometrixx-outdoors/en.html I see a load of 304 responses, apart from at the end where there is a 404 on a security node.

10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /libs/cq/security/userinfo.json?cq_ck=1378991255127 HTTP/1.1" 404 1435 "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"

I'm a bit stumped really.  This is all out of the box stuff apart from the ldap enabled service.

Any help much appreciated.

10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /cf HTTP/1.1" 200 58091 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /etc/clientlibs/granite/clientlibrarymanager.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /etc/clientlibs/foundation/jquery.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /etc/clientlibs/granite/jquery.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /etc/clientlibs/foundation/shared.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /etc/clientlibs/granite/jquery/granite.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /etc/clientlibs/granite/utils.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /libs/cq/ui/rte.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /libs/cq/ui/widgets.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /libs/cq/searchpromote/widgets.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /libs/cq/tagging/widgets.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /libs/cq/security/widgets.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /libs/mcm/emailservice-clientlib.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /libs/cq/personalization/audiencemanager/widgets.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /libs/cq/cloudserviceconfigs/widgets.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /libs/dam/components/scene7/widgets.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /libs/media/publishing/widgets.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /etc/clientlibs/granite/jquery-ui.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /etc/clientlibs/foundation/personalization/jcarousel.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /etc/clientlibs/granite/underscore.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /etc/clientlibs/foundation/personalization/kernel.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /etc/clientlibs/foundation/personalization/select2.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /etc/clientlibs/foundation/personalization/ui.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /libs/cq/personalization/widgets.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /libs/cq/analytics/widgets.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /libs/cq/security/widgets/themes/default.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /libs/cq/ui/widgets/themes/default.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /libs/cq/tagging/widgets/themes/default.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /libs/commerce/widgets.js HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /libs/cq/security/userinfo.json?cq_ck=1378991255127 HTTP/1.1" 404 1435 "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
10.24.206.76 - nicholas.carn 12/Sep/2013:09:07:34 -0400 "GET /libs/cq/i18n/dict.en.json HTTP/1.1" 304 - "http://usb-aemaut01:4502/cf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
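
The access.log check recommended in the accepted answer, as an added Python example that is not part of the original thread. It goes one step beyond the posts by comparing the restricted user against a baseline account, so paths that fail for both (genuinely absent) are not reported. The function names, sample lines, user names, address and host are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Layout of the access.log lines quoted in this thread:
# ip - user timestamp tz "METHOD target PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \S+ [+-]\d{4} '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse(lines):
    """Yield (user, path, status) for each matching line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            # Drop the query string (e.g. the cq_ck cache-buster) so repeated
            # requests for the same node collapse onto one path.
            yield m["user"], urlsplit(m["target"]).path, int(m["status"])

def blocked_for(lines, user, baseline="admin"):
    """Paths that return 403/404 for `user` but succeed (<400) for `baseline`.

    A node the session may not read looks the same as a missing one (404),
    so the baseline comparison separates ACL gaps from absent content.
    """
    seen = defaultdict(lambda: defaultdict(set))  # path -> user -> statuses
    for who, path, status in parse(lines):
        seen[path][who].add(status)
    blocked = []
    for path, by_user in sorted(seen.items()):
        failed = by_user.get(user, set()) & {403, 404}
        worked = any(s < 400 for s in by_user.get(baseline, ()))
        if failed and worked:
            blocked.append((path, sorted(failed)))
    return blocked

# Constructed sample in the thread's log layout (users and host are made up).
SAMPLE = '''\
192.0.2.10 - admin 12/Sep/2013:09:01:02 -0400 "GET /libs/cq/security/userinfo.json?cq_ck=1 HTTP/1.1" 200 512 "http://author.example:4502/cf" "UA"
192.0.2.10 - admin 12/Sep/2013:09:01:02 -0400 "GET /libs/cq/ui/widgets.js HTTP/1.1" 304 - "http://author.example:4502/cf" "UA"
192.0.2.10 - admin 12/Sep/2013:09:01:03 -0400 "GET /content/missing.html HTTP/1.1" 404 1435 "-" "UA"
192.0.2.11 - author1 12/Sep/2013:09:07:34 -0400 "GET /libs/cq/ui/widgets.js HTTP/1.1" 304 - "http://author.example:4502/cf" "UA"
192.0.2.11 - author1 12/Sep/2013:09:07:34 -0400 "GET /libs/cq/security/userinfo.json?cq_ck=2 HTTP/1.1" 404 1435 "http://author.example:4502/cf" "UA"
192.0.2.11 - author1 12/Sep/2013:09:07:35 -0400 "GET /content/missing.html HTTP/1.1" 404 1435 "-" "UA"
not an access.log line
'''

if __name__ == "__main__":
    for path, statuses in blocked_for(SAMPLE.splitlines(), "author1"):
        print(path, statuses)
```

Each path it reports is a place to compare the effective permissions of the user's groups, as the accepted answer suggests.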