Expand my Community achievements bar.

Create User and assign Groups to the user using non-admin user.

Avatar

Level 2

Hi All,

Is there any way non-admin groups (Groups/Users doesn't belong to "administrator" group) can create user and assign/remove groups to the users. 

We have created few non-admin groups with users who has all the permissions in the repository but doesn't belong to "administrator" group. The Group/user also has jcr:all permission to the /home/groups and /home/users node. We logged-in as non-admin user and tried to assign some groups to the user in the User Admin console. But we are getting 403 Forbidden exception.

Please find the error stack below:

*ERROR* [0:0:0:0:0:0:0:1 [1470747656075] POST /home/groups/project/c5VRoi06-7UKF3dOMUJU.rw.userprops.html HTTP/1.1] com.adobe.granite.security.user.internal.servlets.AuthorizableServlet Error while processing AuthorizableServlet POST
javax.jcr.AccessDeniedException: OakAccess0000: Access denied

    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:670)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:496)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.performVoid(SessionImpl.java:419)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:274)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl.save(SessionImpl.java:416)
    at sun.reflect.GeneratedMethodAccessor44.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.sling.jcr.base.SessionProxyHandler$SessionProxyInvocationHandler.invoke(SessionProxyHandler.java:116)
    at com.sun.proxy.$Proxy7.save(Unknown Source)
    at com.adobe.granite.security.user.internal.servlets.AuthorizableServlet.doPost(AuthorizableServlet.java:728)
    at org.apache.sling.api.servlets.SlingAllMethodsServlet.mayService(SlingAllMethodsServlet.java:149)

 

Any help would be appreciated.

Thanks

2 Replies

Avatar

Level 10

Hi,

You need to have admin privileges for creating any user or assign the groups to the users.

Check this documentation for more info: https://docs.adobe.com/docs/en/aem/6-2/administer/security/security.html

Thanks,
Ratna Kumar.

Avatar

Administrator

Adding to Ratna's answer,

Best Practice:-

Avoid assigning access rights on a user-by-user basis. There are several reasons for this:

        You have many more users than groups, so groups simplify the structure.

        Groups help provide an overview over all accounts.

        Inheritance is simpler with groups.

        Users come and go. Groups are long-term.

So always assign Group to a User.

       
administratorsGroup

Group that gives administrator rights to all its members. Only admin is allowed to edit this group.

Has full access rights.

If you set a 'deny-everyone' on a node, the administrators will
only have access if it is enabled again for that group.

Reference Link:- https://docs.adobe.com/docs/en/aem/6-2/administer/security/security.html

Reference Link 2:- https://docs.adobe.com/docs/en/aem/6-2/administer/security/user-group-ac-admin.html

 

~kautuk



Kautuk Sahni