Hi All,
Is there any way non-admin groups (groups/users that don't belong to the "administrator" group) can create users and assign/remove groups for those users?
We have created a few non-admin groups with users who have all the permissions in the repository but don't belong to the "administrator" group. The group/user also has the jcr:all permission on the /home/groups and /home/users nodes. We logged in as a non-admin user and tried to assign some groups to the user in the User Admin console, but we are getting a 403 Forbidden exception.
Please find the error stack below:
*ERROR* [0:0:0:0:0:0:0:1 [1470747656075] POST /home/groups/project/c5VRoi06-7UKF3dOMUJU.rw.userprops.html HTTP/1.1] com.adobe.granite.security.user.internal.servlets.AuthorizableServlet Error while processing AuthorizableServlet POST
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:670)
at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:496)
at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.performVoid(SessionImpl.java:419)
at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:274)
at org.apache.jackrabbit.oak.jcr.session.SessionImpl.save(SessionImpl.java:416)
at sun.reflect.GeneratedMethodAccessor44.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.apache.sling.jcr.base.SessionProxyHandler$SessionProxyInvocationHandler.invoke(SessionProxyHandler.java:116)
at com.sun.proxy.$Proxy7.save(Unknown Source)
at com.adobe.granite.security.user.internal.servlets.AuthorizableServlet.doPost(AuthorizableServlet.java:728)
at org.apache.sling.api.servlets.SlingAllMethodsServlet.mayService(SlingAllMethodsServlet.java:149)
Any help would be appreciated.
Thanks
Hi,
You need to have admin privileges to create any user or to assign groups to users.
Check this documentation for more info: https://docs.adobe.com/docs/en/aem/6-2/administer/security/security.html
Thanks,
Ratna Kumar.
Adding to Ratna's answer,
Best Practice:-
Avoid assigning access rights on a user-by-user basis. There are several reasons for this:
You have many more users than groups, so groups simplify the structure.
Groups help provide an overview over all accounts.
Inheritance is simpler with groups.
Users come and go. Groups are long-term.
So always assign a group to a user.
administrators | Group | Group that gives administrator rights to all its members. Only admin is allowed to edit this group. Has full access rights. | If you set a 'deny-everyone' on a node, the administrators will only have access if it is enabled again for that group. |
Reference Link:- https://docs.adobe.com/docs/en/aem/6-2/administer/security/security.html
Reference Link 2:- https://docs.adobe.com/docs/en/aem/6-2/administer/security/user-group-ac-admin.html
~kautuk