Expand my Community achievements bar.

Learn about Edge Delivery Services in upcoming GEM session
Register!

Create User and assign Groups to the user using non-admin user.

Avatar

Level 2
Level 2
8/9/16 9:59:32 AM

Hi All,

Is there any way non-admin groups (Groups/Users doesn't belong to "administrator" group) can create user and assign/remove groups to the users. 

We have created few non-admin groups with users who has all the permissions in the repository but doesn't belong to "administrator" group. The Group/user also has jcr:all permission to the /home/groups and /home/users node. We logged-in as non-admin user and tried to assign some groups to the user in the User Admin console. But we are getting 403 Forbidden exception.

Please find the error stack below:

*ERROR* [0:0:0:0:0:0:0:1 [1470747656075] POST /home/groups/project/c5VRoi06-7UKF3dOMUJU.rw.userprops.html HTTP/1.1] com.adobe.granite.security.user.internal.servlets.AuthorizableServlet Error while processing AuthorizableServlet POST
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:670)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:496)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.performVoid(SessionImpl.java:419)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:274)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl.save(SessionImpl.java:416)
    at sun.reflect.GeneratedMethodAccessor44.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.sling.jcr.base.SessionProxyHandler$SessionProxyInvocationHandler.invoke(SessionProxyHandler.java:116)
    at com.sun.proxy.$Proxy7.save(Unknown Source)
    at com.adobe.granite.security.user.internal.servlets.AuthorizableServlet.doPost(AuthorizableServlet.java:728)
    at org.apache.sling.api.servlets.SlingAllMethodsServlet.mayService(SlingAllMethodsServlet.java:149)

 

Any help would be appreciated.

Thanks

Views

1.4K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
2 Replies

Avatar

Level 10
Level 10
8/9/16 10:16:55 AM

Hi,

You need to have admin privileges for creating any user or assign the groups to the users.

Check this documentation for more info: https://docs.adobe.com/docs/en/aem/6-2/administer/security/security.html

Thanks,
Ratna Kumar.

Views

870

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Administrator
Administrator
8/10/16 12:04:47 AM

Adding to Ratna's answer,

Best Practice:-

Avoid assigning access rights on a user-by-user basis. There are several reasons for this:

        You have many more users than groups, so groups simplify the structure.

        Groups help provide an overview over all accounts.

        Inheritance is simpler with groups.

        Users come and go. Groups are long-term.

So always assign Group to a User.

       
administratorsGroup

Group that gives administrator rights to all its members. Only admin is allowed to edit this group.

Has full access rights.

If you set a 'deny-everyone' on a node, the administrators will
only have access if it is enabled again for that group.

Reference Link:- https://docs.adobe.com/docs/en/aem/6-2/administer/security/security.html

Reference Link 2:- https://docs.adobe.com/docs/en/aem/6-2/administer/security/user-group-ac-admin.html

 

~kautuk



Kautuk Sahni

Views

870

Replies

0
Sign in to like this content

Total Likes

Translate
Translate