Adobe Experience Manager Sites & More

JoseManuel121 · 2/19/24

Hi guys.

We have a servlet in the publishing environment that creates users and groups, in Aem Cloud Service.

We are using a service user: "myServiceUser", it is included in the administrators group.

Map<String, Object> param = new HashMap<>();
param.put(ResourceResolverFactory.SUBSERVICE,"myService");
ResourceResolver resourceResolver = resourceResolverFactory.getServiceResourceResolver(param);
session = resourceResolver.adaptTo(Session.class);
userManager= resourceResolver.adaptTo(UserManager.class);
// resourceResolver.getUserID(), return = "myServiceUser"
User user=userManager.createUser("myname","mypwd");
This last line of code throws an exception, the message is: javax.jcr.AccessDeniedException: Missing permission to create intermediate authorizable folders.

Do you know why this error occurs? The service user "myServiceUser" is included in the AEM administrators group.

Regards, and thank you very much.

Imran__Khan · 2/19/24

@JoseManuel121 Looks like system usesr "myServiceUser" not having read/write access to /home/users folder.

View solution in original post

Jagadeesh_Prakash · 2/19/24

@JoseManuel121 Below example worked for me

if(userManager.getAuthorizable(userName)==null){
     User user=userManager.createUser(userName, password,new SimplePrincipal(userName),"/home/users/test");
     Value value=adminSession.getValueFactory().createValue("Issac", PropertyType.STRING);
     user.setProperty("./profile/familyName", value);

https://www.albinsblog.com/2015/04/how-to-craetemanage-groups-and-users-java-adobecq5.html

Refer the code form here. Let me know the output

JoseManuel121 · 2/19/24

Thank you very much Jagadeesh_Prakash

The page you refer as an example, the problem is that it is using:
ResourceResolver adminResolver = resolvFactory.getAdministrativeResourceResolver(null);
This method is deprecated (getAdministrativeResourceResolver).

Following Adobe's good practices, operations must be performed with a service user and not with an administrative session.

Best regards

Imran__Khan · 2/19/24

@JoseManuel121 Looks like system usesr "myServiceUser" not having read/write access to /home/users folder.

JoseManuel121 · 2/19/24

Thank you very much Imran Khan

We have included the user myServiceUser in the AEM administrators group. Is it necessary to create a specific ACL for the user myServiceUser?

Best regards

Imran__Khan · 2/19/24

@JoseManuel121 Yes, this is a system user not a normal user which we can create through user admin, it is always better to apply specific required ACL policy to perform various operations over node.
Follow below link to ready more about system user:

https://medium.com/@toimrank/aem-system-user-27999b2eb0b7

JoseManuel121 · 2/19/24

We are testing on a local publish instance.
Our final solution is to create a group in the repoinit, with the necessary permissions so that it can access the resources and associate myServiceUser with this group.
As an initial test, we were associating the user myServiceUser to the administrators group to which it appears to have all the permissions.
Not creating specific ACLs for the myServiceUser user.

arunpatidar · 2/19/24

you need add myServiceUser in user-administrator group.

The myServiceUser user might be removed from the administrator group after the deployment, please check on publisher if membership exists of not from crxde or useradmin UI.

Arun Patidar

JoseManuel121 · 2/19/24

Thank you very much Arun Patidar

We are testing on a local publish instance.
Yes we have verified that you have all the permissions.

I tried with the user-administrator group, it didn't work, finally I had to add acl to MyServiceUser

Best regards

Adobe Experience Manager Sites & More

Create User and Groups with services user

Arun Patidar

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe