Expand my Community achievements bar.

SOLVED

Create User and Groups with services user

Avatar

Level 2

Hi guys.

We have a servlet in the publishing environment that creates users and groups, in Aem Cloud Service.

We are using a service user: "myServiceUser", it is included in the administrators group.

 

Map<String, Object> param = new HashMap<>();
param.put(ResourceResolverFactory.SUBSERVICE,"myService");
ResourceResolver resourceResolver = resourceResolverFactory.getServiceResourceResolver(param);
session = resourceResolver.adaptTo(Session.class);
userManager= resourceResolver.adaptTo(UserManager.class);
// resourceResolver.getUserID(), return = "myServiceUser"
User user=userManager.createUser("myname","mypwd");
This last line of code throws an exception, the message is: javax.jcr.AccessDeniedException: Missing permission to create intermediate authorizable folders.

Do you know why this error occurs? The service user  "myServiceUser" is included in the AEM administrators group.

 

Regards, and thank you very much.

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

@JoseManuel121 Looks like system usesr "myServiceUser" not having read/write access to /home/users folder.

 

imran__khan_0-1708357956839.png

 

View solution in original post

8 Replies

Avatar

Community Advisor

@JoseManuel121  Below example worked for me 

 if(userManager.getAuthorizable(userName)==null){
       User user=userManager.createUser(userName, password,new SimplePrincipal(userName),"/home/users/test");
       Value value=adminSession.getValueFactory().createValue("Issac", PropertyType.STRING);
       user.setProperty("./profile/familyName", value);

 

https://www.albinsblog.com/2015/04/how-to-craetemanage-groups-and-users-java-adobecq5.html

 

Refer the code form here. Let me know the output

Avatar

Level 2

Thank you very much Jagadeesh_Prakash

The page you refer as an example, the problem is that it is using:
ResourceResolver adminResolver = resolvFactory.getAdministrativeResourceResolver(null);
This method is deprecated (getAdministrativeResourceResolver).

Following Adobe's good practices, operations must be performed with a service user and not with an administrative session.

Best regards

Avatar

Correct answer by
Community Advisor

@JoseManuel121 Looks like system usesr "myServiceUser" not having read/write access to /home/users folder.

 

imran__khan_0-1708357956839.png

 

Avatar

Level 2

Thank you very much Imran Khan

We have included the user myServiceUser in the AEM administrators group. Is it necessary to create a specific ACL for the user myServiceUser?


Best regards

Avatar

Community Advisor

@JoseManuel121 Yes, this is a system user not a normal user which we can create through user admin, it is always better to apply specific required ACL policy to perform various operations over node.
Follow below link to ready more about system user:

https://medium.com/@toimrank/aem-system-user-27999b2eb0b7

Avatar

Level 2

We are testing on a local publish instance.
Our final solution is to create a group in the repoinit, with the necessary permissions so that it can access the resources and associate myServiceUser with this group.
As an initial test, we were associating the user myServiceUser to the administrators group to which it appears to have all the permissions.
Not creating specific ACLs for the myServiceUser user.

 

Avatar

Community Advisor

you need add myServiceUser in user-administrator group.

The myServiceUser user might be removed from the administrator group after the deployment, please check on publisher if membership exists of not from crxde or useradmin UI.



Arun Patidar

Avatar

Level 2

Thank you very much Arun Patidar

We are testing on a local publish instance.
Yes we have verified that you have all the permissions.

JoseManuel121_0-1708361495738.png

 

I tried with the user-administrator group, it didn't work, finally I had to add acl to MyServiceUser

Best regards