Hi guys.
We have a servlet in the publishing environment that creates users and groups, in Aem Cloud Service.
We are using a service user: "myServiceUser", it is included in the administrators group.
Map<String, Object> param = new HashMap<>();
param.put(ResourceResolverFactory.SUBSERVICE,"myService");
ResourceResolver resourceResolver = resourceResolverFactory.getServiceResourceResolver(param);
session = resourceResolver.adaptTo(Session.class);
userManager= resourceResolver.adaptTo(UserManager.class);
// resourceResolver.getUserID(), return = "myServiceUser"
User user=userManager.createUser("myname","mypwd");
This last line of code throws an exception, the message is: javax.jcr.AccessDeniedException: Missing permission to create intermediate authorizable folders.
Do you know why this error occurs? The service user "myServiceUser" is included in the AEM administrators group.
Regards, and thank you very much.
Solved! Go to Solution.
Views
Replies
Total Likes
@JoseManuel121 Looks like system usesr "myServiceUser" not having read/write access to /home/users folder.
@JoseManuel121 Below example worked for me
if(userManager.getAuthorizable(userName)==null){
User user=userManager.createUser(userName, password,new SimplePrincipal(userName),"/home/users/test");
Value value=adminSession.getValueFactory().createValue("Issac", PropertyType.STRING);
user.setProperty("./profile/familyName", value);
https://www.albinsblog.com/2015/04/how-to-craetemanage-groups-and-users-java-adobecq5.html
Refer the code form here. Let me know the output
Thank you very much Jagadeesh_Prakash
The page you refer as an example, the problem is that it is using:
ResourceResolver adminResolver = resolvFactory.getAdministrativeResourceResolver(null);
This method is deprecated (getAdministrativeResourceResolver).
Following Adobe's good practices, operations must be performed with a service user and not with an administrative session.
Best regards
@JoseManuel121 Looks like system usesr "myServiceUser" not having read/write access to /home/users folder.
Thank you very much Imran Khan
We have included the user myServiceUser in the AEM administrators group. Is it necessary to create a specific ACL for the user myServiceUser?
Best regards
@JoseManuel121 Yes, this is a system user not a normal user which we can create through user admin, it is always better to apply specific required ACL policy to perform various operations over node.
Follow below link to ready more about system user:
We are testing on a local publish instance.
Our final solution is to create a group in the repoinit, with the necessary permissions so that it can access the resources and associate myServiceUser with this group.
As an initial test, we were associating the user myServiceUser to the administrators group to which it appears to have all the permissions.
Not creating specific ACLs for the myServiceUser user.
you need add myServiceUser in user-administrator group.
The myServiceUser user might be removed from the administrator group after the deployment, please check on publisher if membership exists of not from crxde or useradmin UI.
Thank you very much Arun Patidar
We are testing on a local publish instance.
Yes we have verified that you have all the permissions.
I tried with the user-administrator group, it didn't work, finally I had to add acl to MyServiceUser
Best regards