Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

Difference between rep:Policy and rep:repoPolicy?

Avatar

Level 7

akshaybhujbale_0-1669800939966.png

1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Default ACL (rep:policy)

The default access control lists are bound to individual nodes. They may be used to grant/deny access for all operations that are in some way related to JCR items: regular read/write, access control management, versioning, locking and as of Oak 1.0 user management and writing index definitions.

Repo-Level ACL (/rep:repoPolicy)

The access control lists bound to the null path can be used to grant/deny privileges associated with operations on repository-level such as namespace, node type, privilege and workspace management.

The effect of these entries is limited to the repository operations and is no inherited to any items inside the repository.

Access control policies created and modified using the default authorization model are stored as child of the node they are bound to with name rep:policy or as node with path /rep:repoPolicy (for repo-level policies).

Examples
Regular ACL at /content
"": {
    "jcr:primaryType": "rep:root",
    "content": {
        "jcr:primaryType": "oak:Unstructured",
        "jcr:mixinTypes": "rep:AccessControllable",
        "rep:policy": {
            "jcr:primaryType": "rep:ACL",
            "allow": {
                "jcr:primaryType": "rep:GrantACE",
                "rep:principalName": "jackrabbit",
                "rep:privileges": ["jcr:read", "rep:write"]
            },
            "deny": {
                "jcr:primaryType": "rep:DenyACE",
                "rep:principalName": "jackrabbit",
                "rep:privileges": ["jcr:addNodes", "rep:addProperties"],
                "rep:restrictions" {
                    "jcr:primaryType": "rep:Restrictions",
                    "rep:ntNames": ["nt:hierarchyNode", "nt:resource"]
                }
            }
        }
    }
}
Repo-Level Policy
"": {
    "jcr:primaryType": "rep:root",
    "jcr:mixinTypes": "rep:RepoAccessControllable",
    "rep:repoPolicy": {
        "jcr:primaryType": "rep:ACL",
        "allow": {
            "jcr:primaryType": "rep:GrantACE",
            "rep:principalName": "elefant",
            "rep:privileges": ["rep:privilegeManagement"]
        }
    }
}


Please refer for information
https://jackrabbit.apache.org/oak/docs/security/accesscontrol/default.html
Hope this is helpful

View solution in original post

4 Replies

Avatar

Community Advisor

Hi

 

Access control policies created and modified using the default authorization model are stored as child of the node they are bound to with name rep:policy or as node with path /rep:repoPolicy (for repo-level policies).

 

you will get more details on this url

Ref : https://jackrabbit.apache.org/oak/docs/security/accesscontrol/default.html

 

hope this help to understand.

 

Thanks

Avatar

Community Advisor

@akshaybhujbale

Additionally, you can refer to this document - https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/user-group-ac-a...

The main difference b/w the two is rep:repoPolicy applies to the repository, whereas the other associates with path.

Avatar

Correct answer by
Community Advisor
Default ACL (rep:policy)

The default access control lists are bound to individual nodes. They may be used to grant/deny access for all operations that are in some way related to JCR items: regular read/write, access control management, versioning, locking and as of Oak 1.0 user management and writing index definitions.

Repo-Level ACL (/rep:repoPolicy)

The access control lists bound to the null path can be used to grant/deny privileges associated with operations on repository-level such as namespace, node type, privilege and workspace management.

The effect of these entries is limited to the repository operations and is no inherited to any items inside the repository.

Access control policies created and modified using the default authorization model are stored as child of the node they are bound to with name rep:policy or as node with path /rep:repoPolicy (for repo-level policies).

Examples
Regular ACL at /content
"": {
    "jcr:primaryType": "rep:root",
    "content": {
        "jcr:primaryType": "oak:Unstructured",
        "jcr:mixinTypes": "rep:AccessControllable",
        "rep:policy": {
            "jcr:primaryType": "rep:ACL",
            "allow": {
                "jcr:primaryType": "rep:GrantACE",
                "rep:principalName": "jackrabbit",
                "rep:privileges": ["jcr:read", "rep:write"]
            },
            "deny": {
                "jcr:primaryType": "rep:DenyACE",
                "rep:principalName": "jackrabbit",
                "rep:privileges": ["jcr:addNodes", "rep:addProperties"],
                "rep:restrictions" {
                    "jcr:primaryType": "rep:Restrictions",
                    "rep:ntNames": ["nt:hierarchyNode", "nt:resource"]
                }
            }
        }
    }
}
Repo-Level Policy
"": {
    "jcr:primaryType": "rep:root",
    "jcr:mixinTypes": "rep:RepoAccessControllable",
    "rep:repoPolicy": {
        "jcr:primaryType": "rep:ACL",
        "allow": {
            "jcr:primaryType": "rep:GrantACE",
            "rep:principalName": "elefant",
            "rep:privileges": ["rep:privilegeManagement"]
        }
    }
}


Please refer for information
https://jackrabbit.apache.org/oak/docs/security/accesscontrol/default.html
Hope this is helpful