SOLVED

Difference between rep:Policy and rep:repoPolicy?

Level 7

akshaybhujbale_0-1669800939966.png

1 Accepted Solution

Correct answer by
Level 9
Default ACL (rep:policy)

The default access control lists are bound to individual nodes. They may be used to grant/deny access for all operations that are in some way related to JCR items: regular read/write, access control management, versioning, locking and as of Oak 1.0 user management and writing index definitions.

Repo-Level ACL (/rep:repoPolicy)

The access control lists bound to the null path can be used to grant/deny privileges associated with operations on repository-level such as namespace, node type, privilege and workspace management.

The effect of these entries is limited to the repository operations and is not inherited to any items inside the repository.

Access control policies created and modified using the default authorization model are stored as child of the node they are bound to with name rep:policy or as node with path /rep:repoPolicy (for repo-level policies).

Examples
Regular ACL at /content
"": {
    "jcr:primaryType": "rep:root",
    "content": {
        "jcr:primaryType": "oak:Unstructured",
        "jcr:mixinTypes": "rep:AccessControllable",
        "rep:policy": {
            "jcr:primaryType": "rep:ACL",
            "allow": {
                "jcr:primaryType": "rep:GrantACE",
                "rep:principalName": "jackrabbit",
                "rep:privileges": ["jcr:read", "rep:write"]
            },
            "deny": {
                "jcr:primaryType": "rep:DenyACE",
                "rep:principalName": "jackrabbit",
                "rep:privileges": ["jcr:addNodes", "rep:addProperties"],
                "rep:restrictions": {
                    "jcr:primaryType": "rep:Restrictions",
                    "rep:ntNames": ["nt:hierarchyNode", "nt:resource"]
                }
            }
        }
    }
}
Repo-Level Policy
"": {
    "jcr:primaryType": "rep:root",
    "jcr:mixinTypes": "rep:RepoAccessControllable",
    "rep:repoPolicy": {
        "jcr:primaryType": "rep:ACL",
        "allow": {
            "jcr:primaryType": "rep:GrantACE",
            "rep:principalName": "elefant",
            "rep:privileges": ["rep:privilegeManagement"]
        }
    }
}


Please refer to the following for more information:
https://jackrabbit.apache.org/oak/docs/security/accesscontrol/default.html
Hope this is helpful.

View solution in original post
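
An added example (not part of the original answer and not Oak code): a small Python audit over a JSON export shaped like the trees above. It separates node-bound ACEs (`rep:policy`) from repo-level ones (`rep:repoPolicy`) and lists who is allowed a repository-level privilege. The sample tree is constructed, and `REPO_PRIVILEGES` uses the standard JCR/Oak privilege names for the namespace, node type, privilege and workspace management operations the answer mentions.

```python
# Privileges for repository-level operations; granted via /rep:repoPolicy.
REPO_PRIVILEGES = {"jcr:namespaceManagement", "jcr:nodeTypeDefinitionManagement",
                   "rep:privilegeManagement", "jcr:workspaceManagement"}
EFFECT = {"rep:GrantACE": "allow", "rep:DenyACE": "deny"}
# Constructed sample: the two trees from the answer merged under one root.
SAMPLE_ROOT = {
    "jcr:primaryType": "rep:root",
    "rep:repoPolicy": {
        "jcr:primaryType": "rep:ACL",
        "allow": {"jcr:primaryType": "rep:GrantACE",
                  "rep:principalName": "elefant",
                  "rep:privileges": ["rep:privilegeManagement"]},
    },
    "content": {
        "rep:policy": {
            "jcr:primaryType": "rep:ACL",
            "allow": {"jcr:primaryType": "rep:GrantACE",
                      "rep:principalName": "jackrabbit",
                      "rep:privileges": ["jcr:read", "rep:write"]},
            "deny": {"jcr:primaryType": "rep:DenyACE",
                     "rep:principalName": "jackrabbit",
                     "rep:privileges": ["jcr:addNodes", "rep:addProperties"],
                     "rep:restrictions": {"rep:ntNames": ["nt:hierarchyNode"]}},
        },
    },
}

def collect_aces(node, path="/"):
    """Yield one record per ACE; bound_to is None for the repo-level policy."""
    for name, child in node.items():
        if not isinstance(child, dict):
            continue  # properties such as jcr:primaryType
        if name in ("rep:policy", "rep:repoPolicy"):
            repo = name == "rep:repoPolicy"
            for ace in child.values():
                if isinstance(ace, dict) and ace.get("jcr:primaryType") in EFFECT:
                    yield {"bound_to": None if repo else path,
                           "principal": ace["rep:principalName"],
                           "effect": EFFECT[ace["jcr:primaryType"]],
                           "privileges": ace["rep:privileges"],
                           "restricted": "rep:restrictions" in ace}
        else:
            yield from collect_aces(child, path.rstrip("/") + "/" + name)

def repo_level_grants(root):
    """(principal, privilege) pairs allowed via the repo-level policy."""
    return sorted({(a["principal"], p) for a in collect_aces(root)
                   if a["bound_to"] is None and a["effect"] == "allow"
                   for p in a["privileges"] if p in REPO_PRIVILEGES})
```

Records with `bound_to` set to a path are ordinary node ACLs; the single record with `bound_to` of `None` is the repo-level entry, which is the one to review when checking who can manage namespaces, node types, privileges or workspaces.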

4 Replies

Level 4

Hi,

Access control policies created and modified using the default authorization model are stored as child of the node they are bound to with name rep:policy or as node with path /rep:repoPolicy (for repo-level policies).

You will get more details at this URL:

Ref: https://jackrabbit.apache.org/oak/docs/security/accesscontrol/default.html

Hope this helps to understand.

Thanks

Level 6

@akshaybhujbale

Additionally, you can refer to this document - https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/user-group-ac-a...

The main difference between the two is that rep:repoPolicy applies to the repository, whereas the other is associated with a path.
