Disable admin account in CQ5.5 | Community
Skip to main content
This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by ogill

Why not simply limit access to the admin account, change the password and entrust it to a select few who will not use it to carry out admin tasks?

Then provide administrator privileges and felix console access to users that need to carry out admin duties. This is a simpler way to control access without disabling the default system administrator account.

Regards,

Opkar

5 replies

O
Adobe Employee
ogillAdobe Employee
Adobe Employee
October 19, 2015

Hi,

why do you want to disable the admin account?

Have you set up users with administration privileges and access to the felix console already?

Regards,

Opkar

kautuk_sahni
Community Manager
kautuk_sahniCommunity Manager
Community Manager
October 23, 2015

Hi 

Please share the use case of disabling the admin account.

If you would like to deny access to site admin actions for particular group, then please have a look at the following :-

Problem

 

How is it possible to disable Site Admin actions for particular groups, e.g. Activate?

 

Resolution

 

Following the concept 'Everything is content', Site Admin actions as such are also pure nodes in the repository which are thus subject of access control.

In order to disable and completely hide a certain action in the Site Admin console for a particular group, a corresponding group ACL has to be defined that denies read access to this action.

Following example will deal with the Activate action.

In order to set the actual ACL on above action node, the CRX Content Explorer has to be used. Following are the steps how to disable the Activate action for a group:

  • logged in as admin, open the crx.default workspace with the CRX Content Explorer and navigate to /libs/wcm/core/content/siteadmin/actions/activate
  • next click on the Security button and select Access Control Editor
  • in the Applicable Access Control Policies section, mark the checkbox next toorg.apache.jackrabbit.core.security.authorization.acl.ACLTemplate
  • click on Set selected policies
  • next click on New ACE
  • browse the Principal for the group for which a privilege is to be set
  • DENY jcr:read and confirm
  • click Apply and close the window

At this point, members of the above specified group won't have access to the Activate action anymore.

Based on the above given instructions, basically all other actions available in the Site Admin can be equally controlled via permissions. Following is a list of paths under which actions reside for different consoles:

                       
ConsolePath
Site Admin/libs/wcm/core/content/siteadmin/actions
DAM Admin/libs/wcm/core/content/damadmin/actions
Tools/libs/wcm/core/content/misc/actions
Security Admin/libs/cq/security/content/admin/authlist/actions

Link:- https://helpx.adobe.com/experience-manager/kb/how-to-deny-access-to-site-admin-actions.html

I hope this would help you.

 

Thanks and Regards

Kautuk Sahni

Kautuk Sahni
rama_krishna11
rama_krishna11Author
Level 2
October 23, 2015

Coming to auditing point, we are getting admin related information. So that planning to disable admin and access with other guy who hav admin rights. 

O
Adobe Employee
ogillAdobe EmployeeAccepted solution
Adobe Employee
October 23, 2015

Why not simply limit access to the admin account, change the password and entrust it to a select few who will not use it to carry out admin tasks?

Then provide administrator privileges and felix console access to users that need to carry out admin duties. This is a simpler way to control access without disabling the default system administrator account.

Regards,

Opkar

smacdonald2008
smacdonald2008
Level 10
October 23, 2015

Opkar's suggestion is best practice with AEM. 

Terms & ConditionsAccessibility statement

Loading footer...