Adobe Experience Manager Sites & More

svenw22098367 · 9/14/16

Good day,

While figuring out the right way to configure closed user groups for my AEM 6.0 publisher, I came across the option to enable/disable CUG roots (in the OSGI configuration of component com.day.cq.auth.impl.cug.CugSupportImpl). At the moment, the CUG roots option is enabled.

I'm having trouble figuring out what exactly this option entails. I've tried Google and the AEM and JCR documentation, but I'm not finding a clear explanation.

Can someone explain what CUG roots are and what the consequences would be if I were to disable them in the OSGI configuration of component com.day.cq.auth.impl.cug.CugSupportImpl?

Thanks!

Jörg_Hoh · 9/15/16

Hi,

the CugSupportImpl translates the CUG settings into ACL. Disabling this service (via the config) does not revert the ACLs. So to get rid of these ACLS you can

1) remove the ACLs manually

2) enable the CUG mechanism again and make sure, that you remove the CUG related settings on author and activate again. This will cause a recreation of the correct ACL settings (no ACL); after that you can disable the service again.

Jörg

View solution in original post

Jörg_Hoh · 9/14/16

The label in the configMgr is a bit misleading. It should just be "enabled" and if it's checked the CUG mechanism is working. If you don't use CUGs there is no real difference if you have it enabled or not.

Jörg

svenw22098367 · 9/15/16

I have now disabled the CUG roots, but I don't notice any change in functionality. I can still configure closed user groups for pages and still only users with the roles described in the "cq:cugPrincipals" have access. Shouldn't this stop working?

Sven

Jörg_Hoh · 9/15/16

Hi,

the CugSupportImpl translates the CUG settings into ACL. Disabling this service (via the config) does not revert the ACLs. So to get rid of these ACLS you can

1) remove the ACLs manually

2) enable the CUG mechanism again and make sure, that you remove the CUG related settings on author and activate again. This will cause a recreation of the correct ACL settings (no ACL); after that you can disable the service again.

Jörg

svenw22098367 · 9/15/16

I've found that if I disable CUG roots and remove ACL's, yet keep the "cq:cugEnabled" set to true and "cq:cugPrincipals" set to an array of roles, that the page for which those CUG's are set is still only accessible for who have the roles specified in "cq:cugPrincipals". How is it possible that even though there is no "rep:policy" node anymore which holds the ACE data, that CUG's still seem in effect?

svenw22098367 · 9/15/16

Ignore my previous comment. It turns out we have a custom piece of code that is responsible for this functionality.

I now understand how it works and am able to use it properly.

Thanks for the help!

Adobe Experience Manager Sites & More

Disabling CUG roots consequences

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe