SOLVED

Disabling CUG roots consequences

Level 2

Good day,

While figuring out the right way to configure closed user groups for my AEM 6.0 publisher, I came across the option to enable/disable CUG roots (in the OSGi configuration of component com.day.cq.auth.impl.cug.CugSupportImpl). At the moment, the CUG roots option is enabled.

I'm having trouble figuring out what exactly this option entails. I've tried Google and the AEM and JCR documentation, but I'm not finding a clear explanation.

Can someone explain what CUG roots are and what the consequences would be if I were to disable them in the OSGi configuration of component com.day.cq.auth.impl.cug.CugSupportImpl?

Thanks!

5 Replies

Employee Advisor

The label in the configMgr is a bit misleading. It should just be "enabled" and if it's checked the CUG mechanism is working. If you don't use CUGs there is no real difference if you have it enabled or not.

Jörg

Level 2

I have now disabled the CUG roots, but I don't notice any change in functionality. I can still configure closed user groups for pages and still only users with the roles described in the "cq:cugPrincipals" have access. Shouldn't this stop working?

Sven

Correct answer by
Employee Advisor

Hi,

the CugSupportImpl translates the CUG settings into ACLs. Disabling this service (via the config) does not revert the ACLs. So to get rid of these ACLs you can

1) remove the ACLs manually

2) enable the CUG mechanism again and make sure that you remove the CUG related settings on author and activate again. This will cause a recreation of the correct ACL settings (no ACL); after that you can disable the service again.

Jörg

Level 2

I've found that if I disable CUG roots and remove ACLs, yet keep the "cq:cugEnabled" set to true and "cq:cugPrincipals" set to an array of roles, the page for which those CUGs are set is still only accessible to those who have the roles specified in "cq:cugPrincipals". How is it possible that even though there is no "rep:policy" node anymore which holds the ACE data, CUGs still seem to be in effect?

Level 2

Ignore my previous comment. It turns out we have a custom piece of code that is responsible for this functionality.

I now understand how it works and am able to use it properly.

Thanks for the help!
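
Added example, not part of the original thread and not Adobe's code: since disabling CugSupportImpl leaves existing ACLs in place, and a page can carry "cq:cugEnabled" without any "rep:policy" node, this sketch walks a JSON dump of a content subtree and lists pages where the CUG properties and the ACL node disagree. The dump layout (nested objects per child node, CUG properties on the page or its jcr:content child), the `audit` and `cug_state` names, and the sample tree are assumptions constructed for illustration.

```python
# Added example: audit a JSON dump of a content subtree for CUG/ACL mismatches.
# Assumptions: child nodes are nested objects, CUG properties sit on the page
# node or its jcr:content child, and an ACL shows up as a rep:policy child.

def cug_state(node):
    """Return (enabled, principals) read from the node or its jcr:content."""
    content = node.get("jcr:content")
    holders = [node] + ([content] if isinstance(content, dict) else [])
    for holder in holders:
        if str(holder.get("cq:cugEnabled", "")).lower() == "true":
            principals = holder.get("cq:cugPrincipals", [])
            if isinstance(principals, str):  # single-valued property
                principals = [principals]
            return True, sorted(principals)
    return False, []

def audit(node, path="/content"):
    """Return (path, finding, principals) tuples for pages to review."""
    findings = []
    enabled, principals = cug_state(node)
    has_policy = isinstance(node.get("rep:policy"), dict)
    if enabled and not has_policy:
        # CUG is configured but no repository ACL enforces it.
        findings.append((path, "cug-without-acl", principals))
    elif has_policy and not enabled:
        # May be a leftover CUG ACL or an ordinary ACL: review by hand.
        findings.append((path, "acl-without-cug", []))
    for name, child in node.items():
        if isinstance(child, dict) and name not in ("jcr:content", "rep:policy"):
            findings.extend(audit(child, f"{path}/{name}"))
    return findings

# Constructed sample tree, not taken from a real repository.
ACE = {"deny": {"jcr:primaryType": "rep:DenyACE", "rep:principalName": "everyone"}}
SAMPLE = {"site": {
    "jcr:primaryType": "cq:Page",
    "members": {"jcr:content": {"cq:cugEnabled": True,
                                "cq:cugPrincipals": ["members"]},
                "rep:policy": ACE},
    "partners": {"jcr:content": {"cq:cugEnabled": "true",
                                 "cq:cugPrincipals": "partners"}},
    "archive": {"jcr:content": {"jcr:title": "Archive"}, "rep:policy": ACE},
}}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An "acl-without-cug" finding is only a candidate: a rep:policy node can also hold ACLs that were never created from CUG settings.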