Enhancements to AEM to support restricted user permissions | Community
Level 4
October 16, 2015
Solved

Enhancements to AEM to support restricted user permissions

  • October 16, 2015
  • 16 replies
  • 8185 views

Hi,

I get the following requests from clients a lot.

  • The ability to have a role which can't edit a page but can annotate for review
  • The ability to edit only a section of the page

Is it worth raising these as feature requests?  Is there any workaround now that is commonly used?

Thanks!

Best answer by joerghoh

Hi,

the annotation thing is "easy" to do: you only need to allow write access to the cq:annotation property and have read access for everything else. You can do this quite easily using wildcard ACLs [1]. Editing only a section of a page is more tricky, as then this section always has to have the very same name. Then you can use wildcard ACLs as well.

The standard (path based) ACLs do not really work here, as the ACL inheritance is not applicable.

kind regards,
Jörg

[1] http://wiki.apache.org/jackrabbit/AccessControl#Principal-based_ACLs, look for the rep:glob property

16 replies

bswx
Level 2
January 30, 2017

Thank you for the quick reply. But that's exactly what I tried.

1) Gave read permission to all pages.

2) Then added an allow policy for the group with rep:glob as /*/cq:annotations/*

Still I get access denied, and edit is also enabled for all pages. Any specific example would be nice to

paul_bjorkstran
Level 2
February 14, 2019

This can be done with normal path-based ACLs, but you need to allow more than just access to cq:annotations.

EDIT: I forgot to mention, the permissions below are on the /content node as allow with jcr:read & rep:write base permissions, and restrictions based on the lists below.

You need to allow write for the following rep:globs

  • /*/cq:annotations
  • /*/cq:annotations/*

You also need to allow write for the following rep:itemNames

  • cq:lastModified
  • cq:lastModifiedBy

I also added these rep:itemNames for good measure

  • jcr:lastModified
  • jcr:lastModifiedBy

The rep:itemNames are needed because AEM updates cq:lastModified/cq:lastModifiedBy on the page whenever an annotation is changed (add, modify, delete).

To create them you need crx/de or a similarly powerful tool for ACL management. With crx/de, I have 6 entries for permissions, one for each of the 6 items above.

bswx & omallianz, this might be something you are interested in as well.

February 19, 2019

paul.bjorkstrand thanks, I will check this out.

Update: Thanks paul.bjorkstrand, checked this and it worked well.

Sorry guys, I caused some confusion on this. When I checked this last time, I had already given write permission on everything below jcr:content, and that worked. However, if you just add the 6 ACLs above as mentioned by Paul, it doesn't work. FYI, below is the representation of the rep:policy node:

{
   "jcr:primaryType": "rep:ACL",
   "allow": {
      "jcr:primaryType": "rep:GrantACE",
      "rep:principalName": "annotations-group-example",
      "rep:privileges": ["jcr:read"]
   },
   "allow13": {
      "jcr:primaryType": "rep:GrantACE",
      "rep:principalName": "annotations-group-example",
      "rep:privileges": ["rep:write"],
      "rep:restrictions": {
         "jcr:primaryType": "rep:Restrictions",
         "rep:glob": "/*/cq:annotations"
      }
   },
   "allow14": {
      "jcr:primaryType": "rep:GrantACE",
      "rep:principalName": "annotations-group-example",
      "rep:privileges": ["rep:write"],
      "rep:restrictions": {
         "jcr:primaryType": "rep:Restrictions",
         "rep:glob": "/*/cq:annotations/*"
      }
   },
   "allow15": {
      "jcr:primaryType": "rep:GrantACE",
      "rep:principalName": "annotations-group-example",
      "rep:privileges": ["rep:write"],
      "rep:restrictions": {
         "jcr:primaryType": "rep:Restrictions",
         "rep:itemNames": ["cq:lastModified"]
      }
   },
   "allow16": {
      "jcr:primaryType": "rep:GrantACE",
      "rep:principalName": "annotations-group-example",
      "rep:privileges": ["rep:write"],
      "rep:restrictions": {
         "jcr:primaryType": "rep:Restrictions",
         "rep:itemNames": ["cq:lastModifiedBy"]
      }
   },
   "allow17": {
      "jcr:primaryType": "rep:GrantACE",
      "rep:principalName": "annotations-group-example",
      "rep:privileges": ["rep:write"],
      "rep:restrictions": {
         "jcr:primaryType": "rep:Restrictions",
         "rep:itemNames": ["jcr:lastModified"]
      }
   },
   "allow18": {
      "jcr:primaryType": "rep:GrantACE",
      "rep:principalName": "annotations-group-example",
      "rep:privileges": ["rep:write"],
      "rep:restrictions": {
         "jcr:primaryType": "rep:Restrictions",
         "rep:itemNames": ["jcr:lastModifiedBy"]
      }
   }
}

As a workaround, we did something like this:

# Allows the user to annotate on the pages (wildcard for everything below jcr:content, excluding jcr:content itself) but blocks modifying page properties by restricting access on the jcr:content node. See also Jackrabbit Oak – Restriction Management
- path: /content/we-retail/en
  permission: allow
  privileges: rep:write
  restrictions:
    rep:glob: '/*/jcr:content/*'

This will give permission to create, edit and modify everything below jcr:content (excluding jcr:content itself).
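The following script is an added example, not code from this thread, from AEM or from Oak. It models, in a deliberately simplified way, how rep:glob and rep:itemNames restrictions select items, and runs both Paul's six-entry configuration and the '/*/jcr:content/*' workaround above against a constructed page subtree, so you can see which nodes and properties each set makes writable before trying it in crx/de. Assumptions (all mine, not taken from the Oak documentation verbatim): '*' matches any run of characters including '/', a glob is matched against the item path relative to the node carrying the ACL, rep:itemNames matches an item by its name at any depth, and only allow entries are evaluated (real Oak evaluation also handles deny entries, ACL inheritance and privilege aggregation). The page name "men" and the item paths are constructed for the example.

```python
"""Simplified model of Jackrabbit Oak rep:glob / rep:itemNames restriction matching.

Added example (not code from the thread, AEM or Oak). Assumptions: '*' matches any
characters including '/', patterns apply to the path relative to the ACL node,
rep:itemNames matches by item name at any depth, only allow entries are evaluated.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence


@dataclass(frozen=True)
class Ace:
    """One allow entry on an ACL node: privileges plus optional restrictions."""
    privileges: FrozenSet[str]
    glob: Optional[str] = None                 # rep:glob; None means unrestricted
    item_names: FrozenSet[str] = frozenset()   # rep:itemNames; empty means unrestricted


def relative_path(acl_path: str, item_path: str) -> Optional[str]:
    """Path of the item relative to the ACL node ('' for the node itself), None if outside."""
    base = acl_path.rstrip("/")
    if item_path == base:
        return ""
    if item_path.startswith(base + "/"):
        return item_path[len(base):]
    return None


def glob_matches(glob: Optional[str], rel: str) -> bool:
    """Model of rep:glob: None = node and all descendants, '' = node only, '*' spans '/'."""
    if glob is None:
        return True
    if glob == "":
        return rel == ""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in glob)
    return re.fullmatch(regex, rel) is not None


def ace_applies(ace: Ace, acl_path: str, item_path: str) -> bool:
    """True if the entry's restrictions (glob and item names) cover the item."""
    rel = relative_path(acl_path, item_path)
    if rel is None or not glob_matches(ace.glob, rel):
        return False
    if ace.item_names and item_path.rsplit("/", 1)[-1] not in ace.item_names:
        return False
    return True


def granted(aces: Sequence[Ace], acl_path: str, item_path: str, privilege: str) -> bool:
    """True if any allow entry carrying the privilege covers the item."""
    return any(privilege in a.privileges and ace_applies(a, acl_path, item_path) for a in aces)


# Paul's configuration on /content: read everywhere, write only on annotation items
# and on the four lastModified* properties (modelled after the rep:policy JSON above).
WRITE = frozenset({"rep:write"})
PAUL_ACES = [
    Ace(frozenset({"jcr:read"})),
    Ace(WRITE, glob="/*/cq:annotations"),
    Ace(WRITE, glob="/*/cq:annotations/*"),
    Ace(WRITE, item_names=frozenset({"cq:lastModified"})),
    Ace(WRITE, item_names=frozenset({"cq:lastModifiedBy"})),
    Ace(WRITE, item_names=frozenset({"jcr:lastModified"})),
    Ace(WRITE, item_names=frozenset({"jcr:lastModifiedBy"})),
]

# The workaround: write on everything below jcr:content, applied at /content/we-retail/en.
WORKAROUND_ACES = [
    Ace(frozenset({"jcr:read"})),
    Ace(WRITE, glob="/*/jcr:content/*"),
]

# Constructed page subtree; the page name "men" is made up for this example.
PAGE = "/content/we-retail/en/men"
SAMPLE_ITEMS = [
    PAGE + "/jcr:content",
    PAGE + "/jcr:content/jcr:title",
    PAGE + "/jcr:content/cq:lastModified",
    PAGE + "/jcr:content/cq:annotations",
    PAGE + "/jcr:content/cq:annotations/annotation_1",
    PAGE + "/jcr:content/cq:annotations/annotation_1/text",
]


def writable_items(aces: Sequence[Ace], acl_path: str) -> FrozenSet[str]:
    """Sample items on which the given entries grant rep:write."""
    return frozenset(p for p in SAMPLE_ITEMS if granted(aces, acl_path, p, "rep:write"))


if __name__ == "__main__":
    for label, aces, acl_path in [("paul", PAUL_ACES, "/content"),
                                  ("workaround", WORKAROUND_ACES, "/content/we-retail/en")]:
        print(f"--- {label} (ACL on {acl_path})")
        for item in SAMPLE_ITEMS:
            flag = "write" if granted(aces, acl_path, item, "rep:write") else "read "
            print(f"{flag}  {item}")
```

In this model the annotation-only entries leave the page's jcr:content node and its ordinary properties (jcr:title) read-only while covering cq:annotations, its children and the lastModified* properties; the '/*/jcr:content/*' glob also matches properties of jcr:content such as jcr:title, so it is worth checking on a real repository exactly which page properties it opens up. The same glob does not match the jcr:content node directly below the ACL path (/content/we-retail/en/jcr:content/...), because the pattern needs at least one path segment between the ACL node and jcr:content.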

March 7, 2019

Hi,

I have a user with only read permissions and then added all 6 permissions mentioned above for the user in crx/de at the /content node.

Now I am able to edit and update an existing annotation, but I am still unable to add a new annotation. Logs show "Access denied".

Is there anything that I am still missing?

Thanks in advance

March 7, 2019

Can you share the screenshots of rep:policy node?

Level 2
June 6, 2024

Hi Tim/everyone,
Has this functionality been implemented successfully? If yes, can you please share the final solution for this issue? We also need to implement the same functionality in our project.