SOLVED

Give Upload/Create only permissions to user in AEM

Hi all,

I have AEM 6.4 with aem-service-pkg-6.4.3 installed.

In this I have created a new user group with permissions like the below for all parent folders:

[Image: 1791336_pastedImage_1.png]

My basic requirement is that I want the users (belonging to this user group) to have only read and create permission in my project's folder path (let's say: content/dam/ASC/en/MyFolder).

To do this I have given read and create permission to that folder path as shown below, but I am not able to see the Create button in the Assets folder path to be able to upload the assets in the AEM Assets screen.

[Image: 1791337_pastedImage_4.png]

I found this documentation link (User Administration and Security), where it says:

Create

The user can:

  • create a new page or child page.

If modify is denied the subtrees below jcr:content are specifically excluded because the creation of jcr:content and its child nodes are considered a page modification. This only applies to nodes defining a jcr:content child node.

But if I enable modify for this user group on this folder, the user would also be able to edit the metadata properties of assets inside that folder, which, as per the requirement, the user should not be able to do.

Can somebody please help regarding this?

The user should only be able to upload assets.

You can also suggest any other workaround.

1 Accepted Solution

Correct answer by
Employee Advisor

That's unfortunate, but not really unexpected.

If I see it correctly, the create button explicitly requests MODIFY permissions on that folder, because modify also contains the "add children" permission.

That means while the underlying JCR permissions would allow a very fine-grained permission control, the UI does not expose it in that granularity and modelling at this level gets nearly impossible.

I would provide the group the modify permission and instead disallow write permission on the metadata nodes (using wildcard ACLs). That should result in the same outcome.

Jörg

3 Replies

Employee Advisor

I believe you need to add more granular ACLs from CRXDE using the rep:glob pattern. Check [1] and [2] for more details.

[1] User, Group and Access Rights Administration

[2] Jackrabbit Oak – Restriction Management
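
A way to check what a wildcard deny like the one suggested in the accepted answer would cover before setting it with rep:glob in CRXDE, as an added example that is not part of the thread or Adobe's code. The group ACL, the glob `/*/jcr:content/metadata*`, the sample asset paths and the simplified matching and ordering rules are assumptions; the folder path is the one from the question.

```python
import re

FOLDER = "/content/dam/ASC/en/MyFolder"  # folder path from the question

# Constructed ACL for a hypothetical uploader group, all entries set on FOLDER.
# Each entry: (effect, privilege, rep:glob or None for "no restriction").
ACL = [
    ("allow", "jcr:read", None),
    ("allow", "jcr:addChildNodes", None),
    ("allow", "jcr:modifyProperties", None),
    # Assumed glob: metadata nodes and properties of anything below FOLDER.
    ("deny", "jcr:modifyProperties", "/*/jcr:content/metadata*"),
]


def glob_matches(node_path, glob, item_path):
    """Simplified rep:glob model: match node_path + glob, '*' spans any characters, '/' included."""
    if glob is None:  # unrestricted entry: the node and its whole subtree
        return item_path == node_path or item_path.startswith(node_path + "/")
    if "*" not in glob:
        raise ValueError("only globs containing '*' are modelled here")
    parts = (node_path + glob).split("*")
    return re.fullmatch(".*".join(map(re.escape, parts)), item_path) is not None


def is_granted(privilege, item_path, acl=ACL, node_path=FOLDER):
    """Default deny; among matching entries the last one in the list wins (simplified)."""
    granted = False
    for effect, priv, glob in acl:
        if priv == privilege and glob_matches(node_path, glob, item_path):
            granted = effect == "allow"
    return granted


def check_sample_paths():
    """Evaluate constructed item paths; returns {label: granted}."""
    modify = "jcr:modifyProperties"
    return {
        "add asset node to folder": is_granted("jcr:addChildNodes", FOLDER),
        "asset metadata property": is_granted(modify, FOLDER + "/photo.jpg/jcr:content/metadata/dc:title"),
        "metadata in subfolder": is_granted(modify, FOLDER + "/sub/photo.jpg/jcr:content/metadata"),
        # Not covered by the glob: review whether these should stay writable.
        "asset jcr:content property": is_granted(modify, FOLDER + "/photo.jpg/jcr:content/jcr:title"),
        "folder's own metadata": is_granted(modify, FOLDER + "/jcr:content/metadata/dc:title"),
    }


if __name__ == "__main__":
    for label, granted in check_sample_paths().items():
        print(f"{'ALLOW' if granted else 'DENY ':5}  {label}")
```

The last two sample paths stay writable under the assumed glob, which is the kind of gap to look for before relying on a single wildcard entry.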

Employee

Hello niks1020,

Jorg is correct. You need to add 'Modify' permission also.

I tried adding 'Modify' permission along with Read and Create permission to the group and I could see the 'Create' button visible in <host:port>/assets.html/content/dam, but without Modify permission the Create button is not visible.

Give this a try!

Best Regards,

Nidhi Priya