Give Upload/Create only permissions to user in AEM

niks1020

14-07-2019

Hi all,

I have AEM 6.4 with aem-service-pkg-6.4.3 installed.

In this I have created a new user group with permissions like the ones below for all parent folders:

1791336_pastedImage_1.png

My basic requirement is that I want the users (belonging to this user group) to have only read and create permissions in my project's folder path (let's say: content/dam/ASC/en/MyFolder).

To do this I have given read and create permissions to that folder path as shown below, but I am not able to see the Create button in the Assets folder path to be able to upload the assets in the AEM Assets screen.

1791337_pastedImage_4.png

I found this documentation link (User Administration and Security), where it says:

Create

The user can:

  • create a new page or child page.

If modify is denied the subtrees below jcr:content are specifically excluded because the creation of jcr:content and its child nodes are considered a page modification. This only applies to nodes defining a jcr:content child node.

But if I enable modify for this user group on this folder, the user would also be able to edit the metadata properties of assets inside that folder, which, as per the requirement, the user should not be able to do.

Can somebody please help regarding this?

The user should only be able to upload assets.

You can also suggest any other workaround.

Accepted Solutions (1)

Jörg_Hoh
Employee

16-07-2019

That's unfortunate, but not really unexpected.

If I see it correctly, the create button explicitly requests MODIFY permissions on that folder, because modify also contains the "add children" permission.

That means while the underlying JCR permissions would allow a very fine-grained permission control, the UI does not expose it in that granularity and modelling at this level gets nearly impossible.

I would provide the group the modify permission and instead disallow write permission on the metadata nodes (using wildcard ACLs). That should result in the same outcome.

Jörg

Answers (2)


nidhip010816
Employee

16-07-2019

Hello niks1020,

Jörg is correct. You need to add the 'Modify' permission also.

I tried adding the 'Modify' permission along with the Read and Create permissions to the group, and I could see the 'Create' button visible in <host:port>/assets.html/content/dam, but without the Modify permission the Create button is not visible.

Give this a try!

Best Regards,

Nidhi Priya


jbrar
Employee

15-07-2019

I believe you need to add more granular ACLs from CRXDE using the rep:glob pattern. Check [1] and [2] for more details.

[1] User, Group and Access Rights Administration

[2] Jackrabbit Oak – Restriction Management
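
Before adding a deny entry with a rep:glob restriction, as the replies above suggest, it helps to check which nodes a given pattern would cover. The following is an added example (not code from this thread, AEM or Oak): a simplified Python model of the wildcard rule in the Oak restriction documentation, where `*` matches any characters including `/`. The glob value `*/jcr:content/metadata*` and the sample asset paths are constructed assumptions.

```python
import re

def glob_covers(acl_path, glob, target):
    """True if an entry set on acl_path and restricted by rep:glob applies to target."""
    if glob is None:   # no restriction: the node and its whole subtree
        return target == acl_path or target.startswith(acl_path.rstrip("/") + "/")
    if glob == "":     # empty glob: the node itself only
        return target == acl_path
    if "*" not in glob:
        raise ValueError("globs without '*' are not modelled in this example")
    # The glob is appended to the ACL node path; '*' matches any run of
    # characters ('/' included) and every other character is literal.
    pattern = ".*".join(re.escape(part) for part in (acl_path + glob).split("*"))
    return re.fullmatch(pattern, target) is not None

# Constructed sample data based on the folder named in the question.
FOLDER = "/content/dam/ASC/en/MyFolder"
METADATA_GLOB = "*/jcr:content/metadata*"   # assumed pattern, verify on your instance
SAMPLE_PATHS = [
    FOLDER + "/photo.jpg",
    FOLDER + "/photo.jpg/jcr:content",
    FOLDER + "/photo.jpg/jcr:content/renditions/original",
    FOLDER + "/photo.jpg/jcr:content/metadata",
    FOLDER + "/photo.jpg/jcr:content/metadata/dc:title",
    FOLDER + "/sub/pic.png/jcr:content/metadata/dc:description",
]

def paths_in_scope(folder=FOLDER, glob=METADATA_GLOB, paths=SAMPLE_PATHS):
    """Paths that a deny entry on `folder` with this rep:glob would apply to."""
    return [p for p in paths if glob_covers(folder, glob, p)]

if __name__ == "__main__":
    in_scope = set(paths_in_scope())
    for path in SAMPLE_PATHS:
        print("restricted " if path in in_scope else "unaffected ", path)
```

The model only shows pattern coverage; the effective result on a real instance also depends on which privileges the entry denies and on the other entries that apply to the group.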