SOLVED

How to allow/deny access to a libs path in aem as a cloud

I am trying to deny access on a libs path (/libs/cq/core/content/nav/tools/security) using the repoinit and it's working fine on the local SDK but failing the pipeline on the cloud. Any recommendation on how to fix it?

Use case: the "test-demo" group is created in the Admin Console and synced to AEM, so the group already exists in AEM.

The code below is added to "org.apache.sling.jcr.repoinit.RepositoryInitializer~projectName.cfg.json":

{
"scripts":[
"set ACL on /libs/cq/core/content/nav/tools/security\r\n deny jcr:read for \"test-demo\"\r\nend"
]
}

It works fine on my local but is failing the pipeline on cloud. Any recommendations?
1 Accepted Solution

Hi @ReddyIshanvi 

The one below works. Make sure that the spaces and characters are replaced with the encoded format.

<?xml version="1.0" encoding="UTF-8"?>
<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0"
jcr:primaryType="sling:OsgiConfig"
scripts="[set ACL for content-writer-service&#xa; allow jcr:read\,rep:write\,jcr:versionManagement\, jcr:modifyAccessControl\,jcr:readAccessControl\,jcr:lockManagement on /var&#xa; end, set ACL for content-writer-service&#xa; allow jcr:read\ on /&#xa; end, set ACL for content-writer-service&#xa; allow jcr:read\,rep:write\,jcr:versionManagement\, jcr:modifyAccessControl\,jcr:readAccessControl\,jcr:lockManagement on /etc&#xa; end, set ACL for content-writer-service&#xa; allow jcr:read\,rep:write\,jcr:versionManagement\, jcr:modifyAccessControl\,jcr:readAccessControl\,jcr:lockManagement on /content&#xa; end, set ACL for content-reader-service&#xa; allow jcr:read\ on /content&#xa; end, set ACL for content-reader-service&#xa; allow jcr:read\ on /etc&#xa; end]"/>

3 Replies

Create file in ui.config folder:

scripts=["
# These paths must exist, otherwise the following ACL application will fail, resulting in an erroring build
create path /libs/cq/core/content/nav/tools/security
# Create a group
create group test-demo
set ACL for test-demo
deny jcr:read on /libs/cq/core/content/nav/tools/security

end
"]
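
An added pre-deployment check, not code from any of the posts or from Adobe: following the last reply's point that ACL targets must exist when the script runs, this Python script parses a RepositoryInitializer `.cfg.json` body and warns about paths and principals that a `set ACL` block references but the same script never creates. The names `check_repoinit`, `QUESTION_CFG` and `REPLY_CFG` and the warning texts are assumptions, and the parser only covers the `create path`, `create group/user/service user` and `set ACL` statements seen in this thread.

```python
import json
import re

# Statements come from the posts; the .cfg.json wrapper around them is constructed.
QUESTION_CFG = json.dumps({"scripts": [
    'set ACL on /libs/cq/core/content/nav/tools/security\r\n'
    ' deny jcr:read for "test-demo"\r\nend']})
REPLY_CFG = json.dumps({"scripts": [
    "create path /libs/cq/core/content/nav/tools/security\n"
    "create group test-demo\n"
    "set ACL for test-demo\n"
    "    deny jcr:read on /libs/cq/core/content/nav/tools/security\n"
    "end"]})

def _names(text):
    # Comma-separated list; drop trailing restriction/nodetypes clauses and quotes.
    text = re.split(r"\s+(?:restriction\(|nodetypes\s)", text)[0]
    return {n.strip().strip('"') for n in text.split(",") if n.strip()}

def check_repoinit(cfg_json):
    """Return warnings for ACL paths/principals the config itself never creates."""
    warnings = []
    for i, script in enumerate(json.loads(cfg_json)["scripts"]):
        created_paths, created_principals = {"/"}, set()
        acl_paths, acl_principals, in_acl = set(), set(), False
        for line in (l.strip() for l in script.splitlines()):
            if not line or line.startswith("#"):
                continue
            if m := re.match(r"create path (?:\([^)]*\) )?(/\S*)", line):
                created_paths.add(re.sub(r"\([^)]*\)", "", m.group(1)))
            elif m := re.match(r"create (?:group|user|service user) (\S+)", line):
                created_principals.add(m.group(1).strip('"'))
            elif m := re.match(r"set ACL (for|on) (.+?)(?: \(.*\))?$", line):
                in_acl = True
                (acl_principals if m.group(1) == "for" else acl_paths).update(_names(m.group(2)))
            elif in_acl and (m := re.match(r"(?:allow|deny) .+? (on|for) (.+)$", line)):
                (acl_paths if m.group(1) == "on" else acl_principals).update(_names(m.group(2)))
            elif line == "end":
                in_acl = False
        if in_acl:
            warnings.append(f"script {i}: 'set ACL' block has no closing 'end'")
        for p in sorted(acl_paths):  # ancestors of a created path count as created
            if not any(c == p or c.startswith(p.rstrip("/") + "/") for c in created_paths):
                warnings.append(f"script {i}: path {p} is not created before the ACL is set")
        for p in sorted(acl_principals - created_principals):
            warnings.append(f"script {i}: principal {p} is not created in this script")
    return warnings
```

A warning is a prompt to confirm the target exists in every environment the script runs in, since a path or group that exists locally may be absent elsewhere.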