Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

How to edit/delete custom privileges

Avatar

Level 2

Hi had registered a custom namespace in order to create custom privileges based on that namespace for some POC work. 

Now based on the updated requirements i want to edit those custom privileges(make aggregate of different privileges) but im unable to do so.

Is there a way to edit the custom privileges or we need to delete and create new?

If delete, it doesn't give an option to delete the privileges via crx/de or crx/explorer->Content explorer-> custom privilege. How can we delete it?

Though it gives option to delete namespace through content explorer.

Any pointers are appreciated.

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Hi @kpsolanki_1204,

OOTB and custom privileges are stored in the repository under /jcr:system/rep:privileges. 

Vijayalakshmi_S_0-1624917717501.png

 

You can remove for here. But be sure to take care of resources assigned with this privilege before deletion.

Couldn't see direct option for edit/delete from CRXDE -> Tools -> Privileges nor from Privileges UI. (which is accessible via CRX Explorer -> Repository Configuration ->  Privilege Administration -> http://localhost:4502/crx/explorer/config/privileges.jsp)

View solution in original post

6 Replies

Avatar

Employee Advisor

Hi @kpsolanki_1204!

Unfortunately, it's not quite clear to me what you are referring to as "custom privileges".

Could you please elaborate on what you mean by that? Have you set access control entries (ACE) to you content and want to remove these policies? Have you granted certain privileges to groups and want to revert this?

As you are already mentioning content explorer, you may also want to look at it's Access Control Editor tool. It allows to see, manage and delete access control policies for specific content paths and also lists all policies that are effective for a certain path (including policies inherited through hierarchy).

If that's not what you are looking for, please share additional details on your question/request.

 

 

Update:

Thanks for clarifying your question, @kpsolanki_1204!

So you registered a custom privilege through CRX Explorers "Privilege Administration" at http://localhost:4502/crx/explorer/config/privileges.jsp

As @Vijayalakshmi_S pointed out, the custom privilege is stored below /jcr:system/rep:privileges on the repository, but it can not be manually managed through CRX DE or CRX explorer because the node is protected. That usually means, that it must be managed via the according API (or some UI exposing the API).

 

In this case, however, I was not able to find any API that allows for deletion of custom privileges, not even talking about a UI.

While the PrivilegeManager allows for privilege registration, there is no method available for deletion or changing privileges once they are registered.

There does not see to be much (recent) information available on the topic, but I found this (ancient) improvement ticket on the JCR project that initially introduced the possibility to register custom privileges. The resolving comment states that:

 

The new privilege manager is exposed as interface in org.apache.jackrabbit.api.security.authorization.PrivilegeManager.
It provides methods to retrieve existing privileges and register new custom privileges and aggregates of custom and built-in privileges. 
[...]
Up to now un-registration of custom privileges is not supported.

 

As I have not found anything more recent on the topic we must assume that this is still the case and that there is no possibility to delete custom privileges once they are registered. If you think that this is an issue that should be addressed, please feel free to create an improvement request for the project.

 

 

Hope that helps!

Hi @markus_bulla_adobe

Registered a namespace (e.g. test) then creating a custom privilege using it (e.g. test:read)

No, i haven't set any ACE's. I just did the above activity on a vanilla instance and then was trying to edit/delete the custom privilege.

 

Checked the Access Control Editor tool as well to see if by default on creation, the custom privileges got assigned to any user/group on any path. But i don't see any assignments.

 

What more information do you require? 

Avatar

Employee Advisor

Hi @kpsolanki_1204 !

Thanks for providing additional details. I double checked and updated my initial post.

Unfortunately, it seems that there is currently no way to delete custom privileges once they are registered.

Avatar

Correct answer by
Community Advisor

Hi @kpsolanki_1204,

OOTB and custom privileges are stored in the repository under /jcr:system/rep:privileges. 

Vijayalakshmi_S_0-1624917717501.png

 

You can remove for here. But be sure to take care of resources assigned with this privilege before deletion.

Couldn't see direct option for edit/delete from CRXDE -> Tools -> Privileges nor from Privileges UI. (which is accessible via CRX Explorer -> Repository Configuration ->  Privilege Administration -> http://localhost:4502/crx/explorer/config/privileges.jsp)

Avatar

Level 2

Hi @Vijayalakshmi_S,

I created a brand new privilege on Vanilla and thus it is not been assigned to any user/group for any path.

It doesn't allow me to delete the privilege directly from crx /jcr:system/rep:privileges.. Gives the below error when i try to save.

kpsolanki_1204_0-1624952129183.png

Also through the crx/explorer->Content explorer, it disables the delete option for /jcr:system/rep:privileges.

Please let me know if there is any workaround for this.

Avatar

Community Advisor

Hi @kpsolanki_1204,

It is my miss that I didn't attempt to delete from my end.

Here is the mention about the same from Official Jackrabbit Oak documentation. 

  • From the existing Default PrivilegeManagement implementation standpoint, there is no configuration options available.  
  • nodeType - rep:Privilege is a protected node and hence modifications to the same via regular JCR operations is not allowed. The same is validated using dedicated PrivilegeValidator, hence the error you observe. 

https://jackrabbit.apache.org/oak/docs/security/privilege/default.html

https://jackrabbit.apache.org/oak/docs/security/privilege.html