How to set up a rep:policy(deny) for a specific user group to not access an AEM page programmatically

srig786
Level 1

10-07-2019

Hi,

I have a requirement where I should set up a deny (rep:policy) access for a user group (e.g. testgroup) under a specific AEM page (e.g. /content/we-retail/us/en/experience/hours-of-wilderness) programmatically, based on the checkbox property authored in page properties, as shown in the screenshot below.

checkbox-property-in-page-properties.png

I know we can manually set up the privileges/permissions using user admin interface shown in screenshot below

deny-access-given-in-useradmin.png

When we provide deny jcr:read access in user admin, AEM creates a rep:policy/deny node under the page for that specific user group (e.g. testgroup). However, I want to achieve this programmatically.

deny-access-schreeshot.png

Could someone suggest/provide an example to implement this use case? Please let me know if you need any additional information.

Thanks in Advance,

Regards,

Sri.

Accepted Solutions (1)

anjali_biddanda
Level 3

21-09-2020

This does it:

 

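import java.util.HashMap;
import java.util.Map;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import com.day.cq.replication.Replicator;

// Create your adminSession using a mapped service user
Map<String, Object> param = new HashMap<String, Object>();
param.put(ResourceResolverFactory.SUBSERVICE, "write-service"); // ensure you have write-service user created via a config script or on usermanager
// try-with-resources closes the resolver (and its session) once the ACL is saved
try (ResourceResolver resourceResolver = resourceResolverFactory.getServiceResourceResolver(param)) {
    Session adminSession = resourceResolver.adaptTo(Session.class);
    AccessControlManager aMgr = adminSession.getAccessControlManager();
    // create privilege
    Privilege[] privileges = new Privilege[]{aMgr.privilegeFromName(Replicator.REPLICATE_PRIVILEGE)};
    // path (target node) and contentManagerGroup (the Group to restrict) are defined by the caller
    JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(adminSession, path);
    acl.addEntry(contentManagerGroup.getPrincipal(), privileges, false); // false = deny entry
    aMgr.setPolicy(path, acl);
    adminSession.save();
}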

 

 

 

 

 

Answers (4)

cal-netsolution
Level 3

17-07-2019

For this use case I suggest this approach, as you have a checkbox in the page properties.

1. Create an event listener and choose the event type (node modified, property modified, etc.). Also specify the path where this event listener is to be triggered.

Here is the link to see how to create an event listener: https://helpx.adobe.com/experience-manager/using/aem64_event_listener.html

2. In the onEvent method, you can write your logic to check if the checkbox property is modified and then add the rep:policy/deny node under the page for that specific user group.

So whenever the property is changed, using the event listener you can set the permissions for the page programmatically.

Hope this helps!

Cal
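The listener logic from step 2, combined with the `addEntry(..., false)` call from the accepted solution, as an added example that is not code from any post in this thread. The class name `DenyReadListener` and the checkbox property name `denyRead` are hypothetical; the listener is assumed to be registered through `ObservationManager.addEventListener` for property added/changed/removed events under the content path, with a service-user session.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.observation.EventIterator;
import javax.jcr.observation.EventListener;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
// Added example: keeps a deny jcr:read entry for one group in sync with a page checkbox.
public class DenyReadListener implements EventListener {
    private static final String GROUP = "testgroup";              // group name from the question
    private static final String SUFFIX = "/jcr:content/denyRead"; // hypothetical checkbox property
    private final Session session; // service user; needs jcr:readAccessControl and jcr:modifyAccessControl
    public DenyReadListener(Session session) { this.session = session; }

    @Override
    public void onEvent(EventIterator events) {
        while (events.hasNext()) {
            try {
                String propPath = events.nextEvent().getPath();
                if (!propPath.endsWith(SUFFIX)) continue; // ignore every other property
                boolean deny = session.propertyExists(propPath) && session.getProperty(propPath).getBoolean();
                sync(propPath.substring(0, propPath.length() - SUFFIX.length()), deny);
            } catch (RepositoryException e) {
                throw new IllegalStateException("ACL sync failed", e); // surface the failure instead of hiding it
            }
        }
    }

    private void sync(String pagePath, boolean deny) throws RepositoryException {
        Principal group = ((JackrabbitSession) session).getPrincipalManager().getPrincipal(GROUP);
        AccessControlManager acm = session.getAccessControlManager();
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, pagePath);
        if (group == null || acl == null) throw new RepositoryException("No principal or ACL for " + pagePath);
        for (AccessControlEntry ace : acl.getAccessControlEntries()) { // array copy, safe to remove while looping
            JackrabbitAccessControlEntry e = (JackrabbitAccessControlEntry) ace;
            boolean ours = !e.isAllow() && e.getPrincipal().getName().equals(GROUP)
                    && e.getPrivileges().length == 1 && e.getPrivileges()[0].getName().equals(read[0].getName());
            if (ours) acl.removeAccessControlEntry(e); // drop the old deny so repeated saves stay idempotent
        }
        if (deny) acl.addEntry(group, read, false); // false = deny entry
        acm.setPolicy(pagePath, acl);
        session.save();
    }
}
```

The deny entry is written on the page node, so it is inherited by the page's subtree, child pages included, unless an ACL further down grants read again.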

Tuhin_Ghosh
Level 5

16-07-2019

You might have to try setting up the ACLs programmatically.

Look at AccessControlManager API.

Read the below documents. This should help.

User, Group and Access Rights Administration

Thanks

Tuhin

srig786
Level 1

11-07-2019

hamidk11679710 I have looked at the first link and it says copying ACLs from source path to target path, which is not my requirement. I will try the second link and get back to you.

Thanks for your help.

hamidk92094312
Employee

10-07-2019