Expand my Community achievements bar.

Guidelines for the Responsible Use of Generative AI in the Experience Cloud Community.
Read More.

Issue with Move operation permissions

Avatar

Level 4
Level 4
8/23/24 9:47:52 AM

I've created a situation where authors are running into permission issues when trying to move pages under certain conditions.

 

To manage access, I set up group ACLs that limit author permissions to specific content paths, allowing them to only edit, publish, and perform similar actions within their designated regions. This was achieved by denying jcr:write and crx:replicate at the /content level, while allowing these permissions for their specific regional content paths.

 

This setup works well until an author needs to move or rename a page within their accessible top-level path. If that page only has references within the author's regions they have access to, the move operation works fine. If that page does have references outside the region they can access, it triggers a "request to move" operation. This happens because the move process attempts to update the references through unpublishing and publishing, which they cannot perform outside of their region. I understand why this is occurring.

 

While I have some ideas for workarounds, I wanted to check if there’s a simpler solution that I might be overlooking. Please let me know if you need any further details.

Views

325

Replies

7
Sign in to like this content

Total Likes

Translate
Translate
7 Replies

Avatar

Community Advisor
Community Advisor
8/26/24 3:40:22 AM

Hi @mmasonWD 
The simplest solution would be to give your authors a reference report.


Best part is this will remain disjoint from your current ACL permissions and authors can make use of reference report to identify references before attempting a move so they can either remove or manually adjust references within their permissions.

 

However this will increase overhead but would help without change current ACL permissions.


Using the report authors can manually update references within their allowed region or request assistance for references outside their control.

Views

254

Replies

4
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
8/26/24 6:56:13 AM
In response to pulkitvashisth

Thanks for the suggestion, but I am hoping for a solution that does not require additional assistance from an admin or another user. While this is a good suggestion, we have almost 40 authors and over 3500 pages, so not too feasible for our situation. I wasn't sure if there was some Access Control Entry that could be added/edited that I am overlooking that could solve this issue.

Views

236

Replies

3
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
8/26/24 10:26:54 AM
In response to mmasonWD

If you only want to use ACL to achieve the same then one thing you can do is assign specific permissions to a user group that are required for moving pages with references to other non accessible regions, that is I think jcr:write and jcr:modifyProperties permissions for the content path root. 
Then you can assign this group temporarily to a regional author group and remove the group when the moving is done.
This can be done using a simple installable permissions package.

Views

225

Replies

2
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
8/26/24 12:20:06 PM
In response to pulkitvashisth

If I understand you correctly, this would only solve the issue temporarily for a selected span of time, and not a permanent solution moving forward when authors may need to move pages at any given date. Part of the "move" operation also includes the crx:replicate privilege that must exist as part of publishing/unpublishing references upon move. 

I am beginning to think my request is not possible given how I currently have managed author access to specific regions. I may have to completely rethink our strategy here.  

Views

218

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
8/26/24 10:37:17 PM
In response to mmasonWD

Yes , given that you are looking for a permanent solve, you will have to rethink ACL division and hierarchy. 

Views

203

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Administrator
Administrator
9/4/24 5:25:31 AM

@mmasonWD Did you find the suggestion helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!



Kautuk Sahni

Views

154

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
9/4/24 6:39:54 AM
In response to kautuk_sahni

Unfortunately there is no correct answer here as it seems the route I was attempting to take and the specific outcomes I needed are not possible. 

Views

140

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Career Discovery Webinar with AEM Experts from Cognizant Netcentric

Views

275

Likes

0

Replies

1
How to implement Servlet to find smart tags attached with an image?

Views

206

Likes

0

Replies

4
Can we use ACS Commons Redirect Map Manager with IIS

Views

151

Likes

0

Replies

2
Custom oak:index for content fragment causing issue on query result

Views

282

Likes

0

Replies

4
Querybuilder casesensitive issue

Views

350

Likes

0

Replies

9