Adobe Experience Manager Sites & More

josephabraham · 10/15/15

One for the AEM Geeks :

From the useradmin screen, when we assign a "delete" privilege to a group for a particular node (say /content/dam/foo, a folder in this case), I noticed two privileges being assigned in the rep:policy node (jcr:removeNode and jcr:removeChildNodes). Hence I tried to check out the behavior of the system when only jcr:removeChildNodes prilvilege is applied. My expectation is that the user should be able to delete the contents within the folder "foo" but not the folder itself. However, this didn't work for me. Any takes on why this could happen?

FYI. I used the ACL Setup Service to apply the jcr:removeChildNodes privilege at the /content/dam/foo. Even after this, the user wasn't able to delete anything under "/content/dam/foo".

smacdonald2008 · 10/15/15

"All I would like to enforce is that they do not delete "foo" by mistake."

In this case - if you are concerned about a user of the group deleting foo - ie:

content/foo22/ (as shown in my examle to represent foo)

then simply remove the delete permission at this level of the JCR for that group. Keep delete permissions on any children. That is the way the product is intended to work as discussed in this topic i listed above.

If you are looking for an automated way to set these permissions (you do not want to use the Security tool as shown above), you can create a JCR event handler that would set these permissions when you create a node under foo22.

View solution in original post

smacdonald2008 · 10/15/15

When you set groups permissions - you can set the exact level in the JCR that you allow a member of the group to delete. For example, consider the following illustration.

[img]JCRDelete.png[/img]

We have extended all members of this group to delete:

content/foo22/
content/foo22/foo44
/content/foo22/foo44/foo55

If you do not want members of that group to delete the top level - you can change that in the permissions view.

All of this is covered in this AEM doc topic:

http://docs.adobe.com/docs/en/aem/6-0/administer/security/security.html

josephabraham · 10/15/15

Not really what I am looking for.

I have users who have access to create and delete stuff under foo at the moment. All I would like to enforce is that they do not delete "foo" by mistake. A user may create ten folders under "foo" tomorrow. I do not want to add more and more rep:policy nodes (for each folder) each time a folder is created (manual or scripted) as this would eventually lead to performance bottlenecks

Hence, logically it would make sense to get rid of the jcr:removeNode privilege on "foo" while keeping the jcr:removeChildNodes privilege in place.

smacdonald2008 · 10/15/15

"All I would like to enforce is that they do not delete "foo" by mistake."

In this case - if you are concerned about a user of the group deleting foo - ie:

content/foo22/ (as shown in my examle to represent foo)

then simply remove the delete permission at this level of the JCR for that group. Keep delete permissions on any children. That is the way the product is intended to work as discussed in this topic i listed above.

If you are looking for an automated way to set these permissions (you do not want to use the Security tool as shown above), you can create a JCR event handler that would set these permissions when you create a node under foo22.

Adobe Experience Manager Sites & More

jcr:RemoveChildNodes not working by itself

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe