We have heard from those that have migrated that ACL migration is not easy with the new security standards in AEM 6.1. Some are reporting lost ACLs that thye have to recreate. This is not acceptable for our migration. We have a very large ACL and need to migrate this into the new secure standards (secured hash for paths, etc). What is the right way to do this? Will ACS Commons ACL Package help?
Solved! Go to Solution.
Views
Replies
Total Likes
HI Mark,
you likely mean, that the node name of a principal is longer the id of the principal.
So on AEM 6.0 and older it's /home/users/a/admin, but on 6.1 it's on my box /home/users/a/apa96F-DQwDDhZsnfBDq.
If you migrate properly, there should not any problem. The only problem I see is that a lot of code assumes that it could calculate the path of the username by the principal id and some semi-static prefixes. Which is no longer possible.
kind regards,
Jörg
Views
Replies
Total Likes
Hi Mark,
As I replied to you on Twitter, I'm not sure what you mean about "hashed paths" in the context of ACLs. If you are consistently losing ACLs on package installation, be sure you are specifying the right Access Control Handling. It should probably be Override. I think the default is Ingore. You can specify this when building or installing the package.
Regards,
Justin
Views
Replies
Total Likes
We were just told by another institution that node names change and are no longer the user ID strings. They are or include some hash value for added path security. The same institution could not migration the permissions with OOTB migration steps. I am simply asking how to best avoid this.
Views
Replies
Total Likes
HI Mark,
you likely mean, that the node name of a principal is longer the id of the principal.
So on AEM 6.0 and older it's /home/users/a/admin, but on 6.1 it's on my box /home/users/a/apa96F-DQwDDhZsnfBDq.
If you migrate properly, there should not any problem. The only problem I see is that a lot of code assumes that it could calculate the path of the username by the principal id and some semi-static prefixes. Which is no longer possible.
kind regards,
Jörg
Views
Replies
Total Likes
Thanks. I was hoping this was a case of a proprietary issue with that organization.
Views
Replies
Total Likes
Keep in mind that the change Joerg is describing has absolutely nothing to do with ACLs. This is only for users and groups node names/path. The link between an ACL and a user/group was always done through the principal name.
Any code which assumed that the path to a user or group was derivable from the username was buggy and likely to fail on any CQ/AEM version. The only change now is that this code will always fail. Which IMHO is actually much better
Views
Replies
Total Likes
Views
Likes
Replies
Views
Likes
Replies