SOLVED

Migrating 5.6.1 ACLs to 6.1

Level 4

We have heard from those that have migrated that ACL migration is not easy with the new security standards in AEM 6.1. Some are reporting lost ACLs that they have to recreate. This is not acceptable for our migration. We have a very large ACL and need to migrate this into the new secure standards (secured hash for paths, etc). What is the right way to do this? Will ACS Commons ACL Package help?

1 Accepted Solution

Correct answer by
Employee Advisor

Hi Mark,

you likely mean, that the node name of a principal is longer the id of the principal.

So on AEM 6.0 and older it's /home/users/a/admin, but on 6.1 it's on my box /home/users/a/apa96F-DQwDDhZsnfBDq.

If you migrate properly, there should not be any problem. The only problem I see is that a lot of code assumes that it could calculate the path of the username by the principal id and some semi-static prefixes. Which is no longer possible.

kind regards,
Jörg

5 Replies

Employee

Hi Mark,

As I replied to you on Twitter, I'm not sure what you mean about "hashed paths" in the context of ACLs. If you are consistently losing ACLs on package installation, be sure you are specifying the right Access Control Handling. It should probably be Override. I think the default is Ignore. You can specify this when building or installing the package.

Regards,

Justin

Level 4

We were just told by another institution that node names change and are no longer the user ID strings. They are or include some hash value for added path security. The same institution could not migrate the permissions with OOTB migration steps. I am simply asking how to best avoid this.

Level 4

Thanks. I was hoping this was a case of a proprietary issue with that organization.

Employee

Keep in mind that the change Joerg is describing has absolutely nothing to do with ACLs. This is only for users and groups node names/path. The link between an ACL and a user/group was always done through the principal name.

Any code which assumed that the path to a user or group was derivable from the username was buggy and likely to fail on any CQ/AEM version. The only change now is that this code will always fail. Which IMHO is actually much better :)
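The two points made in this thread, as an added example that is not part of any post above and not Adobe's code: resolve a user or group node through the Jackrabbit `UserManager` instead of building the path from the id, and note that ACL entries refer to principals by name, not by node path. The class and method names are hypothetical, and the `Session` is assumed to be a Jackrabbit/Oak session (as in AEM) with read access to the user nodes and access control content.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;

// Hypothetical helper class for illustration only.
public final class AuthorizableLookup {

    // Fragile: rebuilds the old layout (/home/users/a/admin) from the id.
    // Kept only for contrast; on 6.1 the node name is no longer the id.
    static String guessedPath(String userId) {
        return "/home/users/" + userId.charAt(0) + "/" + userId;
    }

    // Robust: ask the repository where the authorizable lives.
    // Returns null when no user or group with that id exists.
    static String resolvedPath(Session session, String authorizableId)
            throws RepositoryException {
        // Assumption: the session is a JackrabbitSession, as it is in AEM.
        UserManager userManager = ((JackrabbitSession) session).getUserManager();
        Authorizable authorizable = userManager.getAuthorizable(authorizableId);
        return authorizable == null ? null : authorizable.getPath();
    }

    // Prints the principal names referenced by the ACL bound to contentPath.
    // The entries carry principal names, so they do not depend on where the
    // user or group node is stored under /home.
    static void printAclPrincipals(Session session, String contentPath)
            throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        for (AccessControlPolicy policy : acm.getPolicies(contentPath)) {
            if (!(policy instanceof AccessControlList)) {
                continue; // skip non-list policy types
            }
            for (AccessControlEntry ace : ((AccessControlList) policy).getAccessControlEntries()) {
                Principal principal = ace.getPrincipal();
                System.out.println(contentPath + " -> " + principal.getName());
            }
        }
    }
}
```

Comparing `guessedPath` with `resolvedPath` for a sample of ids before the upgrade is a quick way to find custom code that still relies on the old layout.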