Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

Migrating 5.6.1 ACLs to 6.1

Avatar

Level 4

We have heard from those that have migrated that ACL migration is not easy with the new security standards in AEM 6.1.   Some are reporting lost ACLs that thye have to recreate.  This is not acceptable for our migration.  We have a very large ACL and need to migrate this into the new secure standards (secured hash for paths, etc).  What is the right way to do this?  Will ACS Commons ACL Package help?

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

HI Mark,

you likely mean, that the node name of a principal is longer the id of the principal.

So on AEM 6.0 and older it's /home/users/a/admin, but on 6.1 it's on my box /home/users/a/apa96F-DQwDDhZsnfBDq.

If you migrate properly, there should not any problem. The only problem I see is that a lot of code assumes that it could calculate the path of the username by the principal id and some semi-static prefixes. Which is no longer possible.

kind regards,
Jörg

View solution in original post

5 Replies

Avatar

Employee

Hi Mark,

As I replied to you on Twitter, I'm not sure what you mean about "hashed paths" in the context of ACLs. If you are consistently losing ACLs on package installation, be sure you are specifying the right Access Control Handling. It should probably be Override. I think the default is Ingore. You can specify this when building or installing the package.

Regards,

Justin

Avatar

Level 4

We were just told by another institution that node names change and are no longer the user ID strings.  They are or include some hash value for added path security.  The same institution could not migration the permissions with OOTB migration steps.  I am simply asking how to best avoid this. 

Avatar

Correct answer by
Employee Advisor

HI Mark,

you likely mean, that the node name of a principal is longer the id of the principal.

So on AEM 6.0 and older it's /home/users/a/admin, but on 6.1 it's on my box /home/users/a/apa96F-DQwDDhZsnfBDq.

If you migrate properly, there should not any problem. The only problem I see is that a lot of code assumes that it could calculate the path of the username by the principal id and some semi-static prefixes. Which is no longer possible.

kind regards,
Jörg

Avatar

Level 4

Thanks.  I was hoping this was a case of a proprietary issue with that organization.  

Avatar

Employee

Keep in mind that the change Joerg is describing has absolutely nothing to do with ACLs. This is only for users and groups node names/path. The link between an ACL and a user/group was always done through the principal name.

Any code which assumed that the path to a user or group was derivable from the username was buggy and likely to fail on any CQ/AEM version. The only change now is that this code will always fail. Which IMHO is actually much better smiley