Expand my Community achievements bar.

SOLVED

Migrating permissions between AEM publish instances

Avatar

Level 2

Good morning.

 

I hope someone can help me with this.

I have been asked to apply some additional permissions to the anonymous user on an AEM 6.5.15 publish instance. Obviously I can do this manually by applying the check marks to the relevant nodes through useradmin.

What I would like to do is package these changes, so I can apply to other publish instances via an automated process.  It seems that the ACS-Commons content packager will not allow me to build and edit a permissions package for the anonymous user on the publish server.  And even if it did, then the unique id of the anonymous user is different on each AEM publish instance, so installing a package on a new publish instance, would not supposedly update the correct anonymous user.

Please could anyone advise if there is a way to automate this process?

Many thanks

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

You should use netcentric AC tool. We also use it to manage user and groups.
Usually we provide permissions to group and add user to group. The plugin also suggest the same.

I have attached a screenshot for the permissions of anonymous user. I think you need exactly the same

- group_config:

- fragment-everyone:
- name: "Fragment Everyone"
members: anonymous
path: /home/groups/fragments

- ace_config:

- fragment-everyone:
- path: /conf/example/settings/wcm/templates
permission: allow
actions: read

- path: /conf/example/settings/wcm/template-types
permission: allow
actions: read

- path: /conf/example/settings/wcm/policies
permission: allow
actions: read

- path: /apps/example/settings/wcm/policies
permission: allow
actions: read

- path: /apps/example/settings/wcm/templates
permission: allow
actions: read

- path: /apps/example/sling:configs
permission: allow
actions: read

You can check the documentation here https://github.com/Netcentric/accesscontroltool 

kaikubad_0-1682602361957.png

 

View solution in original post

3 Replies

Avatar

Employee Advisor

Hi @neilwebbcbs!

 

There are different ways of managing permissions in AEM. You may want to refer to my reply in this thread [1] for additional details around that. As already mentioned by @arunpatidar, the Netcentric AC Tool [2] is a good way to manage groups and their according ACLs through code which will ensure a consistent state across different environments and instances.

 

In addition to that, it would be interesting to learn why you need to change the permissions of the OOTB anonymous user. From my experience, it's usually recommended to not tamper with the OOTB users or groups, especially when it comes to the ones that are integral part of certain system functionalities, such as the admin or anonymous user. For most cases the better option is to create a custom project-specific group and base that on the OOTB ones. As always, there are exceptions to this and some requirements might actually need changes to the anonymous user. But this has to be a qualified and justified decision. The documentation on the OOTB users and groups [3] mentions that the anonymous user should not be deleted or disabled to avoid unexpected behavior. Similarly, changing their permissions might have unexpected and/or unwanted effects. So in any case please make sure to thoroughly test any permission changes that are performed for the OOTB users and groups on lower environments and take a backup before applying the changes.

 

Hope that helps!

 

 

[1] https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/restrict-user-to-publish-t...

[2] https://github.com/Netcentric/accesscontroltool

[3] https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security.html#b...

Avatar

Correct answer by
Community Advisor

You should use netcentric AC tool. We also use it to manage user and groups.
Usually we provide permissions to group and add user to group. The plugin also suggest the same.

I have attached a screenshot for the permissions of anonymous user. I think you need exactly the same

- group_config:

- fragment-everyone:
- name: "Fragment Everyone"
members: anonymous
path: /home/groups/fragments

- ace_config:

- fragment-everyone:
- path: /conf/example/settings/wcm/templates
permission: allow
actions: read

- path: /conf/example/settings/wcm/template-types
permission: allow
actions: read

- path: /conf/example/settings/wcm/policies
permission: allow
actions: read

- path: /apps/example/settings/wcm/policies
permission: allow
actions: read

- path: /apps/example/settings/wcm/templates
permission: allow
actions: read

- path: /apps/example/sling:configs
permission: allow
actions: read

You can check the documentation here https://github.com/Netcentric/accesscontroltool 

kaikubad_0-1682602361957.png