Migrating permissions between AEM publish instances

Question

Good morning.

I hope someone can help me with this.

I have been asked to apply some additional permissions to the anonymous user on an AEM 6.5.15 publish instance. Obviously I can do this manually by applying the check marks to the relevant nodes through useradmin.

What I would like to do is package these changes, so I can apply to other publish instances via an automated process. It seems that the ACS-Commons content packager will not allow me to build and edit a permissions package for the anonymous user on the publish server. And even if it did, then the unique id of the anonymous user is different on each AEM publish instance, so installing a package on a new publish instance, would not supposedly update the correct anonymous user.

Please could anyone advise if there is a way to automate this process?

Many thanks

kaikubad · Accepted Answer

You should use netcentric AC tool. We also use it to manage user and groups.
Usually we provide permissions to group and add user to group. The plugin also suggest the same.

I have attached a screenshot for the permissions of anonymous user. I think you need exactly the same

- group_config:

    - fragment-everyone:
        - name: "Fragment Everyone"
          members: anonymous
          path:  /home/groups/fragments

- ace_config:

    - fragment-everyone:
        - path: /conf/example/settings/wcm/templates
          permission: allow
          actions: read

        - path: /conf/example/settings/wcm/template-types
          permission: allow
          actions: read

        - path: /conf/example/settings/wcm/policies
          permission: allow
          actions: read
          
        - path: /apps/example/settings/wcm/policies
          permission: allow
          actions: read

        - path: /apps/example/settings/wcm/templates
          permission: allow
          actions: read

        - path: /apps/example/sling:configs
          permission: allow
          actions: read

You can check the documentation here https://github.com/Netcentric/accesscontroltool

MarkusBullaAdobe · Answer

Hi @neilwebbcbs!

There are different ways of managing permissions in AEM. You may want to refer to my reply in this thread [1] for additional details around that. As already mentioned by @arunpatidar, the Netcentric AC Tool [2] is a good way to manage groups and their according ACLs through code which will ensure a consistent state across different environments and instances.

In addition to that, it would be interesting to learn why you need to change the permissions of the OOTB anonymous user. From my experience, it's usually recommended to not tamper with the OOTB users or groups, especially when it comes to the ones that are integral part of certain system functionalities, such as the admin or anonymous user. For most cases the better option is to create a custom project-specific group and base that on the OOTB ones. As always, there are exceptions to this and some requirements might actually need changes to the anonymous user. But this has to be a qualified and justified decision. The documentation on the OOTB users and groups [3] mentions that the anonymous user should not be deleted or disabled to avoid unexpected behavior. Similarly, changing their permissions might have unexpected and/or unwanted effects. So in any case please make sure to thoroughly test any permission changes that are performed for the OOTB users and groups on lower environments and take a backup before applying the changes.

Hope that helps!

[1] https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/restrict-user-to-publish-the-page-from-author-instance/m-p/589715#M147204

[2] https://github.com/Netcentric/accesscontroltool

[3] https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security.html#built-in-users-and-groups

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded