Permission to generate audit log report in ACS commons for non admin users

Question

Hi All,Currently the audit log report under acs commons can be generated by the admin users, I would like to create a group for non-admin users to generate audit log report.May I know what are the permissions i need to enable to do so?

SantoshSai · Accepted Answer

Hi @abbirami,1. Grant Access to Audit Log NodesI think Audit logs are stored under:/var/auditPermissions needed on /var/audit:jcr:read – Allows reading audit log entries.You can assign this via user/group permissions.2. Grant Access to the Audit Log Report ToolThe tool lives under:/apps/acs-commons/components/audit-log-reportor if you're using the ACS Commons tools UI:/apps/acs-commons/components/utility/audit-log-reportPermissions needed:jcr:read on:/apps/acs-commons/libs/acs-commons (if applicable)jcr:read on the nodes where the tool UI is rendered (often under /content, e.g., /content/acs-commons)3. Access to Query Audit Logs (Optional but Important)If you're using the ACS Commons Audit Log Report UI that queries audit data, make sure the group has access to the QueryBuilder service or permissions to run queries via /bin/querybuilder.json.Path:/bin/querybuilder.jsonPermission: read + ability to post queries depending on UI behavior.4. Allow Execution of Audit Log Report Servlet (if applicable)Some versions of ACS Commons expose the report via a servlet, like:/bin/acs-commons/audit-log-reportPermissions:Grant jcr:read and allow access to /bin/acs-commons or the servlet path.5. General Permissions Needed for Viewing ACS Tools:jcr:read on /apps/acs-commonsjcr:read on /etc/acs-commons (some config may be here)jcr:read on /libs/granite/uijcr:read on /libs/cq/core/content/tools (if part of classic UI)Hope this helps!

AmitVishwakarma · Answer

Hi @abbirami ,Try below steps:1. Access to Audit Logs DataPath:/var/auditPermission:jcr:readWhy:This is where AEM stores audit logs. Without read access, no data will be returned in the report.2. Access to ACS Commons Audit Log UIPaths to grant jcr:read:/apps/acs-commons/components/utility/audit-log-report/libs/acs-commons/apps/acs-commons/content/acs-commons (if you're rendering the tool under a site)/libs/granite/uiOptional (if classic UI or older version is involved):/libs/cq/core/content/tools3. Access to QueryBuilder ServletPath:/bin/querybuilder.jsonPermission:Allow POST + GETWhy:Audit report UI uses QueryBuilder to fetch logs. Without this, UI breaks or returns no results.How to allow:You may need to explicitly allow this servlet path in your dispatcher filter rules or AEM ACLs.4. Access to ACS Commons Report Servlet (if applicable)Path:/bin/acs-commons/audit-log-reportPermission:read + allow execution (depends on your setup)This may vary by version, but if the UI calls this servlet directly, it must be accessible.5. General UI Permissions (Safe Defaults)Also grant jcr:read to:/etc/acs-commons/libs/cq/security/libs/cq/gui Recommended Steps to Apply1. Create a group:  - audit-log-report-users2. Assign the user to that group.3. Apply above permissions via:  - User Admin UI (/security)  - Or create a permission package (via RepoInit or ACL Packager)4. Test by logging in as a non-admin user and opening:http://localhost:4502/etc/acs-commons/audit-log-report.html Regards,Amit

Regístrese

Social Login

Bienvenido

Social Login

Escaneando el archivo en busca de virus

Este archivo no se puede descargar