Expand my Community achievements bar.

SOLVED

Permissions for 'everyone' usergroup

Avatar

Level 6
Level 6
4/16/24 4:35:58 AM

Is it advisable to add read permissions for /conf directory for everyone usergroup.
The problem statement is as follows, whenever a new site is developed by creating new set of templates and policies and is replicated to the publishers, the anonymous users are seeing the content getting rendered differently. Upon investigation it was identified that the anonymous users doesn't have read permissions for the new site template and policies. What would be the suggested approach to follow here? 
1. Add read permissions to /conf directory for everyone usergroup in the publisher. Noting that there would be more sites that would be developed in future, which would require anonymous access.
2. Add read permissions specific to the site templates/policies for everyone usergroup in the publisher. And we do this every time when a new site is replicated.


Views

528

Replies

6
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
4/16/24 8:53:51 AM
In response to RikVanB

Hi @jezwn 

It is not advisable to add read permissions for the `/conf` directory for the everyone user group. This would give all users access to the configuration files for your AEM instance, which could pose a security risk.

Instead, you should add read permissions specific to the site templates and policies for the everyone user group in the publisher. This will ensure that anonymous users have access to the necessary files without compromising the security of your AEM instance.

To make this process easier, you could create a custom user group that includes the necessary permissions for site templates and policies. Then, you can assign this user group to the appropriate folders when new sites are replicated.

It's important to note that granting read permissions to anonymous users can pose a security risk, as it allows anyone to access the content of your site. You should carefully consider the risks and benefits of allowing anonymous access before making any changes to your permissions.

refer
https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/security#:~:text=P...
https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/accessing/aem-user... 



View solution in original post

Views

432

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
6 Replies

Avatar

Level 3
Level 3
4/16/24 4:42:46 AM

Hi @jezwn 

 

I don't think it's an issue, just make sure that you block request to the /conf directly through dispatcher.
Also stated in this Accepted Solution: https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/editable-templates-access-...

 

Greetings
Rik

Views

519

Replies

5
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 6
Level 6
4/16/24 4:49:09 AM
In response to RikVanB

Thanks @RikVanB The link that you shared talks about setting permissions for anonymous user, and my question is more around 'everyone' group, but that should be fine I believe. But just to clarify, the reason why I was raising this question was that I came across this Adobe documentation talking about security implications of modifying the everyone group.
https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/security

Screenshot 2024-04-16 at 5.19.57 PM.png

Views

516

Replies

4
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
4/16/24 5:12:38 AM
In response to jezwn

Thanks for pointing that out @jezwn. If the official documentation is pointing out to not change anything on the everyone group, I would keep it like that.

On the other hand if you would add the permissions to the anonymous user group, you would have the same result as adding it to the everyone group. Because a request to the publisher is done by an anoymous user by default.

Views

500

Replies

3
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 6
Level 6
4/16/24 5:22:35 AM
In response to RikVanB

@RikVanB Anonymous is a user and not a usergroup. And AEM best practices says that you should add permissions to groups only and add the required members to the group, rather than assigning permissions to individual users. It's bit confusing overall.

Views

493

Replies

2
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
4/16/24 5:26:04 AM
In response to jezwn

@jezwnIndeed, you are right! My mistake!

What I would do then is like mentioned in my first message, change the permissions of the everyone user group and just block the request to /conf in your dispatcher. I think like that you would keep the security risks as small as possible.

Views

485

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Community Advisor
Community Advisor
4/16/24 8:53:51 AM
In response to RikVanB

Hi @jezwn 

It is not advisable to add read permissions for the `/conf` directory for the everyone user group. This would give all users access to the configuration files for your AEM instance, which could pose a security risk.

Instead, you should add read permissions specific to the site templates and policies for the everyone user group in the publisher. This will ensure that anonymous users have access to the necessary files without compromising the security of your AEM instance.

To make this process easier, you could create a custom user group that includes the necessary permissions for site templates and policies. Then, you can assign this user group to the appropriate folders when new sites are replicated.

It's important to note that granting read permissions to anonymous users can pose a security risk, as it allows anyone to access the content of your site. You should carefully consider the risks and benefits of allowing anonymous access before making any changes to your permissions.

refer
https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/security#:~:text=P...
https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/accessing/aem-user... 



Views

433

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
how to set up cache invalidation on webserver for multiple domain Solved

Views

194

Likes

0

Replies

5
How to Render the different version of Header for Specific Pages Using Experience Fragments in AEM?

Views

114

Likes

0

Replies

3
Way to remove the timestamp from the metadata field for expiry date

Views

127

Likes

0

Replies

4
Regarding User Roles and Permissions API of Adobe commerce

Views

87

Likes

0

Replies

2
Permissions for usersgroups for pages

Views

80

Likes

0

Replies

1