Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

Permissions for 'everyone' usergroup

Avatar

Level 6
Level 6
4/16/24 4:35:58 AM

Is it advisable to add read permissions for /conf directory for everyone usergroup.
The problem statement is as follows, whenever a new site is developed by creating new set of templates and policies and is replicated to the publishers, the anonymous users are seeing the content getting rendered differently. Upon investigation it was identified that the anonymous users doesn't have read permissions for the new site template and policies. What would be the suggested approach to follow here? 
1. Add read permissions to /conf directory for everyone usergroup in the publisher. Noting that there would be more sites that would be developed in future, which would require anonymous access.
2. Add read permissions specific to the site templates/policies for everyone usergroup in the publisher. And we do this every time when a new site is replicated.


Views

497

Replies

6
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
4/16/24 8:53:51 AM
In response to RikVanB

Hi @jezwn 

It is not advisable to add read permissions for the `/conf` directory for the everyone user group. This would give all users access to the configuration files for your AEM instance, which could pose a security risk.

Instead, you should add read permissions specific to the site templates and policies for the everyone user group in the publisher. This will ensure that anonymous users have access to the necessary files without compromising the security of your AEM instance.

To make this process easier, you could create a custom user group that includes the necessary permissions for site templates and policies. Then, you can assign this user group to the appropriate folders when new sites are replicated.

It's important to note that granting read permissions to anonymous users can pose a security risk, as it allows anyone to access the content of your site. You should carefully consider the risks and benefits of allowing anonymous access before making any changes to your permissions.

refer
https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/security#:~:text=P...
https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/accessing/aem-user... 



View solution in original post

Views

401

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
6 Replies

Avatar

Level 3
Level 3
4/16/24 4:42:46 AM

Hi @jezwn 

 

I don't think it's an issue, just make sure that you block request to the /conf directly through dispatcher.
Also stated in this Accepted Solution: https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/editable-templates-access-...

 

Greetings
Rik

Views

488

Replies

5
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 6
Level 6
4/16/24 4:49:09 AM
In response to RikVanB

Thanks @RikVanB The link that you shared talks about setting permissions for anonymous user, and my question is more around 'everyone' group, but that should be fine I believe. But just to clarify, the reason why I was raising this question was that I came across this Adobe documentation talking about security implications of modifying the everyone group.
https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/security

Screenshot 2024-04-16 at 5.19.57 PM.png

Views

485

Replies

4
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
4/16/24 5:12:38 AM
In response to jezwn

Thanks for pointing that out @jezwn. If the official documentation is pointing out to not change anything on the everyone group, I would keep it like that.

On the other hand if you would add the permissions to the anonymous user group, you would have the same result as adding it to the everyone group. Because a request to the publisher is done by an anoymous user by default.

Views

469

Replies

3
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 6
Level 6
4/16/24 5:22:35 AM
In response to RikVanB

@RikVanB Anonymous is a user and not a usergroup. And AEM best practices says that you should add permissions to groups only and add the required members to the group, rather than assigning permissions to individual users. It's bit confusing overall.

Views

462

Replies

2
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
4/16/24 5:26:04 AM
In response to jezwn

@jezwnIndeed, you are right! My mistake!

What I would do then is like mentioned in my first message, change the permissions of the everyone user group and just block the request to /conf in your dispatcher. I think like that you would keep the security risks as small as possible.

Views

454

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Community Advisor
Community Advisor
4/16/24 8:53:51 AM
In response to RikVanB

Hi @jezwn 

It is not advisable to add read permissions for the `/conf` directory for the everyone user group. This would give all users access to the configuration files for your AEM instance, which could pose a security risk.

Instead, you should add read permissions specific to the site templates and policies for the everyone user group in the publisher. This will ensure that anonymous users have access to the necessary files without compromising the security of your AEM instance.

To make this process easier, you could create a custom user group that includes the necessary permissions for site templates and policies. Then, you can assign this user group to the appropriate folders when new sites are replicated.

It's important to note that granting read permissions to anonymous users can pose a security risk, as it allows anyone to access the content of your site. You should carefully consider the risks and benefits of allowing anonymous access before making any changes to your permissions.

refer
https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/security#:~:text=P...
https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/accessing/aem-user... 



Views

402

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
I want to disable the delete copy move and all the other options for the child components Solved

Views

137

Likes

0

Replies

5
How to store multiple Org IDs, Environment IDs, Program IDs locally for AIO Plugin Deployment? Solved

Views

117

Likes

0

Replies

3
how to implement nonce for Content-Security-Policy script-src directive in dispatcher

Views

91

Likes

0

Replies

2
Ability to preview or thumbnail to preview for XF

Views

79

Likes

0

Replies

2
Tips Needed for Adobe AD0-E126 Exam Preparation

Views

423

Likes

0

Replies

3