Permissions for 'everyone' usergroup | Community
Skip to main content
jezwn
jezwn
Level 5
April 16, 2024
Solved

Permissions for 'everyone' usergroup

  • April 16, 2024
  • 1 reply
  • 1380 views

Is it advisable to add read permissions for /conf directory for everyone usergroup.
The problem statement is as follows, whenever a new site is developed by creating new set of templates and policies and is replicated to the publishers, the anonymous users are seeing the content getting rendered differently. Upon investigation it was identified that the anonymous users doesn't have read permissions for the new site template and policies. What would be the suggested approach to follow here? 
1. Add read permissions to /conf directory for everyone usergroup in the publisher. Noting that there would be more sites that would be developed in future, which would require anonymous access.
2. Add read permissions specific to the site templates/policies for everyone usergroup in the publisher. And we do this every time when a new site is replicated.


This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by Raja_Reddy

@jezwnIndeed, you are right! My mistake!

What I would do then is like mentioned in my first message, change the permissions of the everyone user group and just block the request to /conf in your dispatcher. I think like that you would keep the security risks as small as possible.


Hi @jezwn 

It is not advisable to add read permissions for the `/conf` directory for the everyone user group. This would give all users access to the configuration files for your AEM instance, which could pose a security risk.

Instead, you should add read permissions specific to the site templates and policies for the everyone user group in the publisher. This will ensure that anonymous users have access to the necessary files without compromising the security of your AEM instance.

To make this process easier, you could create a custom user group that includes the necessary permissions for site templates and policies. Then, you can assign this user group to the appropriate folders when new sites are replicated.

It's important to note that granting read permissions to anonymous users can pose a security risk, as it allows anyone to access the content of your site. You should carefully consider the risks and benefits of allowing anonymous access before making any changes to your permissions.

refer
https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/security#:~:text=Permissions%20give%20users%20and%20groups,clearing%20the%20appropriate%20check%20boxes
https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/accessing/aem-users-groups-and-permissions 

1 reply

RikVanB
RikVanB
Level 2
April 16, 2024

Hi @jezwn 

 

I don't think it's an issue, just make sure that you block request to the /conf directly through dispatcher.
Also stated in this Accepted Solution: https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/editable-templates-access-on-conf-for-anonymous-user/m-p/299247/highlight/true#M44538

 

Greetings
Rik

    jezwn
    jezwnAuthor
    Level 5
    April 16, 2024

    Thanks @rikvanb The link that you shared talks about setting permissions for anonymous user, and my question is more around 'everyone' group, but that should be fine I believe. But just to clarify, the reason why I was raising this question was that I came across this Adobe documentation talking about security implications of modifying the everyone group.
    https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/security

      RikVanB
      RikVanB
      Level 2
      April 16, 2024

      Thanks for pointing that out @jezwn. If the official documentation is pointing out to not change anything on the everyone group, I would keep it like that.

      On the other hand if you would add the permissions to the anonymous user group, you would have the same result as adding it to the everyone group. Because a request to the publisher is done by an anoymous user by default.

        Terms & ConditionsAccessibility statement

        Loading footer...