Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

Permissions for 'everyone' usergroup

Avatar

Level 6

Is it advisable to add read permissions for /conf directory for everyone usergroup.
The problem statement is as follows, whenever a new site is developed by creating new set of templates and policies and is replicated to the publishers, the anonymous users are seeing the content getting rendered differently. Upon investigation it was identified that the anonymous users doesn't have read permissions for the new site template and policies. What would be the suggested approach to follow here? 
1. Add read permissions to /conf directory for everyone usergroup in the publisher. Noting that there would be more sites that would be developed in future, which would require anonymous access.
2. Add read permissions specific to the site templates/policies for everyone usergroup in the publisher. And we do this every time when a new site is replicated.


1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Hi @jezwn 

It is not advisable to add read permissions for the `/conf` directory for the everyone user group. This would give all users access to the configuration files for your AEM instance, which could pose a security risk.

Instead, you should add read permissions specific to the site templates and policies for the everyone user group in the publisher. This will ensure that anonymous users have access to the necessary files without compromising the security of your AEM instance.

To make this process easier, you could create a custom user group that includes the necessary permissions for site templates and policies. Then, you can assign this user group to the appropriate folders when new sites are replicated.

It's important to note that granting read permissions to anonymous users can pose a security risk, as it allows anyone to access the content of your site. You should carefully consider the risks and benefits of allowing anonymous access before making any changes to your permissions.

refer
https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/security#:~:text=P...
https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/accessing/aem-user... 



View solution in original post

6 Replies

Avatar

Level 3

Hi @jezwn 

 

I don't think it's an issue, just make sure that you block request to the /conf directly through dispatcher.
Also stated in this Accepted Solution: https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/editable-templates-access-...

 

Greetings
Rik

Avatar

Level 6

Thanks @RikVanB The link that you shared talks about setting permissions for anonymous user, and my question is more around 'everyone' group, but that should be fine I believe. But just to clarify, the reason why I was raising this question was that I came across this Adobe documentation talking about security implications of modifying the everyone group.
https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/security

Screenshot 2024-04-16 at 5.19.57 PM.png

Avatar

Level 3

Thanks for pointing that out @jezwn. If the official documentation is pointing out to not change anything on the everyone group, I would keep it like that.

On the other hand if you would add the permissions to the anonymous user group, you would have the same result as adding it to the everyone group. Because a request to the publisher is done by an anoymous user by default.

Avatar

Level 6

@RikVanB Anonymous is a user and not a usergroup. And AEM best practices says that you should add permissions to groups only and add the required members to the group, rather than assigning permissions to individual users. It's bit confusing overall.

Avatar

Level 3

@jezwnIndeed, you are right! My mistake!

What I would do then is like mentioned in my first message, change the permissions of the everyone user group and just block the request to /conf in your dispatcher. I think like that you would keep the security risks as small as possible.

Avatar

Correct answer by
Community Advisor

Hi @jezwn 

It is not advisable to add read permissions for the `/conf` directory for the everyone user group. This would give all users access to the configuration files for your AEM instance, which could pose a security risk.

Instead, you should add read permissions specific to the site templates and policies for the everyone user group in the publisher. This will ensure that anonymous users have access to the necessary files without compromising the security of your AEM instance.

To make this process easier, you could create a custom user group that includes the necessary permissions for site templates and policies. Then, you can assign this user group to the appropriate folders when new sites are replicated.

It's important to note that granting read permissions to anonymous users can pose a security risk, as it allows anyone to access the content of your site. You should carefully consider the risks and benefits of allowing anonymous access before making any changes to your permissions.

refer
https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/security#:~:text=P...
https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/accessing/aem-user...