SOLVED

Programmatically add permissions to system user in AEM 6.1

Level 2

Hi,

Is it possible to programmatically add permissions to a system user in AEM 6.1 (i.e. using Java or Maven)?

This is my use case: I want to automatically create the system users and give them the needed permissions.

I tried to export the permissions stored in '/jcr:system/rep:permissionStore/crx.default/myuser' and then re-import, but I got an error saying that the path is protected (at least one other person had the same problem: http://stackoverflow.com/questions/31460105/how-to-import-content-with-system-user).

If I try to assign the permissions using Java, then I have a chicken-egg problem: I need a service user with the right permissions to be able to assign the permissions. Or maybe there is a built-in system user that I could use for that?

11 Replies

Level 10

What most people do to dynamically create users via the API is to create a user and then add that user to an existing AEM group that has defined permissions.

To learn how to create users and add them to a group -- see this AEM Community article: 

Using Jackrabbit UserManager APIs to create AEM Users and Groups at https://helpx.adobe.com/experience-manager/using/jackrabbit-users.html.

Level 2

I read the article, but if I look at its code I see this:

adminResolver = resolverFactory.getAdministrativeResourceResolver(null);

and this doesn't work in AEM 6.1; I need to change it to something like:

Map<String, Object> param = new HashMap<String, Object>();
param.put(ResourceResolverFactory.SUBSERVICE, "theServiceName");
adminResolver = resolverFactory.getServiceResourceResolver(param);

and map a system user to that service. And this is exactly the chicken-egg problem I was talking about: I need to use a system user to be able to assign permissions to a system user.

Level 10

Hi,

Here is a simple article which talks about assigning permissions to a node in AEM; however, it is based on 5.6.1. It can surely help you.

http://www.albinsblog.com/2015/01/modify-node-permissions-through-java.html#.VifWdvkrLIU

Regarding the user, you create one user with the required permissions and map that user to the service. Then implement your logic in this service.

Is there any issue? Why don't you create a user from user admin management?

For info: Maven is a build tool; you cannot write code in it.

Correct answer by
Level 10

OK - that article was written and tested on 5.6. We still have a lot of AEM users on that CQ version.

Anyhow, for AEM 6.1 - manually create an AEM system user as documented here:

https://docs.adobe.com/docs/en/aem/6-1/administer/security/security.html

Then use that system user when using the getServiceResourceResolver method:

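// Imports: java.util.HashMap, java.util.Map, javax.jcr.Session,
// org.apache.sling.api.resource.{LoginException, ResourceResolver, ResourceResolverFactory}
Map<String, Object> param = new HashMap<String, Object>();
// SUBSERVICE names the subservice whose mapping selects the system user
param.put(ResourceResolverFactory.SUBSERVICE, "datawrite");
ResourceResolver resolver = null;
try {
    resolver = resolverFactory.getServiceResourceResolver(param);
    Session session = resolver.adaptTo(Session.class);
    // ... use the session here ...
} catch (LoginException e) {
    // thrown when no user is mapped to the "datawrite" subservice
    throw new IllegalStateException("Cannot open service resolver for 'datawrite'", e);
} finally {
    if (resolver != null) {
        resolver.close(); // always release the service resolver
    }
}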

Do not try to create the system user (i.e. datawrite in this code example) via the Jackrabbit API.
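An added example, not code from this thread or from Adobe: granting one privilege on one path to an already existing system user through a service resolver, which is the step the original poster asks about. The class `SystemUserAcl`, its parameters and the choice of `jcr:read` are hypothetical; it assumes the subservice is mapped to a user that already holds `jcr:readAccessControl` and `jcr:modifyAccessControl` on the path and can read the target user, and that the adapted session is a `JackrabbitSession`.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;

/** Hypothetical helper (added example): grants jcr:read on one path to an existing system user. */
public final class SystemUserAcl {

    private SystemUserAcl() {
    }

    /** @return true if a new allow entry was written, false if the ACL already contained it */
    public static boolean grantRead(ResourceResolverFactory factory, String subservice,
            String systemUserId, String path) throws LoginException, RepositoryException {
        Map<String, Object> param = new HashMap<String, Object>();
        param.put(ResourceResolverFactory.SUBSERVICE, subservice);
        ResourceResolver resolver = factory.getServiceResourceResolver(param);
        try {
            Session session = resolver.adaptTo(Session.class);
            if (!(session instanceof JackrabbitSession)) {
                throw new IllegalStateException("No Jackrabbit session behind the resolver");
            }
            // Look the user up; it is never created here.
            Authorizable user = ((JackrabbitSession) session).getUserManager()
                    .getAuthorizable(systemUserId);
            if (user == null || user.isGroup()) {
                throw new IllegalArgumentException("Not an existing user: " + systemUserId);
            }
            Principal principal = user.getPrincipal();
            // Grant only the named privilege on the named path (least privilege).
            boolean changed = AccessControlUtils.addAccessControlEntry(
                    session, path, principal, new String[] { Privilege.JCR_READ }, true);
            if (changed) {
                session.save(); // ACL edits are transient until saved
            }
            return changed;
        } finally {
            resolver.close();
        }
    }
}
```

The user behind the subservice still has to receive its own access-control privileges from somewhere else first, so this does not remove the bootstrap step discussed in the thread.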

Level 2

Sorry, there was a mistake in my original question; I edited it to correct it. I don't want to create any user or assign permissions manually; I want to do it all automatically. I want to do that just so that I can simply install my bundle and have everything working.

Level 2

Sorry, there was a mistake in my original question; I just corrected it. I want to do it all automatically. In other words: I don't want to create a user manually nor assign permissions manually. I wonder if it is possible at all (given the sentence 'Do not try and create the system user' in your answer, I think it isn't).

Level 10

I agree that you want to create the user and assign permissions automatically, but to do that you need to write an OSGi service. That service will require a user permission to run, and inside that service you can implement your logic to create the user and add permissions manually. However, it won't be possible to execute this service when you install the bundle; you need to call it manually.

Level 10

I agree with Praveen - write an OSGi bundle to create all users - except for the system user - create the system user via the AEM GUI.

Level 2

Sorry, there was a mistake in my original question; I edited it to correct it. I don't want to create any user or assign users manually; I want to do it all automatically. I want to do that just so that I can simply install my bundle and have everything working.

Level 4

So is there no way to add a system user via an AEM package?

I ask because we have created a service and would like the system user to live in the same Maven project as the service, so when moving it to different environments the user exists.

We have tried to add a vault-filter for the /home/users/system/<user> with little success.

Thanks,

-Tyler

Level 1

I too would like to know how to do this.

Did you get anywhere with this? Any pointers would be appreciated, thanks.