Expand my Community achievements bar.

July 31st AEM Gems Webinar: Elevate your AEM development to master the integration of private GitHub repositories within AEM Cloud Manager.
SOLVED

Programmatically add permissions to system user in AEM 6.1

Avatar

Level 2

Hi,

is it possible to programmatically add permissions to a system user in AEM 6.1 (i.e. using java or maven)?

This is my use case: I want to automatically create the system users and give them the needed permissions.

I tried to export the permissions stored in '/jcr:system/rep:permissionStore/crx.default/myuser' and then re-import, but I got an error saying that the path is protected (at least one other person had the same problem: http://stackoverflow.com/questions/31460105/how-to-import-content-with-system-user).

If I try to assign the permissions using java, then I have a chicken-egg problem: I need a service user with the right permissions to be able to assign the permissions. Or maybe there is a builtin system user that I could use for that?

1 Accepted Solution

Avatar

Correct answer by
Level 10

OK - that was article written and tested on 5.6. We still have a lot of AEM users on that CQ version. 

Anyhow for AEM 6.1 - manually create an AEM system as documented here:

https://docs.adobe.com/docs/en/aem/6-1/administer/security/security.html

Then use that system user when using the getServiceResourceResolver method:

 Map<String, Object> param = new HashMap<String, Object>();

param.put(ResourceResolverFactory.SUBSERVICE, "datawrite");
ResourceResolver resolver = null;

try {
           
    resolver = resolverFactory.getServiceResourceResolver(param);
    session = resolver.adaptTo(Session.class);

Do not try and create the system user (ie -  datawrite in this code example) via the Jackrabbit API. 

View solution in original post

11 Replies

Avatar

Level 10

What most people do to dynamically create users via the API is to create a user and then add that user to an existing AEM group that has defined permissions.

To learn how to create users and add them to a group -- see this AEM Community article: 

Using Jackrabbit UserManager APIs to create AEM Users and Groups at https://helpx.adobe.com/experience-manager/using/jackrabbit-users.html.

Avatar

Level 2

I read the article but if I look its code I see this:

adminResolver = resolverFactory.getAdministrativeResourceResolver(null);

and this doesn't work in aem 6.1, I need to change to something like:

Map<String, Object> param = new HashMap<String, Object>();
param.put(ResourceResolverFactory.SUBSERVICE, "theServiceName");
adminResolver = resolverFactory.getServiceResourceResolver(param);

and map a system user to that service. And this is exactly the chicken-egg problem I was talking about: I need to use a system user to be able to assign permissions to a system user.

Avatar

Level 10

Hi,

here is a simple article which talk about assigning permission to node in aem, however this is based on 5.6.1. it can surely help you.

http://www.albinsblog.com/2015/01/modify-node-permissions-through-java.html#.VifWdvkrLIU

Regarding user, you create one user with required permission and map that user to service. And implement your logic in this service.

Is there any issue, why don't you create a user from user admin management.?

For info: Maven is build tool, you can not use write code in it.

Avatar

Correct answer by
Level 10

OK - that was article written and tested on 5.6. We still have a lot of AEM users on that CQ version. 

Anyhow for AEM 6.1 - manually create an AEM system as documented here:

https://docs.adobe.com/docs/en/aem/6-1/administer/security/security.html

Then use that system user when using the getServiceResourceResolver method:

 Map<String, Object> param = new HashMap<String, Object>();

param.put(ResourceResolverFactory.SUBSERVICE, "datawrite");
ResourceResolver resolver = null;

try {
           
    resolver = resolverFactory.getServiceResourceResolver(param);
    session = resolver.adaptTo(Session.class);

Do not try and create the system user (ie -  datawrite in this code example) via the Jackrabbit API. 

Avatar

Level 2

edubey wrote...

Hi,

here is a simple article which talk about assigning permission to node in aem, however this is based on 5.6.1. it can surely help you.

http://www.albinsblog.com/2015/01/modify-node-permissions-through-java.html#.VifWdvkrLIU

Regarding user, you create one user with required permission and map that user to service. And implement your logic in this service.

Is there any issue, why don't you create a user from user admin management.?

For info: Maven is build tool, you can not use write code in it.

 

sorry, there was a mistake in my original question, I edited it to correct. I don't want to create any user nor assign permissions manually, I want to do all automatically. I want to do that just so that I can simple install my bundle and have all working.

Avatar

Level 2

smacdonald2008 wrote...

OK - that was article written and tested on 5.6. We still have a lot of AEM users on that CQ version. 

Anyhow for AEM 6.1 - manually create an AEM system as documented here:

https://docs.adobe.com/docs/en/aem/6-1/administer/security/security.html

Then use that system user when using the getServiceResourceResolver method:

 Map<String, Object> param = new HashMap<String, Object>();

param.put(ResourceResolverFactory.SUBSERVICE, "datawrite");
ResourceResolver resolver = null;

try {
           
    resolver = resolverFactory.getServiceResourceResolver(param);
    session = resolver.adaptTo(Session.class);

Do not try and create the system user (ie -  datawrite in this code example) via the Jackrabbit API. 

 


sorry, there was a mistake in my original question, I just corrected it. I want to do all automatically. In other words: I don't want to create a user manually not assign permissions manually. I wonder if it is possible at all (given the sentence 'Do not try and create the system user' in your answer, I think it isn't).

Avatar

Level 10

I agree that you want to create user and assign permission automatically but to do that you need to write a OSGI service. That service will require a user permission to run and inside that service you can implement you logic to create user and add permission manually.However it wont be possible to execute this service when you install bundle, you need to manually call this.

Avatar

Level 10

I agree with Praveen - write an OSGi bundle to create all users - expect for the system user - create the system user via the AEM GUI. 

Avatar

Level 2

sorry, there was a mistake in my original question, I edited it to correct. I don't want to create any user nor assign users manually, I want to do all automatically. I want to do that just so that I can simple install my bundle and have all working.

Avatar

Level 4

So is there no way to add a system user via a AEM Package?

I ask because we have created a service and would like system user to live in the same maven project as the service, so when moving it to different environments the user exists.

We have tried to add a vault-filter for the /home/users/system/<user> with little success.

Thanks,

-Tyler

Avatar

Level 1

I too would like to know how to do this.

Did you get anywhere with this? Any pointers would be appreciated, thanks.