Adobe Experience Manager Sites & More

skmAem · 6/1/20

Hello AEM Gurus,

We have a requirement to prevent everyone (including administrators) from replicating assets from a certain path under /content/dam. I have removed replicate permission for this path (eg /content/dam/testfldr) for all of the groups including the administrators group. But users in this administrators group are still able to replicate the assets under this path. When I see the permissions for administrators in useradmin for /content/dam/testfldr path, it has a *! markup next to the Replicate checkbox. When I hover over that checkbox, it says "Noneffective administrators (deny)" in a modal popup.

Is it possible to prevent administrators from replicating assets from certain paths? If setting permission through useradmin is not possible, is there an alternative way to achieve this?

Appreciate any help/pointers on this.

-SKM

Shashi_Mulugu · 6/2/20

To guide you better, try not to use OOTB administrators group instead create your own client/project specific admin groups upon which you control permissions to each subtree and add people to it. Try to restrict to only add system admins to OOTB group for system maintenance.

View solution in original post

hamidk92094312 · 6/1/20

Can you verify if can do it via ACLs for individual path in crx/de ?

ArpitVarshney · 6/2/20

Hi @skmAem

I'm not sure but you can't change admin permission in AEM. If you try to do so, it will revert back to default again.

The role of admin to control and manage everything so restricting it for any action won't make any sense.

Regards,

Arpit Varshney

Shashi_Mulugu · 6/2/20

To guide you better, try not to use OOTB administrators group instead create your own client/project specific admin groups upon which you control permissions to each subtree and add people to it. Try to restrict to only add system admins to OOTB group for system maintenance.

skmAem · 6/4/20

Thanks @Shashi_Mulugu,

We will follow this approach to create custom admin group and assign permissions accordingly.

Best Regards,

SKM

skmAem · 6/2/20

@hamidk92094312

When I denied the replicate permission through useradmin, i can see that the deny for crx:replicate action for administrators group in crxde access control tab. Pls see the screenshot. But it still allows a user in the administrators group to replicate assets.

@Shashi_Mulugu & @ArpitVarshney , I agree that we should have followed the setup as you mentioned, but unfortunately I recently joined this project and they already have several power users added under administrators group for some reason. How do I work around it?

On this document: https://docs.adobe.com/content/help/en/experience-manager-64/administering/security/security.html they say you set "deny-everyone" on a node, administrators will have to be enabled explicitly to get them the access, what do they mean by "deny-everyone"? Pls see screenshot below:

Thanks everyone for your inputs!

-Shridev

hamidk92094312 · 6/2/20

It's true .. it seems its not possible to achieve this via permission restrictions.

Shashi_Mulugu · 6/2/20

Eventhough it is existing project you can simply create a new admin-level group and move the users to from OOTB group to new group.. I feel that should be simple and optimal solutions instead of customizing touchui and implementing custom JS..

skmAem · 6/2/20

If it is not possible to prevent replication through permissions, is it possible to prevent it through touch ui/granite for everyone for a specific folder in dam? Any suggestions for this approach?

ArpitVarshney · 6/2/20

Hi @skmAem

I think it is not possible to change admin permission by anyway. Even though you will deny for everyone, admin can still access it because of its role in AEM.

Regards,

Arpit

skmAem · 6/2/20

Hi @ArpitVarshney, when you say "admin" account, do you mean anyone in the administrators group or the ootb "admin" account?

Thanks & Regards,

SKM

Adobe Experience Manager Sites & More

Remove replicate permission for administrators - AEM 6.4

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe