Hi All,
I see some issues with Repoinit. I'm using the script below to apply permissions to all the child nodes under /content/experience-fragments/global-branding. The permissions are being applied only to the folder and not to the XFs (cq:Page). Specifically, only the read permission is being applied, not the modify permission. I have even deleted the service user and reinstalled the packages, but no luck.
Has anyone encountered a similar issue? Please let me know.
org.apache.sling.jcr.repoinit.RepositoryInitializer~project.cfg.json
{
"scripts": [
"create path /conf/test (sling:Folder)",
"set ACL for everyone\nallow jcr:read on /conf/test\nend",
"create service user brandWriteUser",
"set ACL for brandWriteUser\nallow jcr:read, jcr:write, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode on /content/brand/en\nend",
"set ACL for brandWriteUser\nallow jcr:read, jcr:write, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode on /content/experience-fragments/global-branding\nend"
]
}
Hi @test1234567 ,
You may try writing "on" first and "for" later, like below:
"create service user projectname-system\n set ACL on /\n allow jcr:all for projectname-system\n end\n"
Example
{
"scripts": [
"create path (sling:OrderedFolder) /content/dam/projectname",
"create path (nt:unstructured) /content/dam/projectname/jcr:content",
"set properties on /content/dam/projectname/jcr:content\n set cq:conf{String} to /conf/projectname\n set jcr:title{String} to \"projectname\"\nend",
"create service user projectname-system\n set ACL on /\n allow jcr:all for projectname-system\n end\n"
]
}
Reference https://sling.apache.org/documentation/bundles/repository-initialization.html#repoinit-parser-test-s...
Thanks
After I changed it to jcr:all, it applied complete permissions. I want to apply permissions only for Read, Modify, Create, and Delete and restrict access for Read ACL, Edit ACL, and Replicate.
{
"scripts": [
"create path (sling:Folder) /conf/test",
"set ACL for everyone\nallow jcr:read on /conf/test\nend",
"create service user brandWriteUser",
"set ACL on /content/experience-fragments/global-branding\n allow jcr:read, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode for brandWriteUser\n deny jcr:readAccessControl, jcr:modifyAccessControl, jcr:replicate for brandWriteUser\n end\n",
"set ACL on /content/brand/en\n allow jcr:read, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode for brandWriteUser\n deny jcr:readAccessControl, jcr:modifyAccessControl, jcr:replicate for brandWriteUser\n end\n"
]
}
Hi @test1234567 ,
Sorry for the confusion; that jcr:all is just an example.
I only asked you to exchange the positions of "on /path" and "for user(s)".
Thanks
I don't see any specific errors in the logs. I want to restrict the permissions for Read ACL, Edit ACL, and Replicate, but the script below is not working.
{
"scripts": [
"create path (sling:Folder) /conf/test",
"set ACL for everyone\nallow jcr:read on /conf/test\nend",
"create service user brandWriteUser",
"set ACL on /content/experience-fragments/global-branding\n allow jcr:read, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode for brandWriteUser\n deny jcr:readAccessControl, jcr:modifyAccessControl, jcr:replicate for brandWriteUser\n end\n",
"set ACL on /content/brand/en\n allow jcr:read, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode for brandWriteUser\n deny jcr:readAccessControl, jcr:modifyAccessControl, jcr:replicate for brandWriteUser\n end\n"
]
}
@test1234567
Not sure if this will fix your issue, but you can try this way.
org.apache.sling.jcr.repoinit.RepositoryInitializer~project.config - OSGi config name (change the extension from .cfg.json to .config)
scripts=["
create path /conf/test (sling:Folder)
set principal ACL for everyone
allow jcr:read on /conf/test
create service user brandWriteUser
set principal ACL for brandWriteUser
allow jcr:read, jcr:write, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode on /content/brand/en
set principal ACL for brandWriteUser
allow jcr:read, jcr:write, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode on /content/experience-fragments/global-branding
"]
Hope this helps.
Ignore the script above; use the following one instead:
scripts=["
create path /conf/test (sling:Folder)
set principal ACL for everyone
allow jcr:read on /conf/test
end
create service user brandWriteUser with forced path system/cq:services/medi
set principal ACL for brandWriteUser
allow jcr:read, jcr:write, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode on /content/brand/en
allow jcr:read, jcr:write, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode on /content/experience-fragments/global-branding
end
"]
It's not working. Basically, I want to restrict access to 'Read ACL', 'Edit ACL', and 'Replicate'.
Access should only be granted for 'Read', 'Modify', 'Create', and 'Delete'.
jcr:write: An aggregate privilege that contains:
I tried the script below and it works for me. Before running a new script, make sure that all obsolete ACEs are removed for the system user. You can find an example in the new script:
scripts=["
# Remove obsolete ACEs for the node rep:principalPolicy under /home/users if there are any
remove principal ACE for brandWriteUser
allow jcr:read, jcr:write, crx:replicate on /content/medi/at/de
end
# Remove obsolete ACEs for the node rep:policy.
# For example if you have allow node under rep:policy of /content, with rep:privileges=jcr:read, and
# rep:principalName=brandWriteUser then this entry will be removed.
remove ACE for brandWriteUser
allow jcr:read on /content
end
create service user brandWriteUser
set principal ACL for brandWriteUser
allow jcr:read, jcr:write on /content/medi/at/de
end
"]
Below you can find a simple code snippet which helps to check permissions for your principal:
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitWorkspace;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;

// Needs an injected ResourceResolverFactory and a service user mapping that maps
// this bundle's sub-service "brandWriteUser" to the system user of the same name.
String path = "/content/medi/at/de";
try (ResourceResolver rr = resourceResolverFactory.getServiceResourceResolver(Map.of(
        ResourceResolverFactory.SUBSERVICE, "brandWriteUser"))) {
    Session session = rr.adaptTo(Session.class);
    PrivilegeManager privilegeManager =
            ((JackrabbitWorkspace) session.getWorkspace()).getPrivilegeManager();
    AccessControlManager acm = session.getAccessControlManager();
    Privilege readAccessControl = privilegeManager.getPrivilege("jcr:readAccessControl");
    Privilege modifyAccessControl = privilegeManager.getPrivilege("jcr:modifyAccessControl");
    Privilege replicate = privilegeManager.getPrivilege("crx:replicate");
    Privilege write = privilegeManager.getPrivilege("jcr:write");
    Privilege read = privilegeManager.getPrivilege("jcr:read");
    // hasPrivileges evaluates the effective permissions of the session's principal
    // on the given path, i.e. the result of all resource-based and principal-based ACEs
    boolean hasReadAcl = acm.hasPrivileges(path, new Privilege[]{readAccessControl});
    boolean hasModifyAcl = acm.hasPrivileges(path, new Privilege[]{modifyAccessControl});
    boolean hasReplicate = acm.hasPrivileges(path, new Privilege[]{replicate});
    boolean hasJcrRead = acm.hasPrivileges(path, new Privilege[]{read});
    boolean hasJcrWrite = acm.hasPrivileges(path, new Privilege[]{write});
    // LOG is the class's SLF4J logger
    LOG.info("read={} write={} readAcl={} modifyAcl={} replicate={}",
            hasJcrRead, hasJcrWrite, hasReadAcl, hasModifyAcl, hasReplicate);
} catch (LoginException | RepositoryException e) {
    throw new RuntimeException(e);
}
This is what I get back as a result:
Thanks.
Thank you for the details. Could you please confirm if it is recommended to remove obsolete ACEs before adding the new permissions? If so, this will be executed for all deployments. Please confirm.
I always prefer not to keep any obsolete data in the repository. The script will be executed along with every deployment, but if it finds nothing to clean up then it will not do anything; the same applies for setting permissions.
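As an added example (not code from this thread, from Sling or from AEM), here is a small Python lint that can run in CI over a RepositoryInitializer ~project.cfg.json before it is deployed. It flags the things that made the scripts in this thread fail or over-grant: a privilege name that does not exist in Oak/AEM (the replication privilege is crx:replicate; there is no jcr:replicate, and Oak rejects an ACE that names an unknown privilege), a deny entry inside a "set principal ACL" block (Oak's principal-based authorization supports allow entries only, so the restriction is achieved by simply not granting the privilege), and allowing jcr:all, which is the aggregate of every registered privilege and therefore includes jcr:readAccessControl, jcr:modifyAccessControl and crx:replicate. It also reports members of jcr:write listed next to jcr:write, which is redundant. The privilege table, the two sample configs and the brandWriteUser paths are assumptions constructed for this example.

```python
"""Lint Sling repoinit scripts in a RepositoryInitializer *.cfg.json before deploying.

Added example for this thread, not code from Sling or AEM. Assumptions: the
privilege table below (JCR 2.0 standard privileges, Oak's rep:* set and AEM's
crx:replicate) and the two sample configs, constructed from the scripts above.
"""
import json
import re

KNOWN_PRIVILEGES = {
    "jcr:read", "jcr:modifyProperties", "jcr:addChildNodes", "jcr:removeNode",
    "jcr:removeChildNodes", "jcr:write", "jcr:readAccessControl",
    "jcr:modifyAccessControl", "jcr:lockManagement", "jcr:versionManagement",
    "jcr:nodeTypeManagement", "jcr:retentionManagement", "jcr:lifecycleManagement",
    "jcr:workspaceManagement", "jcr:nodeTypeDefinitionManagement",
    "jcr:namespaceManagement", "jcr:all",
    "rep:write", "rep:addProperties", "rep:alterProperties", "rep:removeProperties",
    "rep:readNodes", "rep:readProperties", "rep:userManagement",
    "rep:privilegeManagement", "rep:indexDefinitionManagement",
    "crx:replicate",  # AEM's replication privilege; there is no jcr:replicate
}

# Aggregates and their members, used to report redundant grants.
AGGREGATES = {
    "jcr:write": {"jcr:modifyProperties", "jcr:addChildNodes",
                  "jcr:removeNode", "jcr:removeChildNodes"},
    "rep:write": {"jcr:write", "jcr:nodeTypeManagement"},
}

ACL_HEADER = re.compile(r"^(set|remove)\s+(principal\s+)?AC[LE]\b")
ACE = re.compile(r"^(allow|deny)\s+(.+?)\s+(on|for)\s+")


def lint_repoinit(script: str) -> list:
    """Return (line_no, message) findings for one repoinit script string."""
    findings = []
    in_acl = principal_based = False
    for no, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = ACL_HEADER.match(line)
        if header:
            in_acl, principal_based = True, header.group(2) is not None
            continue
        if line == "end":
            in_acl = principal_based = False
            continue
        ace = ACE.match(line)
        if not (in_acl and ace):
            continue
        verb, privs = ace.group(1), [p.strip() for p in ace.group(2).split(",")]
        if verb == "deny" and principal_based:
            findings.append((no, "deny is not supported in principal-based ACLs; "
                                 "omit the privilege instead of denying it"))
        for priv in privs:
            if priv not in KNOWN_PRIVILEGES:
                findings.append((no, f"unknown privilege {priv!r}; Oak rejects this ACE"))
        if verb == "allow" and "jcr:all" in privs:
            findings.append((no, "jcr:all also grants jcr:modifyAccessControl and crx:replicate"))
        for aggregate, members in AGGREGATES.items():
            redundant = sorted(members.intersection(privs)) if aggregate in privs else []
            if redundant:
                findings.append((no, f"{redundant} already included in {aggregate}"))
    return findings


def lint_config(cfg_json: str) -> list:
    """Lint every entry of the "scripts" array; returns (script_index, line_no, message)."""
    cfg = json.loads(cfg_json)
    return [(idx, no, msg)
            for idx, script in enumerate(cfg.get("scripts", []))
            for no, msg in lint_repoinit(script)]


# Constructed sample 1: the resource-based script from the thread, plus a
# principal-based block that tries to deny. All three problems are reported.
BROKEN_CFG = json.dumps({"scripts": [
    "create service user brandWriteUser",
    "set ACL on /content/brand/en\n"
    " allow jcr:read, jcr:write, jcr:modifyProperties for brandWriteUser\n"
    " deny jcr:readAccessControl, jcr:modifyAccessControl, jcr:replicate for brandWriteUser\n"
    " end\n",
    "set principal ACL for brandWriteUser\n"
    " allow jcr:read, jcr:write on /content/brand/en\n"
    " deny crx:replicate on /content/brand/en\n"
    "end",
]})

# Constructed sample 2: grant read and write only. Not granting the access-control
# privileges and crx:replicate is what restricts them; no deny is needed.
FIXED_CFG = json.dumps({"scripts": [
    "create service user brandWriteUser",
    "set principal ACL for brandWriteUser\n"
    " allow jcr:read, jcr:write on /content/brand/en\n"
    "end",
]})

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        for idx, no, msg in lint_config(cfg) or [(None, None, "no findings")]:
            print(f"{name}: script {idx} line {no}: {msg}")
```

Running it prints one finding per offending line of the broken config and nothing for the fixed one. The lint is purely syntactic: it does not know what ACEs already exist in the repository, so the "remove ACE" cleanup from the reply above and the hasPrivileges check are still needed to confirm the effective permissions on a live instance.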
@test1234567 Just checking in — were you able to resolve your issue?
We’d love to hear how things worked out. If the suggestions above helped, marking a response as correct can guide others with similar questions. And if you found another solution, feel free to share it — your insights could really benefit the community. Thanks again for being part of the conversation!