Expand my Community achievements bar.

July 31st AEM Gems Webinar: Elevate your AEM development to master the integration of private GitHub repositories within AEM Cloud Manager.
SOLVED

Restrict user to publish the page from author instance

Avatar

Level 4

Hi Team,

 

Hope you are doing well.

 

Is there any access rule to restrict author user to publish the page. as currently all content authors are publish the page. 

 

Thanks

Bhagchand Saini

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

Hi @bhagchand!

As mentioned by @Sady_Rifat and @ShaileshBassi already, there are dedicated Access Control Lists (ACLs) available for replication. Please refer to the documentation around User Administration [1] and check for the "Replicate" action.

 

In general, ACLs can be managed through the authoring UI. However, as outlined by @ShaileshBassi it is usually a better idea to manage your groups and their according permissions through code, e. g. as RepoInit [2] scripts or dedicated tools, such as the Netcentric AC Tool [3].

 

In addition to that, please make sure to manage your ACLs on a group level and avoid assigning permissions to single users (emphasizing/clearing on what @Sady_Rifats wrote). My recommendation is to start with the OOTB groups [4] that are available within AEM as a starting point and base project-specific groups on these through inheritance by building a hierarchy of group memberships.

Doing so, it is important to only deny on the initial level of your hierarchy (deny as much as possible without breaking anything with regards to general system functionality for the users). Starting from there, more specific groups should allow what ever is required for their respective business use cases. Avoid denying ACLs on deeper levels of the group hierarchy as this will make things much more complex and you might end up with unexpected results (although I admit that it's not 100% avoidable for certain, rare cases).

 

Hope that helps!

 

[1] https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security.html#a...

[2] https://sling.apache.org/documentation/bundles/repository-initialization.html

[3] https://github.com/Netcentric/accesscontroltool

[4] https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security.html?l...

View solution in original post

4 Replies

Avatar

Community Advisor

Hello @bhagchand ,

You can simply remove the user "replicate" permission to restrict the author from page publication. 

http://localhost:4502/useradmin 

Sady_Rifat_0-1682491293762.png

 

But for standard practice, you shouldn't do this by this way. 

For this you can create 2 separate user groups, say Base Author and Base Approval.

Base Approval will have all the permission that Base Author has additional replicate permission also. Now when you have the 2 separate user groups assign this group to the end users.
Let's say Mr. X is a member of Base Author and Mr. Y is a member of Base Author and Base Approval. 

Since Mr. X is not a member of Base Approval he has no permission of replication and is unable to publish a page.

 

If you think still it's complicated there is a tool to manage it by writing code.

Check this Access Control Tool: https://github.com/Netcentric/accesscontroltool 

Avatar

Community Advisor

Hi @bhagchand For providing the permissions it is always recommended to create the repoinit file, so that it can promoted to the higher environment and there is no chance of the human errors over there.

 

Below is a sample Repo Init OSGi configuration with jcr:primaryType “sling:OsgiConfig”:

/apps/myproject/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-demo.xml

scripts = “[

create group demo-group,

create path (sling:OrderedFolder) /content/dam/project

set ACL for demo-group

deny crx:replicate on /content/dam/project;

end

]”

Above is an example for explicitly deny the publishing permission, but it also be that from starting only the permissions are provided for the paths where publishing is required.

Hope this helps!

Thanks

Avatar

Correct answer by
Employee Advisor

Hi @bhagchand!

As mentioned by @Sady_Rifat and @ShaileshBassi already, there are dedicated Access Control Lists (ACLs) available for replication. Please refer to the documentation around User Administration [1] and check for the "Replicate" action.

 

In general, ACLs can be managed through the authoring UI. However, as outlined by @ShaileshBassi it is usually a better idea to manage your groups and their according permissions through code, e. g. as RepoInit [2] scripts or dedicated tools, such as the Netcentric AC Tool [3].

 

In addition to that, please make sure to manage your ACLs on a group level and avoid assigning permissions to single users (emphasizing/clearing on what @Sady_Rifats wrote). My recommendation is to start with the OOTB groups [4] that are available within AEM as a starting point and base project-specific groups on these through inheritance by building a hierarchy of group memberships.

Doing so, it is important to only deny on the initial level of your hierarchy (deny as much as possible without breaking anything with regards to general system functionality for the users). Starting from there, more specific groups should allow what ever is required for their respective business use cases. Avoid denying ACLs on deeper levels of the group hierarchy as this will make things much more complex and you might end up with unexpected results (although I admit that it's not 100% avoidable for certain, rare cases).

 

Hope that helps!

 

[1] https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security.html#a...

[2] https://sling.apache.org/documentation/bundles/repository-initialization.html

[3] https://github.com/Netcentric/accesscontroltool

[4] https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security.html?l...