Expand my Community achievements bar.

Radically easy to access on brand approved content for distribution and omnichannel performant delivery. AEM Assets Content Hub and Dynamic Media with OpenAPI capabilities is now GA.
SOLVED

Restriction on Folder Level

Avatar

Level 3

Hi Team

 

I need some help on setting restrictions on folder

 

Consider I have folder project1 under path /content/dam/organization and I want only group1 and group2 to access this folder others should not be able to view project1 folder.

 

I have tried setting permissions by going to /security/permissions.html but deny jcr:all to group1 and group2 and everyone however it is working reverse 

like group1 and group2 not able to view /content/dam/organization/project1 folder others able to view.

 

Please correct me and my requirement is that  /content/dam/organization/project1 should be viewed by only group1 and group2 users.

 

Thanks in advance.

 

1 Accepted Solution

Avatar

Correct answer by
Level 9

@Prashardan , whenever a new user is created he/she must be part of everyone group. Please make sure that the pemission for everyone is present as

"deny jcr:all /content/dam/organization/project1".

View solution in original post

7 Replies

Avatar

Level 9

@Prashardan , you need to add 

deny jcr:all to everyone
allow jcr:all to group1
allow jcr:all to group2

This will make users from group1 and group2  to access the project1 folder and denied for others.

Avatar

Level 3

Hi @sravs 

 

Thanks for your reply. I have added this but when a new user is created and that new user is able to view project1 folder which is incorrect.

 

I have added permissions from /security/groups.html and also went to folder >> properties >> permissions >> closed user group >> added group1 and group2.

 

Still it is not working as expected that is every new user able to view this folder

 

My requirement is only group1 and group2 should be able to view and access project1.

 

 

Avatar

Correct answer by
Level 9

@Prashardan , whenever a new user is created he/she must be part of everyone group. Please make sure that the pemission for everyone is present as

"deny jcr:all /content/dam/organization/project1".

Avatar

Level 3

HI @sravs 

 

I have added the below permissions from /security/permissions.html however still the required permissions are not coming.

 

group1 -- "allow jcr:all /content/dam/organization/project1"

group2 -- "allow jcr:all /content/dam/organization/project1"

everyone -- "deny jcr:all /content/dam/organization/project1".

 

Please help

Avatar

Community Advisor

The jcr:read permission alone is enough for view privileges.

Setting everyone to deny, with group1 and group2 set to allow for jcr:read on path /content/dam/organization/project1 should have worked! 

Is it possible you have multiple permissions acting on "everyone" group? 
Can you share the permissions for the "everyone" group if there are multiple ACE defined for /content/dam path?

Avatar

Level 10

Hi @Prashardan ,

To set up folder-level restrictions in AEM so that only specific groups (group1 and group2) can access a folder while preventing access for all other users, you need to correctly configure the permissions. Here are the steps to ensure that only the desired groups have access:

Steps to Configure Permissions

  1. Navigate to the Folder:

    • Go to /content/dam/organization/project1 in CRXDE Lite or use the AEM Admin Console.
  2. Set Deny Permissions for Everyone Else:

    • Navigate to the Permissions page: http://<aem-host>:<port>/useradmin.
    • Select the Everyone group (or everyone principal).
    • Navigate to /content/dam/organization/project1.
    • Set deny for jcr:read and other permissions as needed.
  3. Allow Permissions for Specific Groups:

    • Now, select group1.
    • Navigate to /content/dam/organization/project1.
    • Set allow for jcr:read and any other required permissions.
    • Repeat the same steps for group2.
  4. Check Effective Permissions:

    • Verify that the effective permissions are correctly set. Users from group1 and group2 should have allow permissions, and Everyone should have deny.

Detailed Steps with Screenshots (for clarity):

  1. Deny Permissions for Everyone Else:

    • Open http://<aem-host>:<port>/useradmin.
    • Search for the Everyone group.
    • Navigate to /content/dam/organization/project1.
    • Click on the permissions icon and deny jcr:read (and other necessary permissions).
  2. Allow Permissions for group1 and group2:

    • Search for group1.
    • Navigate to /content/dam/organization/project1.
    • Click on the permissions icon and allow jcr:read (and other necessary permissions).
    • Repeat the same for group2.

Common Issues and Troubleshooting

  • Reverse Permissions Issue: If you are experiencing issues where permissions seem to be applied in reverse, double-check the order and precedence of permissions. In AEM, deny permissions typically take precedence over allow permissions, so setting global deny permissions can inadvertently block access for all users, including those explicitly allowed.

  • Verify Effective Permissions: Use the Permissions UI in AEM to verify the effective permissions for the specific groups and users. This UI helps you to see exactly what permissions are applied and can help diagnose issues.

  • Inheritance of Permissions: Make sure that permissions are not being inherited from parent folders that might contradict your settings. Explicitly setting permissions on the project1 folder should override inherited permissions, but it's good to verify.

Example to Illustrate

  1. Denying Everyone:

    • Everyone Group:
      • /content/dam/organization/project1 -> deny jcr:read
  2. Allowing Specific Groups:

    • group1:
      • /content/dam/organization/project1 -> allow jcr:read
    • group2:
      • /content/dam/organization/project1 -> allow jcr:read

By carefully setting these permissions, you ensure that only members of group1 and group2 can access the project1 folder while all other users, including those in the Everyone group, are denied access.

 

  1. Deny access to Everyone group.
  2. Allow access to group1 and group2.
  3. Verify effective permissions using the AEM Permissions UI.

Following these steps should give you the desired restriction setup on the project1 folder in AEM.

Avatar

Administrator

@Prashardan Did you find the suggestions from users helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!



Kautuk Sahni