Restriction on Folder Level | Community
Skip to main content
Prashardan
Prashardan
Level 4
May 24, 2024
Solved

Restriction on Folder Level

  • May 24, 2024
  • 4 replies
  • 1318 views

Hi Team

 

I need some help on setting restrictions on folder

 

Consider I have folder project1 under path /content/dam/organization and I want only group1 and group2 to access this folder others should not be able to view project1 folder.

 

I have tried setting permissions by going to /security/permissions.html but deny jcr:all to group1 and group2 and everyone however it is working reverse 

like group1 and group2 not able to view /content/dam/organization/project1 folder others able to view.

 

Please correct me and my requirement is that  /content/dam/organization/project1 should be viewed by only group1 and group2 users.

 

Thanks in advance.

 

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by sravs

@prashardan , whenever a new user is created he/she must be part of everyone group. Please make sure that the pemission for everyone is present as

"deny jcr:all /content/dam/organization/project1".

4 replies

sravs
Community Advisor
sravsCommunity Advisor
Community Advisor
May 24, 2024

@prashardan , you need to add 

deny jcr:all to everyone allow jcr:all to group1 allow jcr:all to group2

This will make users from group1 and group2  to access the project1 folder and denied for others.

    Prashardan
    PrashardanAuthor
    Level 4
    May 24, 2024

    Hi @sravs 

     

    Thanks for your reply. I have added this but when a new user is created and that new user is able to view project1 folder which is incorrect.

     

    I have added permissions from /security/groups.html and also went to folder >> properties >> permissions >> closed user group >> added group1 and group2.

     

    Still it is not working as expected that is every new user able to view this folder

     

    My requirement is only group1 and group2 should be able to view and access project1.

     

     

      sravs
      Community Advisor
      sravsCommunity AdvisorAccepted solution
      Community Advisor
      May 24, 2024

      @prashardan , whenever a new user is created he/she must be part of everyone group. Please make sure that the pemission for everyone is present as

      "deny jcr:all /content/dam/organization/project1".

        Prashardan
        PrashardanAuthor
        Level 4
        May 24, 2024

        HI @sravs 

         

        I have added the below permissions from /security/permissions.html however still the required permissions are not coming.

         

        group1 -- "allow jcr:all /content/dam/organization/project1"

        group2 -- "allow jcr:all /content/dam/organization/project1"

        everyone -- "deny jcr:all /content/dam/organization/project1".

         

        Please help

          Rohan_Garg
          Community Advisor
          Rohan_GargCommunity Advisor
          Community Advisor
          May 24, 2024

          The jcr:read permission alone is enough for view privileges.

          Setting everyone to deny, with group1 and group2 set to allow for jcr:read on path /content/dam/organization/project1 should have worked! 

          Is it possible you have multiple permissions acting on "everyone" group? 
          Can you share the permissions for the "everyone" group if there are multiple ACE defined for /content/dam path?

            HrishikeshKagne
            Community Advisor
            HrishikeshKagneCommunity Advisor
            Community Advisor
            May 25, 2024

            Hi @prashardan ,

            To set up folder-level restrictions in AEM so that only specific groups (group1 and group2) can access a folder while preventing access for all other users, you need to correctly configure the permissions. Here are the steps to ensure that only the desired groups have access:

            Steps to Configure Permissions

            1. Navigate to the Folder:

              • Go to /content/dam/organization/project1 in CRXDE Lite or use the AEM Admin Console.

            2. Set Deny Permissions for Everyone Else:

              • Navigate to the Permissions page: http://<aem-host>:<port>/useradmin.
              • Select the Everyone group (or everyone principal).
              • Navigate to /content/dam/organization/project1.
              • Set deny for jcr:read and other permissions as needed.

            3. Allow Permissions for Specific Groups:

              • Now, select group1.
              • Navigate to /content/dam/organization/project1.
              • Set allow for jcr:read and any other required permissions.
              • Repeat the same steps for group2.

            4. Check Effective Permissions:

              • Verify that the effective permissions are correctly set. Users from group1 and group2 should have allow permissions, and Everyone should have deny.

            Detailed Steps with Screenshots (for clarity):

            1. Deny Permissions for Everyone Else:

              • Open http://<aem-host>:<port>/useradmin.
              • Search for the Everyone group.
              • Navigate to /content/dam/organization/project1.
              • Click on the permissions icon and deny jcr:read (and other necessary permissions).

            2. Allow Permissions for group1 and group2:

              • Search for group1.
              • Navigate to /content/dam/organization/project1.
              • Click on the permissions icon and allow jcr:read (and other necessary permissions).
              • Repeat the same for group2.

            Common Issues and Troubleshooting

            • Reverse Permissions Issue: If you are experiencing issues where permissions seem to be applied in reverse, double-check the order and precedence of permissions. In AEM, deny permissions typically take precedence over allow permissions, so setting global deny permissions can inadvertently block access for all users, including those explicitly allowed.

            • Verify Effective Permissions: Use the Permissions UI in AEM to verify the effective permissions for the specific groups and users. This UI helps you to see exactly what permissions are applied and can help diagnose issues.

            • Inheritance of Permissions: Make sure that permissions are not being inherited from parent folders that might contradict your settings. Explicitly setting permissions on the project1 folder should override inherited permissions, but it's good to verify.

            Example to Illustrate

            1. Denying Everyone:

              • Everyone Group:
                • /content/dam/organization/project1 -> deny jcr:read

            2. Allowing Specific Groups:

              • group1:
                • /content/dam/organization/project1 -> allow jcr:read
              • group2:
                • /content/dam/organization/project1 -> allow jcr:read

            By carefully setting these permissions, you ensure that only members of group1 and group2 can access the project1 folder while all other users, including those in the Everyone group, are denied access.

             

            1. Deny access to Everyone group.
            2. Allow access to group1 and group2.
            3. Verify effective permissions using the AEM Permissions UI.

            Following these steps should give you the desired restriction setup on the project1 folder in AEM.

            Hrishikesh Kagane
              kautuk_sahni
              Community Manager
              kautuk_sahniCommunity Manager
              Community Manager
              June 10, 2024

              @prashardan Did you find the suggestions from users helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

              Kautuk Sahni
              Terms & ConditionsAccessibility statement

              Loading footer...