Adobe Experience Manager Sites & More

HI @sravs 

I have added the below permissions from /security/permissions.html however still the required permissions are not coming.

group1 -- "allow jcr:all /content/dam/organization/project1"

group2 -- "allow jcr:all /content/dam/organization/project1"

everyone -- "deny jcr:all /content/dam/organization/project1".

Please help

Hi @Prashardan ,

To set up folder-level restrictions in AEM so that only specific groups (group1 and group2) can access a folder while preventing access for all other users, you need to correctly configure the permissions. Here are the steps to ensure that only the desired groups have access:

Steps to Configure Permissions

1. Navigate to the Folder:

   • Go to /content/dam/organization/project1 in CRXDE Lite or use the AEM Admin Console.

2. Set Deny Permissions for Everyone Else:

   • Navigate to the Permissions page: http://<aem-host>:<port>/useradmin.
   • Select the Everyone group (or everyone principal).
   • Navigate to /content/dam/organization/project1.
   • Set deny for jcr:read and other permissions as needed.

3. Allow Permissions for Specific Groups:

   • Now, select group1.
   • Navigate to /content/dam/organization/project1.
   • Set allow for jcr:read and any other required permissions.
   • Repeat the same steps for group2.

4. Check Effective Permissions:

   • Verify that the effective permissions are correctly set. Users from group1 and group2 should have allow permissions, and Everyone should have deny.

Detailed Steps with Screenshots (for clarity):

1. Deny Permissions for Everyone Else:

   • Open http://<aem-host>:<port>/useradmin.
   • Search for the Everyone group.
   • Navigate to /content/dam/organization/project1.
   • Click on the permissions icon and deny jcr:read (and other necessary permissions).

2. Allow Permissions for group1 and group2:

   • Search for group1.
   • Navigate to /content/dam/organization/project1.
   • Click on the permissions icon and allow jcr:read (and other necessary permissions).
   • Repeat the same for group2.

Common Issues and Troubleshooting

• Reverse Permissions Issue: If you are experiencing issues where permissions seem to be applied in reverse, double-check the order and precedence of permissions. In AEM, deny permissions typically take precedence over allow permissions, so setting global deny permissions can inadvertently block access for all users, including those explicitly allowed.

• Verify Effective Permissions: Use the Permissions UI in AEM to verify the effective permissions for the specific groups and users. This UI helps you to see exactly what permissions are applied and can help diagnose issues.

• Inheritance of Permissions: Make sure that permissions are not being inherited from parent folders that might contradict your settings. Explicitly setting permissions on the project1 folder should override inherited permissions, but it's good to verify.

Example to Illustrate

1. Denying Everyone:

   • Everyone Group:
     • /content/dam/organization/project1 -> deny jcr:read

2. Allowing Specific Groups:

   • group1:
     • /content/dam/organization/project1 -> allow jcr:read
   • group2:
     • /content/dam/organization/project1 -> allow jcr:read

By carefully setting these permissions, you ensure that only members of group1 and group2 can access the project1 folder while all other users, including those in the Everyone group, are denied access.

1. Deny access to Everyone group.
2. Allow access to group1 and group2.
3. Verify effective permissions using the AEM Permissions UI.

Following these steps should give you the desired restriction setup on the project1 folder in AEM.

@Prashardan Did you find the suggestions from users helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

Kautuk Sahni