Expand my Community achievements bar.

Retrict Permission of User in AEM Cloud

Avatar

Level 2
Level 2
12/13/24 2:59:04 AM

I want to restrict some permissions for a user. For example: the ability to publish a page.

I have already removed all groups in the Admin Console in Cloud Manager, but when I log in, I still see many groups in the AEM instance (User/Group).

I also set restricted permissions in User/Permissions by denying crx:replicate on /, but the function is not working.

Please help and provide some suggestions for this case.

Thanks!

 

Views

193

Replies

5
Sign in to like this content

Total Likes

Translate
Translate
5 Replies

Avatar

Level 9
Level 9
12/13/24 3:23:19 AM

Hi @dante8888,

check that your user is not a member of multiple groups or has user-specific permissions set in AEM.

I would strongly suggest a whitelisting approach to avoid conflicts between different ACLs. This can be achieved by denying everything on the root path (like /content) in the default group that a user gets assigned to. Then all other groups can only have allow rules to be able to access specific content (like /content/my-site).

By following this approach you make sure you never have conflicting ACLs. The rule is simple, completely avoid using DENY rules.

 

Good luck,

Daniel

Views

181

Replies

3
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
12/13/24 6:51:57 AM
In response to daniel-strmecki

Thanks replied @daniel-strmecki 

But which default group are you referring to? I have a lot of groups.

Views

153

Replies

2
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 9
Level 9
12/16/24 12:13:44 AM
In response to dante8888

Hi @dante8888,

I am referring to the default group your users get assigned after they first log in. In AEMaaCS OOTB this should be the contributors group, but also configurable in OSGi.

 

Good luck,

Daniel

Views

107

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
12/16/24 12:28:08 AM
In response to daniel-strmecki

Do you mean that when a user logs in for the first time, they are assigned certain groups, and based on these groups, permissions are set for /content/project to allow actions like jcr:read and jcr:write, but excluding replicate? Is this correct?

Views

100

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 1
Level 1
12/23/24 5:06:49 AM

Hello, @dante8888, in AEMaaCS you can give permissions in two main ways.

 

If you have given access to a user through the Admin Console, a series of Adobe's own groups are assigned to him, which give access to all the content of pages and dam. You can see these groups if you go to Tools > Security > Users, look for a user and in their properties go to the Groups part. It doesn't matter if you delete or not the groups of that user, since they are given from the Admin Console, when the user logs in again, the same groups will be loaded again. The same happens if you decide to create your own group with denys (or allows) to certain paths, it will be indifferent to assign it to the user because their accesses will not be modified (it will ignore the permissions of the group you have created).

 

The second way, and the only way I know with which you can have a more defined permissions management, is to register users directly in the AEMaaCS environment instead of from Admin Console. You could also make an external login management, that associates groups and users (for example through Azure), that is a separate issue not really necessary, but that would facilitate what I am going to discuss now:

By registering users within the environment, they would have to enter through the “Login locally” option, which is located under the blue button option “Login with Adobe”, where they must enter username and password. For this to work you would have to register them and generate a password for each of them (which can be really tedious if there are many). This password could then be changed by them as they wish. With the users thus registered you can make your own groups and permissions management that will have an effect.

 

Depending on the need, you would not have to do this management for all users, maybe only for some more specific ones, so that the rest can enter normally. If you have many users, instead of giving them by hand, I would consider making an external login, in our case, we are implementing a Single Sign-On (SSO) with Azure that saves us the problem of passwords and register users in the environment. The creation of groups and their permission settings would be the same for both login cases.

 

Maybe you already know this, but I would like to add, that when you configure the permissions of the groups try to use as little as possible (and if it is nothing, better), the denys, since they give problems when combined with other groups.

 

I hope I have answered your questions and have been helpful.

Best regards!

Paula

Views

31

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
AEM Rockstar IX is open for submissions

Views

26

Likes

0

Replies

0
Is there a way to Log request.headers in AEM CS Dispatcher?

Views

141

Likes

0

Replies

2
Want to get the content of YAML files instead of downloading them (AEM 6.5)

Views

196

Likes

0

Replies

5
Clipping Path Details in Image Binary Metadata

Views

116

Likes

0

Replies

1
Cloud Manager - Error connecting to our backend systems

Views

143

Likes

0

Replies

2