
SOLVED

Right permission for the system user to initiate password setting process.


Level 4

Dear community,

I have a "forgot password" use case which introduces a system user to initiate resetting the password before authentication.

The code snippet is like:


// Imports needed by the snippet (Sling API, Jackrabbit API, JCR)
import java.util.HashMap;
import java.util.Map;
import javax.jcr.Session;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;

Map<String, Object> serviceParams = new HashMap<String, Object>();
serviceParams.put(ResourceResolverFactory.SUBSERVICE, "system-user");
ResourceResolver resolver = resolverFactory.getServiceResourceResolver(serviceParams);
Session session = resolver.adaptTo(Session.class); // session runs as the mapped service user, not as the end user

UserManager userManager = ((JackrabbitSession) session).getUserManager();
User user = (User) userManager.getAuthorizable(userID); // userID => who forgot the password

user.changePassword("xxxxxxxx"); // "xxxxxxxx" stands in for the new password value
session.save();                  // the AccessDeniedException is thrown here when the privilege is missing
resolver.close();                // closing the resolver logs out the underlying session


It works fine if I grant system-user the "jcr:all" permission; otherwise the exception "javax.jcr.AccessDeniedException: OakAccess0000: Access denied" occurs at session.save().

Would like to ask:

1. Is there an exact permission to set for system-user other than jcr:all? The jcr:all permission covers too many accesses.

2. Why can the user (obtained from UserManager.getAuthorizable(userID)) not change its own password (when the jcr:all permission is not granted to system-user)?


Thanks!

1 Accepted Solution


Correct answer by
Community Advisor

Hi @YuSheng,

Your user definitely does not need the jcr:all permission or membership in an Administrator group.

The user password is stored under a specific node under /home/users; each user has its own dedicated node that represents it on the repository level. To be able to change the password programmatically for any user using a service user, you will need to grant this user 2 permissions on the entire /home/users path and all the structure under it:

  • jcr:read - to be able to read the user node using the UserManager Java API; you will need this to change the password
  • rep:userManagement - to be able to change the password

You do not need anything more; on the CRX level you should see something like this.

password-permissions.jpg

Please also explore the documentation below. It clearly points out what kind of privilege you need to successfully run a specific method from the UserManager Java API.
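As an added example (not part of the accepted answer), this is how the two privileges above can be granted declaratively with a Sling repoinit OSGi configuration instead of clicking through the CRX permissions UI, so the grant is versioned with the code. The service user name password-reset-service and the config file name are constructed for this example; the service user mapping from the subservice "system-user" in the question to that principal is assumed to exist already.

```json
{
  "scripts": [
    "create service user password-reset-service\nset ACL for password-reset-service\n    allow jcr:read,rep:userManagement on /home/users\nend"
  ]
}
```

Saved as org.apache.sling.jcr.repoinit.RepositoryInitializer~password-reset.cfg.json, this creates the service user if it is missing and grants exactly jcr:read and rep:userManagement on /home/users (inherited by the user nodes below it), which is the minimum the answer describes; no jcr:write, no admin group membership.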
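The following is an added example of the "forgot password" service written against the least-privilege grant described in the answer; it is not code from the post or from Adobe. It assumes a Sling API version in which ResourceResolver is Closeable, an existing service user mapping for the subservice "system-user", and a hypothetical component name PasswordResetService. It refuses to touch system or admin accounts and checks rep:userManagement on the target user node up front, so a missing privilege is reported clearly instead of surfacing as OakAccess0000 at session.save(). Note that every access check is evaluated against the service session, which is why the target user's own identity plays no role in whether the change is allowed.

```java
import java.util.Collections;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

// Hypothetical OSGi component (example code, not from the post).
@Component(service = PasswordResetService.class)
public class PasswordResetService {

    // Subservice name from the question; it must be mapped to a service user
    // holding jcr:read and rep:userManagement on /home/users.
    private static final String SUBSERVICE = "system-user";
    private static final String USER_MGMT_PRIVILEGE = "rep:userManagement";

    @Reference
    private ResourceResolverFactory resolverFactory;

    /**
     * Sets a new password for a regular (non-system, non-admin) user.
     * Returns false when there is nothing to reset; throws when the service
     * user itself is misconfigured so the operator sees the real cause.
     */
    public boolean resetPassword(String userId, String newPassword)
            throws LoginException, RepositoryException {
        Map<String, Object> params =
                Collections.singletonMap(ResourceResolverFactory.SUBSERVICE, SUBSERVICE);
        // try-with-resources closes the resolver, which logs out the JCR session.
        try (ResourceResolver resolver = resolverFactory.getServiceResourceResolver(params)) {
            JackrabbitSession session = (JackrabbitSession) resolver.adaptTo(Session.class);
            if (session == null) {
                throw new IllegalStateException("service resolver cannot be adapted to a JCR session");
            }
            UserManager userManager = session.getUserManager();
            Authorizable authorizable = userManager.getAuthorizable(userId);
            if (authorizable == null || authorizable.isGroup()) {
                return false; // unknown id or a group: nothing to reset
            }
            User user = (User) authorizable;
            // A self-service reset flow must never change system or admin accounts.
            if (user.isSystemUser() || user.isAdmin()) {
                return false;
            }
            // Verify the privilege on the target user node before writing; without it
            // the write would only fail later, at session.save().
            AccessControlManager acm = session.getAccessControlManager();
            Privilege[] required = { acm.privilegeFromName(USER_MGMT_PRIVILEGE) };
            if (!acm.hasPrivileges(user.getPath(), required)) {
                throw new RepositoryException("service user for subservice '" + SUBSERVICE
                        + "' lacks " + USER_MGMT_PRIVILEGE + " on " + user.getPath());
            }
            user.changePassword(newPassword);
            session.save();
            return true;
        }
    }
}
```

The reset token or email verification that should gate a call to resetPassword is outside the scope of the post and is deliberately not shown; the method only covers the repository side.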


2 Replies


Community Advisor

Hi @YuSheng

You can add this system user in User Administrator group.



Arun Patidar
