Adobe Experience Manager Sites & More

YuSheng · 3/29/23

Dear community,

I have a " forget password " use case which introduce in system user to initiate resetting password before authentication.

The code snippet is like:

Map<String, Object> serviceParams = new HashMap<String, Object>();
serviceParams.put(ResourceResolverFactory.SUBSERVICE, "system-user");
ResourceResolver resolver = resolverFactory.getServiceResourceResolver(serviceParams);
session = resolver.adaptTo(Session.class);

UserManager userManager = ((JackrabbitSession) session).getUserManager();
User user = (User) userManager.getAuthorizable(userID); // userID => who forget the password

user.changePassword("xxxxxxxx");
session.save();
session.logout();

It works fine if I grant system-user "jcr:all" permission,

otherwise the exception "javax.jcr.AccessDeniedException: OakAccess0000: Access denied" occurs as session.save()

Would like to ask:

1. Is there an exact permission to set for system-user other than jcr:all? since jcr:all permssion covers too many accesses.

2. Why the user (obtained from UserManager.getAuthorizable(userID)) cannot change its own password (when the jcr:all permission is not granted to system-user).

Thanks!

lukasz-m · 3/30/23

Hi @YuSheng,

Your user definitely do not need jcr:all permission or be an Administrator group member.

User password is stored under specific node under /home/users - each user have it's own dedicated node that represents it on the repository level. To be able to change password programmatically for any user using service user, you will need to grant this user with 2 permissions to entire /home/users path and all the structure under it:

jcr:read - to be able to read user node using UserManager java api - you will need this to change the password
rep:userManagement - to be able to change the password

You do not need anything more, on crx level you should see something like this.

Please also explore below documentation. It clearly points what kind of privilege you need to successfully run specific method from UserManager java api.

https://jackrabbit.apache.org/oak/docs/security/privilege/mappingtoprivileges.html#user-management

View solution in original post

arunpatidar · 3/30/23

HI @YuSheng

You can add this system user in User Administrator group.

Arun Patidar

lukasz-m · 3/30/23

Hi @YuSheng,

Your user definitely do not need jcr:all permission or be an Administrator group member.

User password is stored under specific node under /home/users - each user have it's own dedicated node that represents it on the repository level. To be able to change password programmatically for any user using service user, you will need to grant this user with 2 permissions to entire /home/users path and all the structure under it:

jcr:read - to be able to read user node using UserManager java api - you will need this to change the password
rep:userManagement - to be able to change the password

You do not need anything more, on crx level you should see something like this.

Please also explore below documentation. It clearly points what kind of privilege you need to successfully run specific method from UserManager java api.