Right permission for the system user to initiate password setting process. | Community
March 30, 2023
Solved


Dear community,

I have a "forget password" use case which introduces a system user to initiate resetting the password before authentication.

The code snippet is like:

```java
// Open a service resolver for the "system-user" subservice
Map<String, Object> serviceParams = new HashMap<String, Object>();
serviceParams.put(ResourceResolverFactory.SUBSERVICE, "system-user");
ResourceResolver resolver = resolverFactory.getServiceResourceResolver(serviceParams);
session = resolver.adaptTo(Session.class);

// Look up the target account and set its new password
UserManager userManager = ((JackrabbitSession) session).getUserManager();
User user = (User) userManager.getAuthorizable(userID); // userID => who forgot the password
user.changePassword("xxxxxxxx");

// Persist the change; this is where AccessDeniedException is thrown
session.save();
session.logout();
```

It works fine if I grant system-user the "jcr:all" permission,

otherwise the exception "javax.jcr.AccessDeniedException: OakAccess0000: Access denied" occurs at session.save().

I would like to ask:

1. Is there an exact permission to set for system-user other than jcr:all? The jcr:all permission covers too many accesses.

2. Why can the user (obtained from UserManager.getAuthorizable(userID)) not change its own password (when the jcr:all permission is not granted to system-user)?

 

Thanks!

2 replies

arunpatidar
Community Advisor
March 30, 2023

Hi @yusheng

You can add this system user to the User Administrator group.

Arun Patidar
lukasz-m
Community Advisor
Accepted solution
March 30, 2023

Hi @yusheng,

Your user definitely does not need the jcr:all permission or to be an Administrator group member.

The user password is stored under a specific node under /home/users - each user has its own dedicated node that represents it on the repository level. To be able to change the password programmatically for any user using a service user, you will need to grant this user 2 permissions on the entire /home/users path and all the structure under it:

  • jcr:read - to be able to read the user node using the UserManager Java API - you will need this to change the password
  • rep:userManagement - to be able to change the password

You do not need anything more; on the CRX level you should see something like this.

Please also explore the documentation below. It clearly points out what kind of privilege you need to successfully run a specific method from the UserManager Java API.
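
The following is an added example, not part of the original thread or any poster's code: a least-privilege version of the reset routine that checks for the two privileges named in the accepted answer before changing the password. The class and method names are hypothetical, and it assumes the "system-user" subservice is mapped to a service user whose principal name is also system-user.

```java
import java.util.Collections;
import java.util.Map;
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;

// Hypothetical helper. Assumed ACL setup (repoinit), instead of jcr:all:
//   set ACL for system-user
//       allow jcr:read,rep:userManagement on /home/users
//   end
public final class PasswordResetHelper {
    private static final String[] REQUIRED = {"jcr:read", "rep:userManagement"};

    /** Returns true if the password was changed, false if no readable user matches userId. */
    public static boolean resetPassword(ResourceResolverFactory factory, String userId, String newPassword)
            throws LoginException, RepositoryException {
        Map<String, Object> params =
                Collections.<String, Object>singletonMap(ResourceResolverFactory.SUBSERVICE, "system-user");
        // try-with-resources closes the resolver and the session it opened, even on failure
        try (ResourceResolver resolver = factory.getServiceResourceResolver(params)) {
            Session session = resolver.adaptTo(Session.class);
            Authorizable target = ((JackrabbitSession) session).getUserManager().getAuthorizable(userId);
            // Without jcr:read on the user node the lookup returns null rather than throwing
            if (target == null || target.isGroup()) {
                return false;
            }
            AccessControlManager acm = session.getAccessControlManager();
            Privilege[] needed = new Privilege[REQUIRED.length];
            for (int i = 0; i < REQUIRED.length; i++) {
                needed[i] = acm.privilegeFromName(REQUIRED[i]);
            }
            // Fail with a clear message here instead of OakAccess0000 at save()
            if (!acm.hasPrivileges(target.getPath(), needed)) {
                throw new AccessDeniedException("service user lacks "
                        + String.join(", ", REQUIRED) + " on " + target.getPath());
            }
            ((User) target).changePassword(newPassword);
            session.save();
            return true;
        }
    }
}
```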