Expand my Community achievements bar.

SOLVED

Unlocking Pages - Alternative to "admin" Account?

Avatar

Level 3

Hello all,

I have seen many forum posts and documentation links saying locked pages can only be unlocked by the author who locked it or the "admin" account, including [1] below. As the platform scales up, it becomes increasingly likely that users will forget to unlock pages and the "admin" has to step in. How do other companies handle unlocking pages in AEM as things scale?

 

To me, there are three obvious options: Get more admins (cost concerns), share the "admin" password with additional people such as a support team (security concerns), or find an alternative solution. Has anyone been able to find an alternative solution?

 

[1] http://blogs.adobe.com/dmcmahon/2012/06/06/cq5-5-members-of-administrators-group-not-able-to-unlock-...

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

If users forget to unlock the pages and you want other users to be able to edit those pages then you can consider the following solution- 

  • Implement a scheduled background job which will scan the content paths for the locked pages and send reminders by email to the users to unlock the page if the page modification date is more than 10 days (can be configured) old. You can also configure a report for the admin group to see the number of locked pages available under a path. 
  • If the users are no more available or can not login then you can create a new user account called as "superuser" and give that account the capability to impersonate the user accounts which are no more able to login. You don't need to share admin password as the superuser account will be able to impersonate as other users and unlock the pages on their behalf. 

View solution in original post

8 Replies

Avatar

Level 10

Hi Andrew,

As far as I know in the authoring prospective, those who(people) belongs to "Admin" account, they only can unlock the pages. Or else, the admin people must give the permissions to the power authors i.e., admin is added the author group.of particular author person

file

Here admin can be added to the group of the particular author. Now, the person having admin access, can unlock the page.

file\

Hope this clears your query!

Thanks,
Ratna Kumar.

Avatar

Level 3

Hi Ratna, 

I think we're mixing two things - the "admin" user account and the "Administrators" group. I have tried adding users to the "Administrators" group as well as an author group, but they were unable to unlock pages locked by other users (most recently yesterday). I have only had success with the "admin" user account, not the "Administrators" group. 

Thanks,

Andrew

Avatar

Level 10

See this KB - it confirms that only the user whom locks the page or an admin account:

https://helpx.adobe.com/experience-manager/kb/UnlockALockedPage.html

So if you want more ppl to be able to unlock a page - then you will have to give admin creds to trusted employees. 

Avatar

Correct answer by
Employee Advisor

If users forget to unlock the pages and you want other users to be able to edit those pages then you can consider the following solution- 

  • Implement a scheduled background job which will scan the content paths for the locked pages and send reminders by email to the users to unlock the page if the page modification date is more than 10 days (can be configured) old. You can also configure a report for the admin group to see the number of locked pages available under a path. 
  • If the users are no more available or can not login then you can create a new user account called as "superuser" and give that account the capability to impersonate the user accounts which are no more able to login. You don't need to share admin password as the superuser account will be able to impersonate as other users and unlock the pages on their behalf. 

Avatar

Employee Advisor

Hi,

I would like to add a 3rd solution to this problem:

  • Create a servlet, which uses a new admin session to unlock a page; then call this servlet from the UI and restrict access to it (e.g. bind the servlet to a resource type, create a node using this resource type and restrict access to this node).

Avatar

Level 9

Hi Andrew,

What @Kunal has suggested is a very nice approach. And, In my view, running a scheduler & query to find out what are the pages are locked and who has locked them and then report them is a long process.

In my view, this could be done in a very easy way.

  • Customize a sidekick and just like "Locking" & "Unlocking" page menu item, add another menu item "Request to unlock".
  • If you want to get it unlocked, you should request to the person who has unlocked it.
  • On "Request for unlock", send an email to the person who has locked. 

Pros: No searching, no scheduler & spamming to those who does not want to unlock their pages.

Cons: User can send request for one page at a time.

Jitendra

Avatar

Employee

Note that this solution is not working in AEM 6.3. Impersonated sessions will no be able to do unlocking.

Avatar

Level 4

The only solution as of today in case the locked user no more available or went on a vecation is to reach out to Adobe via a support ticket and ask them to unlock it. Only adobe holds the super admin access and even product admin with impersonate access to locked user will not work.

There is one workaround for AMS and Inhouse users where they can go to Adobe legacy user admin page(http://localhost:4502/useradmin) and update the password of the locked user and login with that user id and new password by directly accessing the Author URL(direct URL with port number) and unlock the page.

When the locked user comes back from vacation and login via SSO it will overwrite the manually updated password and will not block the user access.