Expand my Community achievements bar.

SOLVED

User/Group Migration issues

Avatar

Level 7

Hi All,

 

We are trying to migrate users/groups from AEM 6.0 to AEM 6.5, with the goal of all the permissions and privileges retained. I am following this documentation, https://experienceleague.adobe.com/docs/experience-cloud-kcs/kbarticles/KA-16448.html?lang=es-ES. After the migrations, all the original permissions are gone.

user permissions in AEM 6.0user permissions in AEM 6.0same user permissions in AEM 6.5same user permissions in AEM 6.5

 

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

If you are going to migrate the users/groups using ACLS then you will have to put those users/groups under "Principle names". If you have a large number of users, those users must be part of a few groups. You can provide these groups name instead of users under "Principle name".

Anyway in your case you have already migrated the users as per the adobe document, right? Unselect "Include principles" and try getting the acls of couple of users. If this doesn't work there might be some issue with acs commons version you are using which we can look into further.

View solution in original post

11 Replies

Avatar

Community Advisor

Hi @kevingtan 

 

ACL packager pretty much does the job. I had used this to migrate users, groups and their acls from 6.2 to 6.5 and it worked flawlessly.

 

I see that you are migrating acls under /content. Is it possible that you have installed acls package first and then installed/reinstalled content package? I suspect this might be one of the reason its not showing up.

 

Regards,

Jeevan

Avatar

Level 7

Interesting. I actually tried it as you said before the content migration a while ago, it failed also. But the failure didn't come from the ACL migration, but because we never reached the ACL migration due to AEM 6.0 has a very strict rule against ACS-Commons. Now we got a version (2.12.0) that works for AEM 6.0, but never tried the ACL migration before the content migration since then. You got a very good point. Thanks for your suggestion.

Avatar

Community Advisor

I was suggesting the opposite of that. The content has to be installed first and then the acls. If you install the content package after installing acls then it would overwrite the rep:policy.

Avatar

Level 7

Approach:

1. Created user package in AEM 6.0, and edited it with all the necessary exclude-paths.

Once we created it, downloaded and unzipped it. Modified the mode as `mode="merge"` in META-INF/vault/filter.xml. Then re-zipped it. Uploaded it and rebuilt it, downloaded it again and uploaded it to AEM 6.5 server.

 

2. Created ACL package via ACS commons, as shown in the attachments above. Then downloaded it uploaded it to the AEM 6.5 server, installed it. 

 

3. Restarted AEM 6.5. 

 

Does anyone have any idea what went wrong? 

Thanks!

 

-k

 

Avatar

Community Advisor

Are you creating two separate packages for users and ACLS?

Avatar

Community Advisor

Why dont you use acl package for both user and acl migration?

The approach I followed was quite simple:

  1. Migrated content first to 6.5
  2. Create the acl packager in lower env i.e, 6.0 in your case.
  3. Select "Package ACL handling" as "merge"
  4. Provide the users/groups name you want to migrate or users/groups acls which you want to migrate under "Principle names"
  5. Provide the "Include patterns"
  6. Select "Include principle" if you want to include the user/group in the same package. Unselect this if you want to migrate users/groups separately.
  7. Select Include ACL package. No harm in selecting one option. This is optional.
  8. Build the package. Download and upload to 6.5. Install the package.

Avatar

Level 7

I almost did the same thing as you did. With an exception that the "Package ACL handling" is "overwrite". Also another question, do we have to put all the users in the "Principle names"? I wonder what if we have a few hundred or even thousands?

Avatar

Correct answer by
Community Advisor

If you are going to migrate the users/groups using ACLS then you will have to put those users/groups under "Principle names". If you have a large number of users, those users must be part of a few groups. You can provide these groups name instead of users under "Principle name".

Anyway in your case you have already migrated the users as per the adobe document, right? Unselect "Include principles" and try getting the acls of couple of users. If this doesn't work there might be some issue with acs commons version you are using which we can look into further.