User/Group Permission

arvind

06-04-2020

Dear Team,

Step1:

I have below content tree structure:

 

arvind_0-1586165394617.png

Step2:

and user "sample" is created with below permission:

arvind_1-1586165540889.png

 

Step3:

Now, when I access sites.html, I only see my "Product" site/page, which is correct.

arvind_2-1586165606163.png

 

Step4:

Problem Statement:

Now admin creates a new Page/Site, e.g. New Product

arvind_3-1586165739030.png

Step5:

When I log in again as the "sample" user, I can see this "New Product" page.

arvind_4-1586166082628.png

 

Question:

Is there any way to restrict this so that the "sample" user can only see Product websites, not any other created by Admin in future?

 

Thank you in advance.

Accepted Solutions (1)

Theo_Pendle

MVP


06-04-2020

Hi,

Here is a video I just recorded showing how you can do this quite easily using AEM 6.5's new Principal View for permissions.

Sorry for the poor audio quality, I don't often do this so I don't have fancy equipment 😅

https://youtu.be/Pq4kv8MxXUI 

Answers (3)

Vijayalakshmi_S

MVP


06-04-2020

Hi,

Try adding an Access Control entry from the Access Control tab on the respective node in CRXDE, with the advanced option rep:glob.

In the example you have shared, we need to set 2 entries on /content/we-retail/sample for the respective user/group.

Entry 1:

  • permission "Allow"
  • privilege being "jcr:read"

Entry 2:

  • permission "Deny"
  • privilege being jcr:all and
  • restrictions - rep:glob=/*

On the Sample node, read on that node enables sample alone, and everything under that path is denied (/* on rep:glob).

The Product node is set to have all permissions (read, modify, delete, read/write ACLs, or jcr:all).

(Explicit permissions set on this will override the deny set on the sample node; in other words, the deny will not apply to this node but to the rest of the other children of the sample node.)
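
The two entries described in this answer, run through a simplified model of how Jackrabbit Oak resolves read access for a single principal. This is an added example, not code from the original post or from AEM; the node names `product` and `new-product` are constructed, and the evaluation rules coded here (nearest node wins, the entry listed last on a node wins, group membership ignored) are assumptions of the model.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    allow: bool
    privilege: str               # "jcr:read" or "jcr:all" in this model
    glob: Optional[str] = None   # rep:glob restriction; None means unrestricted

def ace_applies(node: str, ace: Ace, target: str) -> bool:
    """Does an entry stored on `node` apply to the path `target`?"""
    if ace.glob is None:         # unrestricted: the node and its whole subtree
        return target == node or target.startswith(node + "/")
    if ace.glob == "":           # empty glob: the node itself only
        return target == node
    # The glob is appended to the node path; '*' matches any characters, '/' included.
    pattern = node + ace.glob
    if "*" not in pattern:       # no wildcard: that path and its descendants
        return target == pattern or target.startswith(pattern + "/")
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, target) is not None

def can_read(acl: dict, target: str) -> bool:
    """Walk from target towards the root: the nearest node wins, and on one
    node the entry listed last wins. No matching entry means no access."""
    node = target
    while node:
        for ace in reversed(acl.get(node, [])):
            if ace.privilege in ("jcr:read", "jcr:all") and ace_applies(node, ace, target):
                return ace.allow
        node = node.rsplit("/", 1)[0]
    return False

SAMPLE = "/content/we-retail/sample"
PAGES = [SAMPLE, SAMPLE + "/product", SAMPLE + "/new-product"]  # constructed node names
# Original setup: plain read on the parent, inherited by every page created later.
BEFORE = {SAMPLE: [Ace(True, "jcr:read")]}
# Setup from the answer: Entry 1 and Entry 2 on sample, full rights on product.
AFTER = {
    SAMPLE: [Ace(True, "jcr:read"), Ace(False, "jcr:all", "/*")],
    SAMPLE + "/product": [Ace(True, "jcr:all")],
}

def visible(acl: dict) -> list:
    return [page for page in PAGES if can_read(acl, page)]

if __name__ == "__main__":
    print("before:", visible(BEFORE), "after:", visible(AFTER))
```

Because the entry listed last on a node wins in this model, the deny with `rep:glob=/*` has to come after the allow on the sample node; with the two swapped, the unrestricted allow would again cover pages created later.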

 

sunjot16

Employee


06-04-2020

I was able to reproduce the same.

The thing is that when you have read-only access to /content, /we-retail, /sample and product nodes, it works according to the given permissions.

However, whenever you (as an admin or something) add a new page beneath /content/we-retail/sample, as the parent (/sample) has read-only access, the user "sample" gets read-only access to the newly created page by default.

If you go to /useradmin on your instance, after you created a new page under /sample, you can see that the user has read-only access to that page. You can remove the access from the read-only page. It works.

 

Permissions to user on Newly Created Page:

sunjot16_0-1586184833549.png

 

Remove the read-only access for sample user from the newly created page:

sunjot16_1-1586184910471.png

 

Newly created page no longer visible to sample user (or test user in my case):

sunjot16_2-1586184997882.png

 

Theo_Pendle

MVP


06-04-2020

Hi,

Here is a video explaining how you can do this: https://www.youtube.com/watch?v=Pq4kv8MxXUI  

PS: As discussed, my first attempt to post didn't work, so I took out the hyperlink to be safe 🤞