
What permissions does someone need to Move content?

MFlint61

14-02-2019

Hi,

We recently upgraded from AEM v6.2 to v6.4. Under v6.2 (and earlier) we had a delegated administration model, where people who were not in the out-of-the-box "administrators" group could work within their folder structures independently. Meaning they could move pieces of content from one folder to another without any "administrator" assistance. Now that we are on v6.4, people who are not in the "administrators" group are automatically triggering "Request to complete Move operation" workflows. Those workflows sit until an administrator like myself happens to notice them and then approves the move.

I have been Googling for an answer but not finding anything. What permissions does someone need to Move content? Do we need to add them to some group so it does not trigger the workflow? Or should we just modify what I assume is the out-of-the-box workflow "Request to complete Move operation" to replace its steps with a no-operation step? Something else?

Any suggestions would be appreciated.

Mark

Replies


Gaurav-Behl

MVP

17-02-2019

A move operation involves create/modify/delete ACLs. You may use the /useradmin console to apply the same permissions for either a user or a group for specific paths, including /libs for '/libs/granite/omnisearch/content/metadata/site/actions'.

If you want to be very restrictive in granting ACLs then you may have to use /crx/de to apply specific ACLs on specific paths.

Could you check if there is a workflow launcher configured for the "Request to complete Move operation"? Modifying the launcher would be better than modifying the workflow model itself.



Veena_Vikram

MVP

17-02-2019

Hi Mark

I faced a similar issue long ago, as my business wanted a group where the content authors should have permission to COPY and MOVE but NOT DELETE. Unfortunately, moving content also needs delete permission in AEM. Since moving means you should delete the node and then add the node to the new location, a delete permission for the user is needed to complete this action.

Thanks

Veena
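The replies above describe a move as a delete at the old location plus a create at the new one. As an added example (not code from this thread or from Adobe), the class below uses the standard JCR `Session.hasPermission` call to list which of those permissions a given user's session lacks. The class and method names are hypothetical, it needs a live `Session` for the user being diagnosed, and it does not evaluate whatever conditions AEM 6.4 uses to start the "Request to complete Move operation" workflow.

```java
import java.util.ArrayList;
import java.util.List;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

/** Added example: reports which JCR permissions a session lacks for a move. */
public final class MovePermissionCheck {

    private MovePermissionCheck() {}

    /**
     * @param session        session of the user being diagnosed (hypothetical caller supplies it)
     * @param srcPath        absolute path of the node to move
     * @param destParentPath absolute path of the folder it should move into
     * @return list of missing permissions; empty if none are missing
     */
    public static List<String> missingForMove(Session session, String srcPath,
            String destParentPath) throws RepositoryException {
        List<String> missing = new ArrayList<>();
        if (!session.nodeExists(srcPath)) {
            // Either the node does not exist or this session cannot read it.
            missing.add("read (or node absent): " + srcPath);
            return missing;
        }
        Node src = session.getNode(srcPath);
        // Destination side: a node of the same name is created under the new parent.
        String sep = destParentPath.endsWith("/") ? "" : "/";
        String destPath = destParentPath + sep + src.getName();
        if (!session.hasPermission(destPath, Session.ACTION_ADD_NODE)) {
            missing.add("add_node: " + destPath);
        }
        // Source side: the node and everything below it leaves the old location.
        collectUnremovable(session, src, missing);
        return missing;
    }

    private static void collectUnremovable(Session session, Node node,
            List<String> missing) throws RepositoryException {
        if (!session.hasPermission(node.getPath(), Session.ACTION_REMOVE)) {
            missing.add("remove: " + node.getPath());
        }
        for (NodeIterator it = node.getNodes(); it.hasNext();) {
            collectUnremovable(session, it.nextNode(), missing);
        }
    }
}
```

Only nodes the session can read are visited, so a child that is hidden from the user by a read restriction will not appear in the result.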


Arun_Patidar

MVP

18-02-2019

This is interesting, but you could have handled this by hiding the delete button from the menu based on user group.

I know this is not possible through CRXDE.


MFlint61

18-02-2019

I am a little confused I think. Currently the delegated administrators in question have Read, Modify, Create, Delete and Replicate, leaving Read ACL and Edit ACL unchecked. This had been done since we started with AEM 5.2, but exactly why our architect at the time did it that way is unclear. Are you saying that under AEM 6.4 we would have to allow them Read ACL and Edit ACL too?

In the past our "administrators" group people would set the ACLs for the folder structures for the delegated administrators, who would control parts of the folder structures, and then the delegated administrators would work within them without issue. Wouldn't giving them ability to Edit ACLs allow them to do whatever they wanted to the security?

Please clarify. Thank you.


Veena_Vikram

MVP

19-02-2019

We didn't want to add much customization to the console itself. But I can give it a try for learning purposes.