We recently upgraded from AEM v6.2 to v6.4. Under v6.2 (and earlier) we had a delegated administration model, where people who were not in the out-of-the-box "administrators" group could work within their folder structures independently. Meaning they could move pieces of content from one folder to another without any "administrator" assistance. Now that we are on v6.4, people who are not in the "administrators" group are automatically triggering "Request to complete Move operation" workflows. Those workflows sit until an administrator like myself happens to notice it and then approve the move.
I have been Googling for an answer but not finding anything. What permissions does someone need to Move content? Do we need to add them to some group so it does not trigger the workflow? Or should we just modify what I assume is the out-of-the-box workflow "Request to complete Move operation" to replace its steps with a no-operation step? Something else?
The move operation involves create/modify/delete ACLs. You may use the /useradmin console to apply the same permissions for either a user or a group for specific paths, including /libs for '/libs/granite/omnisearch/content/metadata/site/actions'.
If you want to be very restrictive in granting ACLs then you may have to use /crx/de to apply specific ACLs on specific paths.
Could you check if there is a workflow launcher configured for the "Request to complete Move operation"? Modifying the launcher would be better than modifying the workflow model itself.
I faced a similar issue a long time ago, as my business wanted a group where the content authors should have permission to COPY and MOVE but NOT DELETE. Unfortunately, moving content also needs delete permission in AEM. Since moving means you delete the node and then add the node at the new location, the user needs delete permission to complete this action.
I am a little confused, I think. Currently the delegated administrators in question have Read, Modify, Create, Delete and Replicate, leaving Read ACL and Edit ACL unchecked. This had been done since we started with AEM 5.2, but exactly why our architect at the time did it that way is unclear. Are you saying that under AEM 6.4 we would have to allow them Read ACL and Edit ACL too?
In the past our "administrators" group people would set the ACLs for the folder structures for the delegated administrators, who would control parts of the folder structures, and then the delegated administrators would work within them without issue. Wouldn't giving them the ability to Edit ACLs allow them to do whatever they wanted to the security?