Password expiry is an Apache Jackrabbit thing:Jackrabbit Oak - Password Expiry and Force Initial Password ChangeYou can change it in /system/console/configMgr, and grab the updated config in CRX DE in /apps/system/config, we drop that file in crx-quickstart/install for all of our servers.Additionall...

It doesn't look like my content-authors have access to layouting mode in AEM 6.2.  Design mode is activated by providing write access to the design, but layouting config is stored with the content node, is it a navigation item that needs access like the console nav?

Highly, highly worth mentioning, if you use the ACS ACL packager, be aware that it exports the whole _rep_policy.xml, not just the specific permissions for your authorizables.  This more than likely means that package will not be compatible with any future versions of AEM.  I.e. you're upgrading fro...

Jörg Hoh wrote... Hi Jay, I  appreciate your posting and thoroughness you put into it. You explain the basic idea quite well: First have a "deny all" rule (using wildcard ACLs where appropriate) and then give the group permission to the relevant of the repository. To be honest, I haven't had the tim...

Jörg Hoh wrote... Hi Jay, Basically I agree with the documentation, that you shouldn't use "DENY", but there is one big exception to this rule: You should have a group, which grants the minimal applicable permission set. For example you model a group "login only", which only allows to login to AEM, ...

Thanks Scott!

In addition, there are commonly used folders like /etc/designs that contain a mix of AEM and project specific code.  It’s relatively easy to blanket deny /content/* and /apps/*, but the same doesn’t apply for /etc/designs/* since there are a number of folders in there that are used by the system.  W...

As an aside, I’m also not receiving email updates when someone replies to this thread (in my inbox or spam), so I replied quickly previously from my phone when I received a satisfaction survey for this thread and saw that there were new replies.

Hi Scott,First of all, the answer is contradictory to the documentation: “Don’t use deny except for a certain group that all users should belong to which should do a wildcard deny”.  I’ve been working on trying to create a group of users by following the documentation and granting only read access w...

This issue is not yet resolved, I'll mark it as resolved as soon as I've found a solution to my issue.