Highly, highly worth mentioning, if you use the ACS ACL packager, be aware that it exports the whole _rep_policy.xml, not just the specific permissions for your authorizables. This more than likely means that package will not be compatible with any future versions of AEM. I.e. you're upgrading from 6.1 to 6.2, those _rep_policy.xml's may have entries that conflict with the latest updated policies in 6.2.If you're exporting, you'll want to hand-filter those policies and exclude anything that's no...

Jörg Hoh wrote... Hi Jay, I appreciate your posting and thoroughness you put into it. You explain the basic idea quite well: First have a "deny all" rule (using wildcard ACLs where appropriate) and then give the group permission to the relevant of the repository. To be honest, I haven't had the time to write my posting in such a level of detail, but I am glad you did it 🙂 Your approach works fine, but building your complete group structure in a tree-ish way only works well, if you operate on a ...

Thanks Scott!

In addition, there are commonly used folders like /etc/designs that contain a mix of AEM and project specific code. It’s relatively easy to blanket deny /content/* and /apps/*, but the same doesn’t apply for /etc/designs/* since there are a number of folders in there that are used by the system. We could deny all and then grant back all of the specific folders, but this sends us down a road where we’re using deny in all circumstances to define the base level of user access.It seems to me that wh...

As an aside, I’m also not receiving email updates when someone replies to this thread (in my inbox or spam), so I replied quickly previously from my phone when I received a satisfaction survey for this thread and saw that there were new replies.

Hi Scott,First of all, the answer is contradictory to the documentation: “Don’t use deny except for a certain group that all users should belong to which should do a wildcard deny”. I’ve been working on trying to create a group of users by following the documentation and granting only read access where required. Contributor has been the group that i’ve modeled my access after, however, removing jcr:read from / (and granting jcr:read to /apps and /libs, /etc) ends up breaking all of the UI’s (sit...

This issue is not yet resolved, I'll mark it as resolved as soon as I've found a solution to my issue.