Enhancements to AEM to support restricted user permissions

Hi Tim/everyone,
Is this functionality got implemented successfully? If yes, can you please share the final solution for this issue! We are also in need to implement the same functionality in our project.

Can you share the screenshots of rep:policy node?

Hi ,

I have a user with only read permissions and then added all the 6 permissions mentioned above for the user in the crx/de at the /content node.

Now , I am able to edit and update the existing annotation but i am still unable to add a new annotation. Logs show "Access denied".

Is there anything that I am still missing ?

Thanks in advance

paul.bjorkstrand​ thanks, I will check this out.

Update: Thanks paul.bjorkstrand​, checked this and worked well.

Sorry guys, I made some confusion on this. when I checked this last time, I had already given write permission on everything below jcr:content and this worked. However if you just add above 6 acls as mentioned by Paul, it doesn't work. fyi, below is the representation of rep:poilicy node

{

   "jcr:primaryType":"rep:ACL",

   "allow":{

      "jcr:primaryType":"rep:GrantACE",

      "rep:principalName":"annotations-group-example",

      "rep:privileges":[

         "jcr:read"

      ]

   },

   "allow13":{

      "jcr:primaryType":"rep:GrantACE",

      "rep:principalName":"annotations-group-example",

      "rep:privileges":[

         "rep:write"

      ],

      "rep:restrictions":{

         "jcr:primaryType":"rep:Restrictions",

         "rep:glob":"/*/cq:annotations"

      }

   },

   "allow14":{

      "jcr:primaryType":"rep:GrantACE",

      "rep:principalName":"annotations-group-example",

      "rep:privileges":[

         "rep:write"

      ],

      "rep:restrictions":{

         "jcr:primaryType":"rep:Restrictions",

         "rep:glob":"/*/cq:annotations/*"

      }

   },

   "allow15":{

      "jcr:primaryType":"rep:GrantACE",

      "rep:principalName":"annotations-group-example",

      "rep:privileges":[

         "rep:write"

      ],

      "rep:restrictions":{

         "jcr:primaryType":"rep:Restrictions",

         "rep:itemNames":[

            "cq:lastModified"

         ]

      }

   },

   "allow16":{

      "jcr:primaryType":"rep:GrantACE",

      "rep:principalName":"annotations-group-example",

      "rep:privileges":[

         "rep:write"

      ],

      "rep:restrictions":{

         "jcr:primaryType":"rep:Restrictions",

         "rep:itemNames":[

            "cq:lastModifiedBy"

         ]

      }

   },

   "allow17":{

      "jcr:primaryType":"rep:GrantACE",

      "rep:principalName":"annotations-group-example",

      "rep:privileges":[

         "rep:write"

      ],

      "rep:restrictions":{

         "jcr:primaryType":"rep:Restrictions",

         "rep:itemNames":[

            "jcr:lastModified"

         ]

      }

   },

   "allow18":{

      "jcr:primaryType":"rep:GrantACE",

      "rep:principalName":"annotations-group-example",

      "rep:privileges":[

         "rep:write"

      ],

      "rep:restrictions":{

         "jcr:primaryType":"rep:Restrictions",

         "rep:itemNames":[

            "jcr:lastModifiedBy"

         ]

      }

   }

}

As a workaround, we did something like this:

# Allows user to annotate on the pages(wildcard for everything below jcr:content, excluding jcr:content itself) but blocks modifying page properties by restricting access on jcr:content node. See also Jackrabbit Oak – Restriction Management

            - path: /content/we-retail/en

              permission: allow

              privileges: rep:write

              restrictions:

              repGlob: '/*/jcr:content/*'

This will give a permission to create, edit, modify everything below jcr:content(excluding jcr:content).

This can be done with normal path-based ACLs, but you need to allow more than just access to cq:annotations.


EDIT: I forgot to mention, the permissions below are on the /content node as allow with jcr:read & rep:write base permissions, and restrictions based on the lists below.

You need to allow write for the following rep:globs

• /*/cq:annotations
• /*/cq:annotations/*

You also need to allow write for the following rep:itemNames

• cq:lastModified
• cq:lastModifiedBy

I also added these rep:itemNames for good measure

• jcr:lastModified
• jcr:lastModifiedBy

The rep:itemNames are needed because when AEM makes annotations updates the cq:lastModified/cq:lastModifiedBy for the page when an annotation is changed (add, modify, delete).

To create them you need crx/de or a similarly powerful tool for ACL management. With crx/de, I have 6 entries for permissions, one for each of the 6 items above.

bswx​ & omallianz, this might be something you are interested in as well.

Thank you for quick reply. But that's exactly what I tried. 

1) Gave read permission to all pages. 

2) Then added allow policy for the group with rep:glob as /*/cq:annotations/*   

Still I get access denied, also edit is enabled for the all pages. Any specific example would be nice to 

Hi there,

Thanks for reaching out to Adobe Community.

Right now the permissions on a page are available as per the below doc:

https://docs.adobe.com/docs/en/aem/6-0/administer/security/security.html#Actions

However, you can raise that one as a request if you feel the need of such features pretty often.

Thanks!

Thanks - yes often clients ask for more granular access - e.g. access to only edit a single parsys or component on a particular page.  

I think the use case of being able to annotate without edit would be very common

Thanks Jörg

It's good to know that Principle ACLs with wildcards can be utilised to achieve annotation capability, although I'm going to state that these look a bit tricky for a System Administrator to configure in their current state.  

I'm trying to think of the best implementation - Maybe create a script or package that could be run by a Sys Admin.

It would be great if the product could be enhanced to support this as a usable function

Regards,

Tim