
Normally an administrator relies on the Adobe AEM user manager tool to grant privileges and set up the main security policies, but some scenarios call for a more advanced configuration that has to be worked out in a different way.
One example is granting permission to view and edit pages only under a specific sub-tree of the repository. It looks like an easy task, but it turns out to be hard to arrange.

Let's sketch the repository structure we have to deal with:

→ content
    → projectA
        → en
            → SubHome1
            → SubHome2
                → Article1
                → Article2
                → Article3
        → it
    → projectB
    → projectC

Our goal is to provide full access to the SubHome2 page and all its children, without allowing the user to see any other page (i.e. SubHome1, the it language branch, etc.).
It would have been easy to grant the jcr:all privilege on SubHome2, but the Adobe AEM tools are based on path browsing, so every folder along the requested path must be visible in order to reach it.
In the tree above (colour-coded in the original post) we can in fact distinguish:

  • Green: Pages with full access
  • Orange: Pages with a partial read access (basically only the cq:Page and cq:PageContent nodes)
  • Gray: Pages not visible

To apply a security configuration like this we have to use the CRX tool (Access Control tab) and configure, for each folder, the policies listed below, leveraging the restriction management provided by Jackrabbit Oak (Documentation).

PATH                           PRIVILEGES                RESTRICTION              NOTE
/                              ALLOW jcr:read            rep:glob=""              Read permission on the root node only
/content                       ALLOW jcr:read            rep:glob=""              Read permission on the content node only
/content                       ALLOW rep:readProperties  (none)                   Read permission on node properties (needed for CRX navigation)
/content                       ALLOW jcr:read            rep:glob=/*/jcr:content  Read permission on jcr:content nodes (for page properties)
/content/projectA              ALLOW jcr:read            rep:glob=""              Read permission on the projectA node only
/content/projectA/en           ALLOW jcr:read            rep:glob=""              Read permission on the en node only
/content/projectA/en/SubHome2  ALLOW jcr:all             (none)                   Full access to the node and everything beneath it

Hint: to set an empty rep:glob value, fill the input field with two double quotes ("").
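To see which repository nodes each entry in the table actually reaches, here is an added Python model of Oak's rep:glob evaluation (example code, not Oak's implementation and not part of the original post); the ACE list mirrors the table and the page paths are constructed from the tree sketched above. It assumes Oak's documented semantics: the glob is appended to the ACE path, `*` also matches `/`, and an empty glob matches the ACE node alone.

```python
import re
from typing import Optional

# Simplified model of how Jackrabbit Oak evaluates an ACE path plus its
# rep:glob restriction (added example, not Oak's own code). Rules modelled:
# the glob is appended to the ACE path; '*' matches any run of characters,
# '/' included, so it spans tree levels; an empty glob matches the ACE node
# alone; no glob at all covers the node and its whole subtree.
def glob_matches(ace_path: str, glob: Optional[str], item_path: str) -> bool:
    if glob is None:
        return item_path == ace_path or item_path.startswith(ace_path + "/")
    pattern = "".join(".*" if c == "*" else re.escape(c) for c in ace_path + glob)
    return re.fullmatch(pattern, item_path) is not None

# The allow entries from the table, as (path, privilege, rep:glob);
# None means the entry carries no restriction.
ACES = [
    ("/", "jcr:read", ""),
    ("/content", "jcr:read", ""),
    ("/content", "rep:readProperties", ""),
    ("/content", "jcr:read", "/*/jcr:content"),
    ("/content/projectA", "jcr:read", ""),
    ("/content/projectA/en", "jcr:read", ""),
    ("/content/projectA/en/SubHome2", "jcr:all", None),
]

def granted(item_path: str, aces=ACES) -> set:
    """Privileges that at least one entry grants on the node at item_path."""
    return {priv for path, priv, glob in aces if glob_matches(path, glob, item_path)}

def classify(page_path: str, aces=ACES) -> str:
    """Map a cq:Page path onto the legend above: full, partial or hidden."""
    privs = granted(page_path, aces)
    if "jcr:all" in privs:
        return "full"
    if "jcr:read" in privs:
        return "partial"  # only the page node itself (plus what the glob entry reaches)
    return "hidden"

if __name__ == "__main__":
    # Constructed page paths following the tree sketched above.
    for page in ["/content", "/content/projectA", "/content/projectA/en",
                 "/content/projectA/en/SubHome1", "/content/projectA/en/SubHome2",
                 "/content/projectA/en/SubHome2/Article1", "/content/projectA/it",
                 "/content/projectB"]:
        print(f"{page:42} {classify(page)}")
    # '*' spans levels, so jcr:content under a hidden page is still matched.
    print(granted("/content/projectB/jcr:content"))  # {'jcr:read'}
```

Because `*` spans levels, the `/content` entry with `rep:glob=/*/jcr:content` also reaches the jcr:content nodes under SubHome1, the `it` branch and projectB, i.e. the page properties of pages the goal says should stay hidden. Anchoring that entry lower in the tree (on /content/projectA/en) or narrowing the glob keeps it to the intended pages.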

Once this is done, the end user will be able to use all the standard AEM tools and properly manage his own area, while the resources outside his scope remain protected.
