search

Netcentric / accesscontroltool

Rights and roles management for AEM made easy
Eclipse Public License 1.0
150 stars 91 forks source link

More restrictive service user rights #765

Open kwin opened 2 months ago

kwin commented 2 months ago

Currently the (single) service user is used for almost all operations and grants full access to the repository.

set principal ACL for actool-service
    allow jcr:all on /
    allow jcr:all on :repository 
end

The permissions should be limited to what is actually necessary.

kwin commented 2 months ago

The necessary permissions differ by functionality:

  1. Dumping Authorizables/ACLs
    • jcr:read on /home/users and /home/groups
    • jcr:readACL on /
  2. Installing ACTool configurations
    • jcr:readACL and jcr:modifyACL on /
    • jcr:read and jcr:write on /home/users/ and /home/groups
    • potentially jcr:write anywhere due to initialContent
    • jcr:read inside configurationRootPath
  3. Writing/Reading ACTool history
    • jcr:read/write on /var/statistics/actool and /apps/netcentric/achistory