wttech / APM

AEM Permission Management (APM) is an AEM-based, cloud-compatible tool focused on streamlining permission configuration.
Apache License 2.0

STRICT READ #435

Open murleehyd opened 6 months ago

murleehyd commented 6 months ago

Hi there,

I am trying to set up group rights where a user should see only a specific or dedicated folder to create and edit pages with STRICT permission: glob='STRICT' ['READ']. However, this does not seem to take effect, as the user is able to see all folders under /content.

Am I doing something wrong here? Please advise.

Thank you

murleehyd commented 6 months ago

can you help on this, please?

dominik-przybyl-wttech commented 6 months ago

Hi @murleehyd , could you provide script with this entry?

murleehyd commented 6 months ago

Hi @dominik-przybyl-wttech

FOR-GROUP 'Murali_Admin' BEGIN

# System Configs Rights
ALLOW '/' glob='STRICT' ['READ']
ALLOW '/jcr:system' ['READ']
ALLOW '/apps' ['READ']
ALLOW '/libs' ['READ']
ALLOW '/etc' ['READ']
ALLOW '/system' ['READ']
ALLOW '/conf' ['READ']
ALLOW '/etc/workflow/instances' ['READ', 'CREATE', 'MODIFY']

# TAG Rights
ALLOW '/content/cq:tags' glob='STRICT' ['READ']
ALLOW '/content/cq:tags/a1' ['ALL']
ALLOW '/content/cq:tags/basic' ['ALL']
ALLOW '/content/cq:tags/dam' ['ALL']
ALLOW '/content/cq:tags/default' ['ALL']
ALLOW '/content/cq:tags/a2' ['ALL']
ALLOW '/content/cq:tags/a3' ['ALL']
ALLOW '/content/cq:tags/a4' ['ALL']
ALLOW '/content/cq:tags/a5' ['ALL']
ALLOW '/content/cq:tags/a6' ['ALL']
ALLOW '/content/cq:tags/a7' ['ALL']
ALLOW '/content/cq:tags/a8' ['ALL']
ALLOW '/content/cq:tags/a9' ['ALL']
ALLOW '/content/cq:tags/a10' ['ALL']

# DAM Rights
ALLOW '/content/dam' glob='STRICT' ['READ']
ALLOW '/content/dam/global' ['ALL']
ALLOW '/content/dam/Murali' ['ALL']

# Experience Fragments Rights
ALLOW '/content/experience-fragments' glob='STRICT' ['READ']
ALLOW '/content/experience-fragments/Murali' ['ALL']

# Content Folders and Pages Rights
ALLOW '/content' glob='STRICT' ['READ']
ALLOW '/content/sites' glob='STRICT' ['READ']
ALLOW '/content/sites/' glob='jcr:content' ['READ']

# Masters Content Folder and Pages Rights
ALLOW '/content/sites/masters' glob='STRICT' ['READ']
ALLOW '/content/sites/masters/MuraliRo' ['READ']
ALLOW '/content/sites/masters/Murali' ['ALL']

# Local Content Folders and Pages Rights
ALLOW '/content/sites/Murali' ['ALL']
ALLOW '/content/sites/MuraliRo' glob='STRICT' ['READ']

END

murleehyd commented 5 months ago

@dominik-przybyl-wttech - any advice?

dominik-przybyl-wttech commented 5 months ago

@murleehyd,

you can use other restrictions, for instance:

#Content Folders and Pages Rights
ALLOW '/content' restrictions={'rep:current': ['*']} ['READ']  
ALLOW '/content/sites' restrictions={'rep:current': ['*']} ['READ']
ALLOW '/content/sites' glob='/jcr:content*' ['READ']   

#Masters Content Folder and Pages Rights
ALLOW '/content/sites/masters' restrictions={'rep:current': ['*']} ['READ']
ALLOW '/content/sites/masters' glob='/jcr:content*' ['READ']   
ALLOW '/content/sites/masters/MuraliRo' ['READ']
ALLOW '/content/sites/masters/Murali' ['ALL']

or

#TAG Rights
ALLOW '/content/cq:tags' restrictions={'rep:current': ['*']} ['READ']
ALLOW '/content/cq:tags' restrictions={'rep:globs': ['/a*', '/basic*', '/dam*', '/default*']} ['READ']

Release with rep:current and rep:globs support is scheduled for Wednesday, March 27.

murleehyd commented 5 months ago

@dominik-przybyl-wttech

Thank you. I have tried as suggested; however, I end up with an error message:

ALLOW | "/"["READ"]restrictions={rep:current: [""]} |   | Invalid name: Execution interrupted

dominik-przybyl-wttech commented 5 months ago

True, the fix will be released on Wednesday, March 27.

dprzybyl commented 5 months ago

Hi @murleehyd, apm v5.7.1 is now available

murleehyd commented 4 months ago

@dominik-przybyl-wttech @dprzybyl - perhaps I haven't provided correct info on what I am trying to achieve. Apologies, and here is the approach I am looking to get working. The structure is like this: [image]

So with STRICT READ on OnPrem we are able to achieve, for a user group, seeing only the following folders:

- /content/sites
- /content/sites/masters
- /content/sites/Folder A

and the user group does not see the folders below:

- /content/campaigns
- /content/outbound-marketing
- /content/**sitesassets
- /content/sites/Folder B

However, using the following I am unable to achieve it:

ALLOW '/content' restrictions={'rep:current': ['*']} ['READ']

Perhaps you have better suggestion, to have the user group to see dedicated folder only without using 'DENY' right.

Thank you in advance, Murali

murleehyd commented 4 months ago

@dprzybyl @dominik-przybyl-wttech - I think I found the root cause: glob='STRICT' ['READ'] as well as restrictions={'rep:current': ['*']} ['READ'] were not taking effect because of the Contributors group in AEM Cloud, which gives read access to the users.

Once you have reviewed my comments this can be closed as Resolved, unless you want me to share more info :)
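The two points raised in this thread, the restriction semantics behind glob='STRICT' / rep:glob / rep:current and the root cause that a broad READ grant from another group (Contributors) makes the restricted entries ineffective, can be reproduced with a small model of Oak-style ACE evaluation. This is an added illustration, not APM or Oak code; it uses simplified matching (`*` matches any characters including `/`, an empty rep:glob matches only the target node, rep:current is modelled as node-only) and a constructed tree in which `/content/sites/Other` stands in for "Folder B".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class Ace:
    path: str                    # node the entry is set on
    privileges: Set[str]
    glob: Optional[str] = None   # rep:glob; '' is what APM's glob='STRICT' produces
    rep_current: bool = False    # rep:current restriction: target node only (simplified)

def _glob_regex(glob: str):
    # Simplified Oak glob: '*' matches any run of characters, including '/'.
    return re.compile("".join(".*" if c == "*" else re.escape(c) for c in glob) + r"\Z")

def applies(ace: Ace, path: str) -> bool:
    if ace.rep_current:
        return path == ace.path
    if ace.glob is None:                       # unrestricted: node and every descendant
        return path == ace.path or path.startswith(ace.path.rstrip("/") + "/")
    if not path.startswith(ace.path):          # glob is matched against the remainder
        return False
    return _glob_regex(ace.glob).match(path[len(ace.path):]) is not None

def can_read(aces: List[Ace], path: str) -> bool:
    # Only ALLOW entries appear in the thread, so any applicable grant is enough.
    return any(applies(a, path) and (a.privileges & {"READ", "ALL"}) for a in aces)

def visible(aces: List[Ace], tree: List[str]) -> List[str]:
    return [p for p in tree if can_read(aces, p)]

# Constructed from the /content part of the script posted in the thread.
GROUP_ACES = [
    Ace("/content", {"READ"}, glob=""),
    Ace("/content/sites", {"READ"}, glob=""),
    Ace("/content/sites", {"READ"}, glob="/jcr:content*"),
    Ace("/content/sites/masters", {"READ"}, glob=""),
    Ace("/content/sites/masters/Murali", {"ALL"}),
    Ace("/content/sites/Murali", {"ALL"}),
    Ace("/content/sites/MuraliRo", {"READ"}, glob=""),
]
# A broad, unrestricted READ on /content, as another group membership would add.
CONTRIBUTORS_READ = Ace("/content", {"READ"})

TREE = ["/content", "/content/campaigns", "/content/sites", "/content/sites/jcr:content",
        "/content/sites/masters", "/content/sites/masters/Murali",
        "/content/sites/Murali", "/content/sites/MuraliRo", "/content/sites/Other"]
```

With only the group's entries, `/content/campaigns` and `/content/sites/Other` are hidden; adding the unrestricted grant makes the whole tree readable, which is why checking the user's effective permissions (all groups) rather than the single script is the useful verification step.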