STRICT READ #435

Open
murleehyd opened this issue Feb 15, 2024 · 10 comments

Comments

@murleehyd

Hi there,

I am trying to set up group rights where a user should see only a specific or dedicated folder to create and edit pages, with the STRICT permission: glob='STRICT' ['READ']. However, this does not seem to take effect, as the user is able to see all folders under /content.

Am I doing something wrong here? Please advise.

Thank you

@murleehyd
Author

murleehyd commented Feb 28, 2024

Can you help on this, please?

@dominik-przybyl-wttech
Contributor

Hi @murleehyd ,
could you provide the script with this entry?

@murleehyd
Author

murleehyd commented Mar 6, 2024

Hi @dominik-przybyl-wttech

FOR-GROUP 'Murali_Admin' BEGIN
#System Configs Rights
ALLOW '/' glob='STRICT' ['READ']
ALLOW '/jcr:system' ['READ']
ALLOW '/apps' ['READ']
ALLOW '/libs' ['READ']
ALLOW '/etc' ['READ']
ALLOW '/system' ['READ']
ALLOW '/conf' ['READ']
ALLOW '/etc/workflow/instances' ['READ', 'CREATE' ,'MODIFY']

#TAG Rights
ALLOW '/content/cq:tags' glob='STRICT' ['READ']
ALLOW '/content/cq:tags/a1' ['ALL']
ALLOW '/content/cq:tags/basic' ['ALL']
ALLOW '/content/cq:tags/dam' ['ALL']
ALLOW '/content/cq:tags/default' ['ALL']
ALLOW '/content/cq:tags/a2' ['ALL']
ALLOW '/content/cq:tags/a3' ['ALL']
ALLOW '/content/cq:tags/a4' ['ALL']
ALLOW '/content/cq:tags/a5' ['ALL']
ALLOW '/content/cq:tags/a6' ['ALL']
ALLOW '/content/cq:tags/a7' ['ALL']
ALLOW '/content/cq:tags/a8' ['ALL']
ALLOW '/content/cq:tags/a9' ['ALL']
ALLOW '/content/cq:tags/a10' ['ALL']

#DAM Rights
ALLOW '/content/dam' glob='STRICT' ['READ']
ALLOW '/content/dam/global' ['ALL']
ALLOW '/content/dam/Murali' ['ALL']

#Experience Fragments Rights
ALLOW '/content/experience-fragments' glob='STRICT' ['READ']
ALLOW '/content/experience-fragments/Murali' ['ALL']

#Content Folders and Pages Rights
ALLOW '/content' glob='STRICT' ['READ']
ALLOW '/content/sites' glob='STRICT' ['READ']
ALLOW '/content/sites/' glob='jcr:content' ['READ']

#Masters Content Folder and Pages Rights
ALLOW '/content/sites/masters' glob='STRICT' ['READ']
ALLOW '/content/sites/masters/MuraliRo' ['READ']
ALLOW '/content/sites/masters/Murali' ['ALL']

#Local Content Folders and Pages Rights
ALLOW '/content/sites/Murali' ['ALL']
ALLOW '/content/sites/MuraliRo' glob='STRICT' ['READ']

END

@murleehyd
Author

@dominik-przybyl-wttech - any advice?

@dominik-przybyl-wttech
Contributor

@murleehyd,

you can use other restrictions, for instance:

#Content Folders and Pages Rights
ALLOW '/content' restrictions={'rep:current': ['*']} ['READ']  
ALLOW '/content/sites' restrictions={'rep:current': ['*']} ['READ']
ALLOW '/content/sites' glob='/jcr:content*' ['READ']   

#Masters Content Folder and Pages Rights
ALLOW '/content/sites/masters' restrictions={'rep:current': ['*']} ['READ']
ALLOW '/content/sites/masters' glob='/jcr:content*' ['READ']   
ALLOW '/content/sites/masters/MuraliRo' ['READ']
ALLOW '/content/sites/masters/Murali' ['ALL']

or

#TAG Rights
ALLOW '/content/cq:tags' restrictions={'rep:current': ['*']} ['READ']
ALLOW '/content/cq:tags' restrictions={'rep:globs': ['/a*', '/basic*', '/dam*', '/default*']} ['READ']

Release with rep:current and rep:globs support is scheduled for Wednesday, March 27.

@murleehyd
Author

@dominik-przybyl-wttech

Thank you. I have tried as suggested; however, I am ending up with an error message:

ALLOW | "/"["READ"]restrictions={rep:current: ["*"]} |   | Invalid name: *Execution interrupted

@dominik-przybyl-wttech
Contributor

dominik-przybyl-wttech commented Mar 22, 2024

True, the fix will be released on Wednesday, March 27.

@dprzybyl
Collaborator

Hi @murleehyd,
apm v5.7.1 is now available.

@murleehyd
Author

murleehyd commented Apr 15, 2024

@dominik-przybyl-wttech @dprzybyl - perhaps I haven't provided the correct info on what I am trying to achieve. Apologies; here is the approach I am looking to get working.
The structure is like this:
[image: content folder structure]

So with STRICT READ on OnPrem we are able to have a user group see only the following folders:
/content/sites
/content/sites/masters
/content/sites/Folder A

and the user group does not see the folders below:
/content/campaigns
/content/outbound-marketing
/content/**********sitesassets
/content/sites/Folder B

However, using this I am unable to achieve it:
ALLOW '/content' restrictions={'rep:current': ['*']} ['READ']

Perhaps you have a better suggestion to have the user group see only the dedicated folder, without using the 'DENY' right.

Thank you in advance,
Murali

@murleehyd
Author

murleehyd commented Apr 18, 2024

@dprzybyl @dominik-przybyl-wttech - I think I found the root cause: glob='STRICT' ['READ'] as well as restrictions={'rep:current': ['*']} ['READ'] were not taking effect because of the Contributors group in AEM Cloud, which gives read access to the users.

Once you have reviewed my comments, this can be closed as Resolved, unless you want me to share more info :)
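The thread above comes down to two things: the rep:current and rep:glob scopes the contributor suggested, and the root cause in the last comment, namely that allow entries are unioned across every group a user belongs to, so a broad READ grant from the Contributors group makes the narrowly scoped entries look ineffective. The following is an added example, not part of the issue and not APM's or Oak's code, that models both points with a constructed content tree; `in_scope`, `visible_paths`, `broadening_aces`, the `CONTRIBUTORS_ACE` stand-in and the `Folder A/page` node are assumptions of the example.

```python
import re

# Constructed, simplified model of how Oak unions ALLOW entries across all of
# a user's principals. It is not Oak's evaluator: DENY and entry ordering are
# ignored. A scope is None (node plus subtree), "current" (rep:current, the
# target node only) or a rep:glob pattern matched against the path relative
# to the target, where '*' matches any characters, '/' included.
CONTENT_TREE = [  # constructed sample mirroring the structure in the issue
    "/content", "/content/sites", "/content/sites/masters",
    "/content/sites/Folder A", "/content/sites/Folder A/page",
    "/content/sites/Folder B", "/content/campaigns",
    "/content/outbound-marketing",
]

def in_scope(ace, node):
    """True if the entry (principal, path, privilege, scope) covers node."""
    _, path, _, scope = ace
    if not (node == path or node.startswith(path.rstrip("/") + "/")):
        return False
    if scope is None:
        return True
    if scope == "current":
        return node == path
    rel = node if path == "/" else node[len(path):]
    regex = re.escape(scope).replace(r"\*", ".*")
    return re.fullmatch(regex, rel) is not None

def visible_paths(aces, principals, tree=CONTENT_TREE):
    """Nodes readable by a user who holds all of the given principals."""
    return sorted(node for node in tree if any(
        a[0] in principals and a[2] == "READ" and in_scope(a, node)
        for a in aces))

def broadening_aces(aces, principals, intended, tree=CONTENT_TREE):
    """Entries that grant READ on nodes outside the intended set."""
    return [a for a in aces if a[0] in principals and a[2] == "READ"
            and any(in_scope(a, n) for n in tree if n not in intended)]

# The allow-only policy from the issue, expressed with rep:current scopes.
MURALI_ACES = [
    ("Murali_Admin", "/content", "READ", "current"),
    ("Murali_Admin", "/content/sites", "READ", "current"),
    ("Murali_Admin", "/content/sites", "READ", "/jcr:content*"),
    ("Murali_Admin", "/content/sites/masters", "READ", "current"),
    ("Murali_Admin", "/content/sites/Folder A", "READ", None),
]
# Hypothetical entry standing in for the Contributors group's read grant.
CONTRIBUTORS_ACE = ("contributors", "/content", "READ", None)
```

With only `Murali_Admin`, `visible_paths` returns just /content, /content/sites, /content/sites/masters and the Folder A subtree; adding `CONTRIBUTORS_ACE` to the user's principals makes the whole tree readable, and `broadening_aces` points at that entry as the one to review.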
