Question
How do I set user and group ACLs directly in CRX rather than in the CQ5 User Administration ("CQ5 Security") screen?
Overview
In CRX 2.0 / JCR 2.0 the security model changed. In the new security model, user access is defined via access control policies [1].
In CQ5, the user and group security model makes use of the standard repository privileges for JCR 2.0 [2] (as defined by the org.apache.jackrabbit.core.security.authorization.acl.ACLTemplate access control policy).
Here are some things you should know about the new security model:
- The "inherit" option no longer exists when allowing or denying access via the "CQ5 Security" administration screen.
- When you set
allowordenypermission on a given node then 3 scenarios are possible:- if the same ACE (Access Control Entry) is being inherited from a parent node and no matching ACE already exists on the node then nothing will be done.
- if the same ACE is being inherited from a parent node and a matching ACE is already defined on that path then it will be removed.
- if the same ACE is not being inherited from a parent node then the ACE will be created for that node.
- If a user is assigned membership to 2 groups and both groups have an ACE defined on the same node then the order that the access will be applied to the user is the order that they appear in "CRX Explorer" in the Security >> -> Access Control Editor... dialog. In this dialog the ACEs can be reordered via drag and drop.
To demonstrate, here is an example: group1 and group2 have access controls set for the path /content/geometrixx; group1 has deny read and group2 has allow read and user1 has membership to both group1 and group2 (exclusively). With this configuration then the access will be evaluated in the order as shown in the CRX Access Control Editor... dialog.
Answer, Resolution
In CQ5.3 and later versions, the allow/deny rules (ACEs) shown in the "CQ5 Security" (aka "User Administration") screen do not have a one to one relationship with the actual ACEs that are set in the CRX 2.x repository. The table below shows how the access controls map from CQ5 to the CRX repository:
| CRX1.4.2 | CQ5.2.1+ | CRX2.0 |
| read | read | jcr:read |
| create node | create | jcr:addChildNodes, jcr:nodeTypeManagement |
| set property | modify | jcr:modifyProperties, jcr:versionManagement, jcr:lockManagement |
| remove node | delete | jcr:removeNode, jcr:removeChildNodes |
| read acl | read ACL | jcr:readAccessControl |
| edit acl | modify ACL | jcr:modifyAccessControl |
To edit ACEs in CRX2.0:
- Log into the
http://<host>:<port>/crxweb application (http://<host>:<port>/crx/explorer in CQ5.5+) - Open Content Explorer
- Select the node you want to set ACLs on (make sure that if the node is versionable that it is not checked in, see the CRX documentation for more on this concept)
- On the top of the "CRX Explorer" window open Security >> => Access Control Editor... to open the security dialog
- In the security dialog, enable the checkbox for ACL under "Applicable Access Control Policies" then click Set Selected Policies
- click Add ACE to add a new ACE (Access Control Entry)
- browse for a user or group
- select allow or deny
- set the privileges associated with the entry
- save by clicking Ok or Apply on the bottom right of the dialog (if the "Ok" or "Apply" buttons are not visible then re-size the dialog to make it larger)
Applies to
CQ5.3, CQ5.4, CQ5.5
References
[1] http://www.day.com/specs/jcr/2.0/16_Access_Control_Management.html#AccessControlPolicies
[2] http://www.day.com/specs/jcr/2.0/16_Access_Control_Management.html (see section 16.2.3 Standard Privileges)
Twitter™ and Facebook posts are not covered under the terms of Creative Commons.