Can default Admin have read access to etc/package (repository) in publisher instance?

By default, there is a deny jcr:read ACE for everyone on the /etc/packages node. By design, no one (=everyone) has read access to /etc/packages on the publisher instance. This is defined in the runmode-specific configuration for the ACL Setup service at /libs/cq/security/config.publish/

Granting explicitly the read permission on the /etc/packages node in publisher for your user in addition to adding the user to the administrators groups provides read access to the node, overriding the everyone permission.

This restriction prevents access to the etc/packages node, as installing/uninstalling or downloading the packages including the code could present a security risk. As such, the default is no read access. Applying this permission at the packages node level allows this to inherit to all sub nodes (such as the packages). Access to the packages can provide access to the code or content packages, which may be deemed a security risk.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy