Objective

How to work with AEM permissions using CRXDE to simplify the permission model.  This includes:

  1. Granting users access to only edit pages under a certain branch of /content without denying them access to all sibling nodes.
  2. Optionally denying them the ability to delete pages under that branch.

Steps

To explain how to allow users to modify content under a certain branch of content without 

1. Grant the user read access to /content/experience-fragments:

  1. Go to http://host:port/crx/de/index.jsp and log in as admin.

  2. Browse and select the node /content/experience-fragments.

  3. In the bottom right panel, select the Access Control tab.

  4. Click the green plus icon to the right to add Access Control Policy (the policy exists if you see access control entries listed - in that case, go to the next step).

  5. Click the green plus icon to add Access Control Entry.

  6. Enter a Principal which is the id of the group that you want to grant the access to.

  7. Enable the check box for jcr:read

  8. Expand Advanced, under rep:glob enter double quotes ""

  9. Click OK.

2. Add access to create, read, update, and delete pages in the desired branch of experience fragments.

  1. Using CRXDE, go to the desired subpath under /content/experience-fragments, for example /content/experience-fragments/intuit.

  2. In the bottom right panel, select the Access Control tab.

  3. Click the green plus icon to the right to add Access Control Policy (the policy exists if you see access control entries listed - in that case, go to the next step).

  4. Click the green plus icon to add a new Access Control Entry.

  5. Enter a Principal which is the id of the group that you want to grant the access to.

  6. Enable the check box for jcr:read and rep:write.

  7. Click OK.

3. Grant the users access to edit pages without allowing them to delete pages.

  1. Click the green plus icon again to add another Access Control Policy.

  2. Enter the same Principal as in the previous steps.

  3. Select Deny for the Type.

  4. Expand Advanced and enable the check boxes for jcr:removeChildNodes and rep:removeProperties.

  5. Click OK.

  6. Click the green plus icon to add a new Access Control Entry.

  7. Enter a Principal as in the previous steps.

  8. Expand Advanced and enable the check boxes for jcr:removeChildNodes and rep:removeProperties.

  9. Under rep:glob, enter */jcr:content*

  10. Click OK.
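
To check which nodes each entry from the steps above covers, the following added example (not part of the original article, and not Oak's own code) is a simplified Python model of rep:glob matching as described in the Jackrabbit Oak documentation. The page paths under the branch are constructed samples, and the last entry is assumed to be of type Allow because its steps do not select Deny.

```python
import re

def glob_matches(node_path, glob, target):
    """Simplified model: does an ACE set on node_path with this rep:glob
    value cover target? glob=None means the entry has no restriction."""
    if glob is None:                      # no restriction: node and all descendants
        return target == node_path or target.startswith(node_path.rstrip("/") + "/")
    if glob == "":                        # empty string: the node itself only
        return target == node_path
    pattern = node_path + glob            # the glob is appended to the node path
    if "*" not in glob:                   # plain suffix: that path and what lies below it
        return target == pattern or target.startswith(pattern.rstrip("/") + "/")
    # '*' stands for any run of characters, including '/'
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, target) is not None

XF = "/content/experience-fragments"
BRANCH = XF + "/intuit"
REMOVE = ("jcr:removeChildNodes", "rep:removeProperties")

# Entries from the steps above: (node, type, privileges, rep:glob).
ACES = [
    (XF, "allow", ("jcr:read",), ""),
    (BRANCH, "allow", ("jcr:read", "rep:write"), None),
    (BRANCH, "deny", REMOVE, None),
    (BRANCH, "allow", REMOVE, "*/jcr:content*"),  # type Allow is an assumption
]

def entries_for(path):
    """Indexes of the ACES whose node and rep:glob restriction cover path."""
    return [i for i, (node, _type, _privs, glob) in enumerate(ACES)
            if glob_matches(node, glob, path)]

if __name__ == "__main__":
    samples = [                           # constructed sample paths
        XF,
        XF + "/other-brand",
        BRANCH + "/page1",
        BRANCH + "/page1/jcr:content/root/text",
    ]
    for path in samples:
        print(path)
        for i in entries_for(path):
            node, ace_type, privs, glob = ACES[i]
            print(f"    {ace_type:5} {', '.join(privs)}  (rep:glob={glob!r} on {node})")
```

A sibling branch such as the constructed /content/experience-fragments/other-brand is covered by none of the entries, which is why the "" restriction in step 1 gives read access to the parent node without opening its other children.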
