Question
In some cases it might be useful to restrict access to, and thus the visibility of, selected workflow-models for specific users/groups. How is it possible to assign effective permissions on workflow-models, which are not visible in the CQ5 Security Admin?
Answer, Resolution
In order to set ACLs on workflow-models, the CRX Content Explorer has to be used. The following steps exemplify how to deny READ access to the Publish Example workflow-model.
Please note: depending on the actual CQ version, the procedure differs slightly.
CQ5.1, CQ5.2.x
- logged in as admin, open the crx.default workspace with the CRX Content Explorer
- navigate to the Publish Example workflow-model: /etc/workflow/models/publish_example
- make sure the node is selected in the tree on the left
- in the upper toolbar, click on the Versions button and select Checkout
- the workflow-model is now editable
- next click on the Security button and select ACL Editor
- create a New Permission, select a group and deny READ (leave the rest untouched)
- click Apply and close the window
- now checkin the workflow-model via Versions -> Checkin
At this point, all members of the above group will neither see the Publish Example workflow-model in the sidekick nor in the workflow-console.
CQ5.3
- logged in as admin, open the crx.default workspace with the CRX Content Explorer and checkout the workflow-model node (same as above)
- next click on the Security button and select Access Control Editor
- in the Applicable Access Control Policies section, mark the checkbox next to org.apache.jackrabbit.core.security.authorization.acl.ACLTemplate
- click on Set selected policies
- next click on New ACE
- browse the Principal (user/group) for which a privilege is to be set
- DENY jcr:read and confirm
- click Apply and close the window
- now checkin the workflow-model via Versions -> Checkin
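The CQ5.3 steps above can also be scripted. The following is an added example, not part of the original article or of CQ itself: it assumes the repository exposes the JCR 2.0 access control API and the Jackrabbit API (which the ACLTemplate class named above belongs to), and that an admin session on crx.default is passed in. The class name, method names and the groupName parameter are hypothetical.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import javax.jcr.version.VersionManager;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;

public class DenyWorkflowModelRead {
    // Path of the Publish Example workflow-model, as given in the article.
    static final String MODEL = "/etc/workflow/models/publish_example";

    /** session: admin session on crx.default; groupName: hypothetical group id. */
    public static void denyRead(Session session, String groupName) throws RepositoryException {
        Principal group = ((JackrabbitSession) session).getPrincipalManager().getPrincipal(groupName);
        if (group == null) {
            throw new RepositoryException("Unknown principal: " + groupName);
        }
        // Versions -> Checkout, so that the node becomes editable.
        VersionManager vm = session.getWorkspace().getVersionManager();
        boolean versionable = session.getNode(MODEL).isNodeType("mix:versionable");
        if (versionable && !vm.isCheckedOut(MODEL)) vm.checkout(MODEL);

        AccessControlManager acm = session.getAccessControlManager();
        JackrabbitAccessControlList acl = findAcl(acm);
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        acl.addEntry(group, read, false);   // false = DENY, true would be ALLOW
        acm.setPolicy(MODEL, acl);          // "Set selected policies" + "Apply"
        session.save();                     // checkin requires no pending changes
        if (versionable) vm.checkin(MODEL); // Versions -> Checkin
    }

    // Use the applicable (not yet set) ACL if there is one, else the ACL already on the node.
    static JackrabbitAccessControlList findAcl(AccessControlManager acm) throws RepositoryException {
        AccessControlPolicyIterator it = acm.getApplicablePolicies(MODEL);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        for (AccessControlPolicy p : acm.getPolicies(MODEL)) {
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        throw new RepositoryException("No ACL policy available at " + MODEL);
    }
}
```

To confirm the result, log in as a member of the group and check that session.nodeExists for the model path returns false.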
Applies to
CQ5.1, CQ5.2.x, CQ5.3