How to leverage rep:glob ACEs to manage permissions on multi-tenant systems

Search
Experience Manager User Guide

On this page

Applies to: Experience Manager

Objective

Our AEM instance has multiple tenants (e.g. different departments that shouldn't be able to access each other's sites and/or assets), how do we manage the permissions so that the tenants cannot view each other's content.

Environment

AEM 6.x.

Steps

To simplify managing permissions in a multi-tenant system, you can leverage rep:glob type ACLs.  These permissions allow you to grant users access only to what you want them to see versus having to use deny permissions.  They are defined with path patterns instead of being tied to the nodes they belong to.

To demonstrate how this is done, we will assume that we are securing a system where you have /content/siteA, /content/siteB, and /content/siteC and you want to secure it so users of siteA cannot view siteB or siteC, users of siteB cannot view A or C and C cannot view B or A. 

A. Create a group for each site

The first step is to create a common group and a group for each site's users.  For example, common-authors, siteA-authors, siteB-authors, siteC-authors.  Use the user administration UI to add the groups.

B. Grant the common-authors group read access to the /content like this:

  1. Go to http://host:port/crx/de/index.jsp and log in as admin.

  2. Browse to and select the node /content.

  3. In the bottom right panel select the Access Control tab.

  4. Click the green plus icon to the right to add a new Access Control Policy (the policy already exists if you already see access control entries listed - in that case go on to the next)

  5. Click the green plus icon that shows up after that to add a new Access Control Entry.

  6. Enter the Principal of the common user group common-authors.

  7. Select Allow for the Type.

  8. Enable the checkbox for jcr:read.

  9. Expand Advanced, under rep:glob enter double quotes "".

  10. Add two more Access Control Entry items for the samewith these settings: 

    Type Permissions rep:glob
    Allow jcr:read /jcr:primaryType
    Allow jcr:read /:childOrder

  11. Click OK.

C. Add access to modify the desired branch of experience fragments without being able to delete them.

  1. Now, also using CRXDe, go to the desired sub-path under /content/siteX, for example /content/siteA.

  2. In the bottom right panel select the Access Control tab

  3. Click the green plus icon to the right to add a new Access Control Policy (the policy already exists if you already see access control entries listed - in that case go on to the next step)

  4. Click the green plus icon again to add another Access Control Policy

  5. Enter the group id of the site as the Principal.

  6. Select Allow for the Type.

  7. Expand Advanced and enable the checkbox for the various permissions you would like to grant for full edit access, then enable jcr:readjcr:addChildNodesjcr:nodeTypeManagementjcr:modifyPropertiesjcr:versionManagementjcr:lockManagementjcr:removeNodejcr:removeChildNodesStep text.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy

Choose your region

Selecting a region changes the language and/or content on Adobe.com.

Americas
Brasil
Canada - English
Canada - Français
Latinoamérica
México
United States
Europe, Middle East and Africa
Africa - English
België
Belgique
Belgium - English
Česká republika
Cyprus - English
Danmark
Deutschland
Eesti
España
France
Greece - English
Ireland
Israel - English
Italia
Latvija
Lietuva
Luxembourg - Deutsch
Luxembourg - English
Luxembourg - Français
Magyarország
Malta - English
Middle East and North Africa - English
Nederland
Norge
Österreich
Polska
Portugal
România
Schweiz
Slovenija
Slovensko
Suisse
Suomi
Sverige
Svizzera
Türkiye
United Kingdom
България
Россия
Україна
الشرق الأوسط وشمال أفريقيا - اللغة العربية
ישראל - עברית
Asia - Pacific
Australia
Hong Kong S.A.R. of China
India - English
New Zealand
Southeast Asia (Includes Indonesia, Malaysia, Philippines, Singapore, Thailand, and Vietnam) - English
中国
中國香港特別行政區
台灣
日本
한국
Commonwealth of Independent States
Includes Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, Ukraine, Uzbekistan