Thursday, November 5, 2020

Users and Groups In AEM

 


Users

 

Users have privileges to log in to AEM with their account.

Each user account is unique and holds the basic account details, together with the privileges assigned.

Users are often members of groups, which simplify the allocation of these permissions and/or privileges.

 

Groups

 

Groups are collections of users and/or other groups; these are all called members of a group.

The primary purpose of creating a group is to simplify maintenance by reducing the number of entities to be updated: a change made to a group is applied to all members of the group.

Note: Groups usually remain stable, whereas users come and go more frequently.

 

Built-In Users

 

AEM installs a number of users and groups by default. These can be seen when you first access the Security Console after installation.

· admin user - System administration account with full access rights.

· author user - An author account allowed to write to /content. Can be used as a webmaster, as it has access to the entire /content tree.

· anonymous user - Holds the default rights for unauthenticated access to an instance. By default this holds the minimum access rights.

 

Built-In Groups


· administrators - Group that gives administrator rights to all its members. Only admin is allowed to edit this group. This group has full access rights.

· content-authors - Group responsible for content editing. Requires read, modify, create and delete permissions.

· contributor - Basic privileges which allow the user to write content.

· dam-users - Out-of-the-box reference group for a typical AEM Assets user. Members of this group have appropriate privileges to enable uploading/sharing of assets and collections.

· everyone - Every user in AEM is a member of the group everyone, even though you may not see the group or the membership relation in all tools. This group can be thought of as the default rights, as it can be used to apply permissions for everyone, even users that will be created in the future.

· user-administrators - Authorizes user administration, that is, the right to create users and groups.


Providing Permissions to Users/Groups

 

You can check users/groups and their permissions from the User Admin console by accessing:

http://localhost:4502/useradmin

Go to the Permissions tab to assign permissions:

You can change the permissions granted/denied to a given user by selecting/clearing the checkboxes for the individual AEM actions. A check mark indicates that an action is allowed. No check mark indicates that an action is denied.

Definition of * and ! in the above table:

* - There is at least one local entry (either effective or ineffective).

! - There is at least one entry that currently has no effect.

Checking access in CRXDE:

To review the ACLs that are included:

Go to CRXDE and select the Access Control tab.

Note: If no permissions are defined for a page then all actions are denied.

 

Some recommendations for maintaining users/groups:

· Do not assign permissions directly to users. Assign them only to groups.

This will simplify maintenance, as the number of groups is much smaller than the number of users, and also less volatile.

· If you want a group/user to be able only to modify pages, do not grant them create or delete rights. Only grant them modify and read rights.

· Use Deny sparingly. As far as possible use only Allow.

· Using Deny can cause unexpected effects if the permissions are applied in a different order than the order expected.

· If a user is a member of more than one group, the Deny statements from one group may cancel the Allow statements from another group, or vice versa.

It is hard to keep an overview when this happens, and it can easily lead to unforeseen results, whereas Allow assignments do not cause such conflicts.
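The permission handling described above can also be done through the Jackrabbit/Oak user-management API that AEM exposes. The following is an added example, not code from the original post: it grants read and modify on a content path to a group (never to a user) using Allow entries only, lists the resulting ACL the way CRXDE's Access Control tab shows it, and evaluates what a given user effectively gets through all of its group memberships, which is where conflicting Allow/Deny entries from different groups become visible. The path /content/example, the group id content-editors and the user id user-A are assumptions for the example; adminSession is a session with sufficient rights that the caller obtains elsewhere (for instance by adapting a service user's ResourceResolver to Session).

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

/**
 * Added example (not from the original post). CONTENT_PATH and GROUP_ID are
 * assumed values; adminSession is supplied by the caller.
 */
public class GroupPermissions {

    static final String CONTENT_PATH = "/content/example";   // assumed path
    static final String GROUP_ID = "content-editors";        // assumed group id

    /** Allow read + modify for the group on CONTENT_PATH. No Deny entry is written. */
    static void grantReadModify(Session adminSession) throws RepositoryException {
        UserManager um = ((JackrabbitSession) adminSession).getUserManager();
        Authorizable target = um.getAuthorizable(GROUP_ID);
        if (!(target instanceof Group)) {
            // Recommendation from the post: permissions go to groups, not to users.
            throw new IllegalStateException("not a group: " + GROUP_ID);
        }
        // jcr:read plus the privileges behind the console's "modify" action.
        String[] privileges = {
            Privilege.JCR_READ,
            Privilege.JCR_MODIFY_PROPERTIES,
            Privilege.JCR_LOCK_MANAGEMENT,
            Privilege.JCR_VERSION_MANAGEMENT
        };
        AccessControlUtils.addAccessControlEntry(
            adminSession, CONTENT_PATH, target.getPrincipal(), privileges, true /* allow */);
        adminSession.save();
    }

    /** Print the local ACL of a path, i.e. what CRXDE's Access Control tab lists for that node. */
    static void printAcl(Session session, String path) throws RepositoryException {
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, path);
        if (acl == null || acl.isEmpty()) {
            System.out.println(path + ": no local entries (only inherited ones can apply)");
            return;
        }
        for (AccessControlEntry ace : acl.getAccessControlEntries()) {
            boolean allow = ((JackrabbitAccessControlEntry) ace).isAllow();
            StringBuilder names = new StringBuilder();
            for (Privilege p : ace.getPrivileges()) {
                names.append(p.getName()).append(' ');
            }
            System.out.printf("%s %-5s %s -> %s%n", path, allow ? "ALLOW" : "DENY",
                ace.getPrincipal().getName(), names.toString().trim());
        }
    }

    /** Does userId hold all named privileges on path, evaluated for the user and every group it is in? */
    static boolean userHasPrivileges(Session adminSession, String userId, String path,
                                     String... privilegeNames) throws RepositoryException {
        JackrabbitSession js = (JackrabbitSession) adminSession;
        UserManager um = js.getUserManager();
        Authorizable user = um.getAuthorizable(userId);
        if (user == null) {
            return false;
        }
        Set<Principal> principals = new HashSet<>();
        principals.add(user.getPrincipal());
        Iterator<Group> groups = user.memberOf();          // transitive group membership
        while (groups.hasNext()) {
            principals.add(groups.next().getPrincipal());
        }
        Authorizable everyone = um.getAuthorizable("everyone");
        if (everyone != null) {
            principals.add(everyone.getPrincipal());       // every user is in everyone
        }
        JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) js.getAccessControlManager();
        Privilege[] wanted = AccessControlUtils.privilegesFromNames(js, privilegeNames);
        return acm.hasPrivileges(path, principals, wanted);
    }

    /** Wire the three steps together; call with an admin or service session. */
    static void demo(Session adminSession) throws RepositoryException {
        grantReadModify(adminSession);
        printAcl(adminSession, CONTENT_PATH);
        System.out.println(userHasPrivileges(adminSession, "user-A", CONTENT_PATH,
            Privilege.JCR_READ, Privilege.JCR_MODIFY_PROPERTIES));
        // On a subtree where none of the user's principals has an entry, the default applies: denied.
        System.out.println(userHasPrivileges(adminSession, "user-A", "/content/unconfigured",
            Privilege.JCR_READ));
    }
}
```

The check in userHasPrivileges is the programmatic counterpart of the check marks in the useradmin console: it asks the repository for the effective result for a set of principals rather than reading individual entries, so a Deny inherited through one group that cancels an Allow from another shows up as a plain false.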

 

Impersonating another User


With the Impersonate functionality, a user can work on behalf of another user.

This means that if user-B is allowed to impersonate user-A, then user-B can take actions using the full account details of user-A.

This allows the impersonator account to complete tasks as if it were using the account it is impersonating; for example, during an absence or to share an excessive load short-term.

Note: For impersonation to work for non-admin users, the impersonator (in the above case user-B) is required to have READ permissions on the /home/users path.

A user can impersonate another user by opening http://localhost:4502/aem/start.html and selecting the profile icon.
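The same grant can be made and used through the API. This is an added example, not code from the original post: it records user-B as an allowed impersonator of user-A, opens a session as user-A from user-B's own login after checking the READ requirement on /home/users mentioned in the note, and revokes the grant again once the absence is over. adminSession, the Repository reference and user-B's password are supplied by the caller; the user ids are the ones used in the text above.

```java
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;

/** Added example (not from the original post); sessions and credentials come from the caller. */
public class ImpersonationGrants {

    /** Record impersonatorId (user-B) as an allowed impersonator of targetId (user-A). */
    static boolean allowImpersonation(Session adminSession, String targetId, String impersonatorId)
            throws RepositoryException {
        UserManager um = ((JackrabbitSession) adminSession).getUserManager();
        User target = (User) um.getAuthorizable(targetId);
        User impersonator = (User) um.getAuthorizable(impersonatorId);
        if (target == null || impersonator == null) {
            throw new IllegalArgumentException("both users must exist");
        }
        // Stored on user-A's node as rep:impersonators; false means user-B was already listed.
        boolean changed = target.getImpersonation().grantImpersonation(impersonator.getPrincipal());
        adminSession.save();
        return changed;
    }

    /** Remove the grant again, e.g. when user-A is back from absence. */
    static boolean revokeImpersonation(Session adminSession, String targetId, String impersonatorId)
            throws RepositoryException {
        UserManager um = ((JackrabbitSession) adminSession).getUserManager();
        User target = (User) um.getAuthorizable(targetId);
        User impersonator = (User) um.getAuthorizable(impersonatorId);
        boolean changed = target.getImpersonation().revokeImpersonation(impersonator.getPrincipal());
        adminSession.save();
        return changed;
    }

    /** user-B logs in with its own credentials and then works on behalf of user-A. */
    static Session workAs(Repository repository, String impersonatorId, char[] impersonatorPassword,
                          String targetId) throws RepositoryException {
        Session sessionB = repository.login(new SimpleCredentials(impersonatorId, impersonatorPassword));
        try {
            // Caveat from the post: a non-admin impersonator needs READ on /home/users.
            if (!sessionB.hasPermission("/home/users", Session.ACTION_READ)) {
                throw new IllegalStateException(impersonatorId + " cannot read /home/users");
            }
            // Empty password: the repository checks the impersonation grant, not user-A's credentials.
            return sessionB.impersonate(new SimpleCredentials(targetId, new char[0]));
        } finally {
            sessionB.logout();   // the impersonated session is a separate session and stays valid
        }
    }
}
```

The session returned by workAs reports user-A as its user id and carries user-A's permissions, which is exactly why the grant should be time-boxed with revokeImpersonation rather than left in place.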

 



Creating New Users and Groups

Navigate to the User Admin console and select Edit:

Enter values for creating a user:

Enter values for creating a group:

Adding a user or group to a group:

1. Double-click the name of the account (user or group) that you want to assign to a group.

2. Click the Groups tab. You see a list of groups that the account already belongs to.

3. In the tree list, click the name of the group you want to add the account to and drag it to the Groups pane.

(If you want to add multiple users, Shift+click or Control+click those names and drag them.)

NOTE: Don't forget to click Save.
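The console steps above (create a user, create a group, add the account to a group, save) have a direct API equivalent. The following is an added example, not code from the original post: it uses the Jackrabbit UserManager to create a user with a profile field, create a group, add a user or a nested group as a member, and print the direct and effective memberships the Groups tab displays. The ids user-A and content-editors, the password and the profile value are constructed for the example; content-authors is the built-in group named earlier; adminSession is supplied by the caller.

```java
import java.util.Iterator;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;

/** Added example (not from the original post); ids and values below are constructed. */
public class CreateUsersAndGroups {

    static UserManager userManager(Session session) throws RepositoryException {
        return ((JackrabbitSession) session).getUserManager();
    }

    /** Equivalent of the "create user" form: id, password and a profile field. */
    static User createUser(Session adminSession, String userId, String password, String givenName)
            throws RepositoryException {
        UserManager um = userManager(adminSession);
        if (um.getAuthorizable(userId) != null) {
            throw new IllegalStateException("authorizable already exists: " + userId);
        }
        User user = um.createUser(userId, password);
        // The form's profile fields live under the user's profile node.
        Value name = adminSession.getValueFactory().createValue(givenName);
        user.setProperty("profile/givenName", name);
        adminSession.save();
        return user;
    }

    /** Equivalent of the "create group" form. */
    static Group createGroup(Session adminSession, String groupId) throws RepositoryException {
        UserManager um = userManager(adminSession);
        if (um.getAuthorizable(groupId) != null) {
            throw new IllegalStateException("authorizable already exists: " + groupId);
        }
        Group group = um.createGroup(groupId);
        adminSession.save();
        return group;
    }

    /** Steps 1-3 plus the save: a user OR another group can be made a member of a group. */
    static boolean addMember(Session adminSession, String groupId, String memberId)
            throws RepositoryException {
        UserManager um = userManager(adminSession);
        Authorizable group = um.getAuthorizable(groupId);
        Authorizable member = um.getAuthorizable(memberId);
        if (!(group instanceof Group) || member == null) {
            throw new IllegalArgumentException(groupId + " must be a group and " + memberId + " must exist");
        }
        boolean added = ((Group) group).addMember(member);   // false if already a member
        adminSession.save();                                  // "Don't forget to click Save"
        return added;
    }

    /** The Groups tab: direct memberships first, then everything inherited through nested groups. */
    static void printMembership(Session session, String id) throws RepositoryException {
        Authorizable a = userManager(session).getAuthorizable(id);
        System.out.println("direct:");
        for (Iterator<Group> it = a.declaredMemberOf(); it.hasNext();) {
            System.out.println("  " + it.next().getID());
        }
        System.out.println("effective (including nested groups):");
        for (Iterator<Group> it = a.memberOf(); it.hasNext();) {
            System.out.println("  " + it.next().getID());
        }
    }

    static void demo(Session adminSession) throws RepositoryException {
        createUser(adminSession, "user-A", "change-me-on-first-login", "Alice");  // constructed values
        createGroup(adminSession, "content-editors");
        addMember(adminSession, "content-editors", "user-A");
        addMember(adminSession, "content-authors", "content-editors");  // nest under the built-in group
        printMembership(adminSession, "user-A");
    }
}
```

Nesting content-editors under content-authors is the API form of the recommendation to assign permissions only to groups: user-A inherits the built-in group's rights without a single entry being written for the user itself.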

 

 
