Configure CQ Permission

User Administration And Security

In this section we will cover how to configure CQ user and group permissions and privileges.

In CQ a user or group can be given different permissions (Allow or Deny) to perform different actions (Read, Write, Create, Modify, Read ACL or Write ACL). In addition, a user or group can have privileges to perform actions such as replication or impersonation.

CQ uses ACL evaluation to decide whether a user should have access to a particular resource.

There are some best practices that should be followed when assigning users, groups and permissions (Source).

Best Practice:

Use Groups.

Avoid assigning access rights on a user-by-user basis. There are several reasons for this:

  • You have many more users than groups, so groups simplify the structure.
  • Groups help provide an overview over all accounts.
  • Inheritance is simpler with groups.
  • Users come and go. Groups are long-term.

Be Positive.

Always use Allow statements to specify the group’s rights (wherever possible). Avoid using a Deny statement.

Groups are evaluated in order, and the order may be defined differently per user.

In other words: you may have little control over the order in which the statements are implemented and evaluated. If you use only Allow statements, the order does not matter.

Keep It Simple.

Investing some time and thought when configuring a new installation will be well repaid.

Applying a clear structure will simplify the ongoing maintenance and administration, ensuring that both your current colleagues and/or future successors can easily understand what is being implemented.

Test.

Use a test installation to practice and ensure that you understand the relationships between the various users and groups.

Default Users/Groups.

Always update the default users and groups immediately after installation to help prevent any security issues.

You should also know what the different actions and symbols mean when assigning permissions (Source):

  • Allow (check mark): AEM WCM allows the user to perform the action on this page or on any child pages.
  • Deny (no check mark): AEM WCM does not allow the user to perform the action on this page nor on any child pages.
  • * (asterisk): There is at least one local entry (either effective or ineffective). These wildcard ACLs are defined in CRX.
  • ! (exclamation mark): There is at least one entry that currently has no effect.

Assign permission:

  • To assign permissions, double-click on the user or group (group recommended).
  • Click on the Permissions tab.
  • Navigate to the path you want the group or user to have access to.
  • Select the permissions and click on Save.

CQ Assign Initial Permission

  • Note that in order to have access to a child resource, the group must first have access to the parent resource.

CQ Permission after save

  • You have to explicitly deny permission for resources you don't want the user or group to access.

CQ Permission After Deny
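To make the "Be Positive" argument and the parent-access note above concrete, here is a small Python model of ordered Allow/Deny evaluation. It is an added example, not CQ's own ACL code, and deliberately simplifies the real evaluation: each entry applies to a path and all its children, a user's groups are evaluated in membership order and the first matching entry wins; the group names and paths are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry; it applies to `path` and every child of it."""
    group: str
    path: str
    action: str   # e.g. "read", "modify", "create", "delete"
    allow: bool   # True = Allow (check mark), False = Deny


def _covers(ace: Ace, path: str, action: str) -> bool:
    # An entry on /content also covers /content/site, /content/site/en, ...
    return ace.action == action and (
        path == ace.path or path.startswith(ace.path.rstrip("/") + "/"))


def decide(aces: list[Ace], groups: list[str], path: str, action: str) -> bool:
    """Evaluate `groups` in the given order; the first matching entry wins.
    No matching entry at all means the action is denied (simplified model)."""
    for group in groups:
        for ace in aces:
            if ace.group == group and _covers(ace, path, action):
                return ace.allow
    return False


def is_allowed(aces: list[Ace], groups: list[str], path: str, action: str) -> bool:
    """Page's note: reaching a child also requires read access on every ancestor."""
    parts = path.strip("/").split("/")
    ancestors = ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    if not all(decide(aces, groups, anc, "read") for anc in ancestors):
        return False
    return decide(aces, groups, path, action)


def order_matters(aces: list[Ace], groups: list[str], path: str, action: str) -> bool:
    """True if the outcome changes when the user's groups are evaluated in reverse order."""
    forward = is_allowed(aces, groups, path, action)
    backward = is_allowed(aces, list(reversed(groups)), path, action)
    return forward != backward


# Constructed sample ACLs (hypothetical groups and paths, not from a real instance).
ALLOW_ONLY = [
    Ace("authors", "/content", "read", True),
    Ace("authors", "/content/site", "modify", True),
    Ace("reviewers", "/content", "read", True),
]
# Same entries plus one Deny: now the result for a member of both groups depends on order.
WITH_DENY = ALLOW_ONLY + [Ace("reviewers", "/content/site", "modify", False)]
```

With `ALLOW_ONLY`, `order_matters(...)` is False for a user in both groups; adding the single Deny in `WITH_DENY` makes it True, which is exactly why the guidance prefers Allow statements.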

Assign Replication Privilege:

Replication is the process of making authored content available on the publish instance. We will cover how to configure replication in the next lesson.

Sometimes you want to let authors create content but restrict them from making that content live on publish. You can do this by assigning replication privileges to users or groups.

  • Go to the User console.
  • Double-click on the user or group.
  • Click on Replication privilege for the path.
  • Note that in order for a user to have the replication privilege they should have read and write access to /etc/replication, /bin, /tmp and /var/eventing, and read access to /apps and /libs.
User Impersonation:

The last topic we will cover in user permissions is user impersonation. Sometimes you want to impersonate a different user to see how the site looks to them. For this you can use the impersonation feature provided by CQ. If User-A is impersonating User-B, that means User-A is acting "on behalf of" User-B and gets all of User-B's access rights.

When User-A accesses a resource by impersonating User-B, the access log shows the entry as User-B and not as User-A.

To assign the impersonation privilege, do the following:

  • Go to the User console.
  • Double-click on the user.
  • Go to the Impersonators tab.
  • Drag and drop the users that may impersonate the selected user.

Assign CQ Impersonation

  • Once impersonation is assigned, the users added as impersonators can act "on behalf of" the selected user.

After CQ Impersonation is Assigned