Trevor

Reputation: 13457

How can I restrict a user's access to just a single node of an AEM website?

I'd like to restrict a user's access to just a specific node within an AEM website. I want them to be able to manage a blog; they should be able to view the blog (of course), add/edit/delete entries/comments, upload photos, add/remove other collaborators, etc. However, I don't want them to have access to or even see anything else within AEM.

I have tried giving access to just the blog node under the content path (/content/geometrixx/en/blog), but when I try to log into AEM as this user and edit the blog (localhost:4502/cf#/content/geometrixx/en/blog.html), I get the following error:

No resource found
Cannot serve request to /cf in /libs/sling/servlet/errorhandler/404.jsp

I've tried giving write access to the /content/geometrixx/en/blog node and read access to everything else, and it seems to work, but of course, the user is able to see way too much. It would seem there is some particular node that a user must have read access to in order to edit content nodes, but I'm not sure what that is. Any ideas?

Upvotes: 0

Views: 4059

Answers (3)

Amreen khan

Reputation: 1

Can you try to give modify access instead of read access: /content/geometrixx/en/blog - allow read modify

As you need access to the single blog node and its jcr:content.

Upvotes: 0

Nono Junang

Reputation: 37

Most importantly, you really need to understand the different pieces of CQ functionality, where they reside (/libs, /apps, /etc, etc.) and what is required to have a page properly rendered.

Is it a requirement you have for both author and publisher? Reading https://jackrabbit.apache.org/api/2.2/org/apache/jackrabbit/core/security/authorization/GlobPattern.html can also help you set ACLs.

I suggest you create a custom group with deny jcr:all on /, and then set the ACL as described by Dex and test to see if it helps.

Upvotes: 0

Dex

Reputation: 398

I would go to /useradmin, choose the user, and in the Permissions tab I would allow access to the paths below and their child pages:

/content/geometrixx/en/blog - allow read modify create delete replicate 
/apps/geometrixx/ - allow read only
/etc/designs/geometrixx - allow read only
/libs - allow read only
/etc/clientlibs - allow read only (optional)
/etc/workflow - allow read only (optional)

This is roughly the solution I use in our setup. As you are aware, you need to give at least read-only access to the directories where the CQ components sit, as well as to the components of your own application, in this case geometrixx.

edit: Also useful to read: https://helpx.adobe.com/experience-manager/kb/CQ53ACLsMappingToCRX2.html

Upvotes: 0
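The ACL table from the answer above, scripted rather than clicked, as an added example that is not code from any of the answers or from Adobe: it posts the same entries to the cqactions servlet that the /useradmin Permissions tab itself uses, includes the "deny everything on / first" step from the previous answer, and then checks what the restricted account can actually reach. Assumed (not from the page): an author instance at http://localhost:4502 with admin:admin, a hypothetical group "blog-editors" and member "blogger:secret", /content/geometrixx/en/products as a sibling page the group must not see, and that sending all five checkboxes as false for / is equivalent to the deny on /.

```shell
#!/bin/sh
# Added example, not code from the answers above. Apply the blog ACL table to
# a group through AEM's cqactions servlet (the endpoint /useradmin posts to)
# and verify the result. Assumed values: local author at :4502, admin:admin,
# hypothetical group "blog-editors".
AEM="${AEM:-http://localhost:4502}"
ADMIN="${ADMIN:-admin:admin}"
GROUP="${GROUP:-blog-editors}"

# One cqactions changelog entry: the path followed by the five checkboxes
# shown in /useradmin (read, modify, create, delete, replicate), true/false each.
acl_entry() {
    printf 'path:%s,read:%s,modify:%s,create:%s,delete:%s,replicate:%s' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

read_only()   { acl_entry "$1" true  false false false false; }
full_rights() { acl_entry "$1" true  true  true  true  true; }
# Assumption: an unchecked box in /useradmin is stored as an explicit deny,
# so all-false on / stands in for "deny jcr:all on /" from the other answer.
deny_all()    { acl_entry "$1" false false false false false; }

# The blog subtree is the only place the group may write. Everything else is
# read-only because a page cannot render (and /cf cannot load) without the
# component code in /libs and /apps/geometrixx, the design and the client libs.
RO_PATHS="/apps/geometrixx /etc/designs/geometrixx /libs /etc/clientlibs /etc/workflow"

# POST one changelog entry for the group; cqactions stores it as an ACE.
apply_entry() {
    curl -s -o /dev/null -u "$ADMIN" \
        -F "authorizableId=$GROUP" -F "changelog=$1" "$AEM/.cqactions.html"
}

apply_all() {
    apply_entry "$(deny_all /)"
    apply_entry "$(full_rights /content/geometrixx/en/blog)"
    for p in $RO_PATHS; do apply_entry "$(read_only "$p")"; done
}

# Print the HTTP status a given user gets for a path. The blog page and the
# Classic UI content finder (/cf, the request that 404s in the question)
# should be 200; the sibling page should not be readable.
status_as() {
    curl -s -o /dev/null -w '%{http_code}' -u "$1" "$AEM$2"
}

# Only touch the instance when explicitly asked, e.g.
#   APPLY=1 BLOGGER=blogger:secret sh blog-acl.sh
if [ "${APPLY:-0}" = 1 ]; then
    apply_all
    for path in /content/geometrixx/en/blog.html /cf /content/geometrixx/en/products.html; do
        printf '%s -> %s\n' "$path" "$(status_as "${BLOGGER:-blogger:secret}" "$path")"
    done
fi
```

Run it once with APPLY=1 against a test instance, then compare the three status lines: if /cf is still 404 for the blogger account, the read entry on /libs did not take effect, which is the symptom described in the question.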
