Reputation: 27
I need to give a group permissions in AEM programmatically. Instead of ALL, I need to give only the [Replicate], [Edit] and [Create] permissions.
privileges = new Privilege[] {accCtrlMgr.privilegeFromName(Privilege.JCR_ALL)};
Instead of [Privilege.JCR_ALL] I want only [Replicate], [Edit] and [Create].
Upvotes: 0
Views: 2222
Reputation: 618
The JCR API package javax.jcr.security covers the authorization part, i.e. what a certain user is allowed to do with the repository, but not UserManagement, which is provided by Jackrabbit as an implementation-specific feature.
Below is the code sample for giving Resource-based ACLs to a specific node/path:
    public static void setAclPrivileges(String path, Session session) {
        try {
            AccessControlManager aMgr = session.getAccessControlManager();
            // create privilege set
            Privilege[] privileges = new Privilege[] {
                aMgr.privilegeFromName(Privilege.JCR_VERSION_MANAGEMENT),
                aMgr.privilegeFromName(Privilege.JCR_MODIFY_PROPERTIES),
                aMgr.privilegeFromName(Privilege.JCR_ADD_CHILD_NODES),
                aMgr.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT),
                aMgr.privilegeFromName(Privilege.JCR_NODE_TYPE_MANAGEMENT),
                aMgr.privilegeFromName(Replicator.REPLICATE_PRIVILEGE) };
            AccessControlList acl;
            try {
                // get first applicable policy (for nodes w/o a policy)
                acl = (AccessControlList) aMgr.getApplicablePolicies(path).nextAccessControlPolicy();
            } catch (NoSuchElementException e) {
                // else node already has a policy, get that one
                acl = (AccessControlList) aMgr.getPolicies(path)[0];
            }
            // remove all existing entries
            for (AccessControlEntry e : acl.getAccessControlEntries()) {
                acl.removeAccessControlEntry(e);
            }
            // add a new one for the special "everyone" principal
            acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privileges);
            // the policy must be re-set
            aMgr.setPolicy(path, acl);
            // and the session must be saved for the changes to be applied
            session.save();
        } catch (Exception e) {
            log.info("---> Not able to perform ACL Privileges..");
            log.info("---> Exception.." + e.getMessage());
        }
    }
Check Apache Jackrabbit AccessControl for more details.
Upvotes: 0
Reputation: 297
I hope this code is helpful.
    public static void setCreateEditReplicateAcl(final String aGroupPrincipal, String aPath, final UserManagementService aUserManagementService, final Session aSession) {
        try {
            UserManager userManager = aUserManagementService.getUserManager(aSession);
            AccessControlManager accessControlManager = aSession.getAccessControlManager();
            Authorizable group = userManager.getAuthorizable(aGroupPrincipal);
            Privilege[] privileges = {
                accessControlManager.privilegeFromName(Privilege.JCR_VERSION_MANAGEMENT),
                accessControlManager.privilegeFromName(Privilege.JCR_MODIFY_PROPERTIES),
                accessControlManager.privilegeFromName(Privilege.JCR_ADD_CHILD_NODES),
                accessControlManager.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT),
                accessControlManager.privilegeFromName(Privilege.JCR_NODE_TYPE_MANAGEMENT),
                accessControlManager.privilegeFromName(Replicator.REPLICATE_PRIVILEGE)
            };
            AccessControlList aclList;
            try {
                aclList = (AccessControlList) accessControlManager.getApplicablePolicies(aPath).nextAccessControlPolicy();
            } catch (NoSuchElementException e) {
                aclList = (AccessControlList) accessControlManager.getPolicies(aPath)[0];
            }
            aclList.addAccessControlEntry(group.getPrincipal(), privileges);
            accessControlManager.setPolicy(aPath, aclList);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
Upvotes: 1
Reputation: 297
If you are setting the ACL with the UI, it creates the following privileges:
jcr:versionManagement, jcr:modifyProperties, jcr:addChildNodes, crx:replicate, jcr:lockManagement, jcr:nodeTypeManagement
I think these are the privileges you need.
Upvotes: 0
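An added check, not code from any of the answers above: after setting the ACL, this lists any privilege still allowed to the group at that path beyond the six named in the answers, so a leftover jcr:all entry shows up. The class and method names (AclAudit, unexpectedGrants) are hypothetical, and it assumes an AEM repository where crx:replicate is registered.

```java
import java.util.Set;
import java.util.TreeSet;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;

public final class AclAudit { // hypothetical helper, not part of AEM
    // The privilege set named in the answers above.
    static final String[] EXPECTED = {
        "jcr:versionManagement", "jcr:modifyProperties", "jcr:addChildNodes",
        "crx:replicate", "jcr:lockManagement", "jcr:nodeTypeManagement" };

    /** Leaf privileges allowed to principalName in the ACL at path that EXPECTED does not cover. */
    public static Set<String> unexpectedGrants(Session session, String path, String principalName)
            throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        Set<String> expected = new TreeSet<>();
        for (String name : EXPECTED) {
            collect(acm.privilegeFromName(name), expected);
        }
        Set<String> granted = new TreeSet<>();
        for (AccessControlPolicy policy : acm.getPolicies(path)) {
            if (!(policy instanceof AccessControlList)) continue;
            for (AccessControlEntry ace : ((AccessControlList) policy).getAccessControlEntries()) {
                // Plain JCR entries are always "allow"; Jackrabbit entries may be "deny".
                boolean allow = !(ace instanceof JackrabbitAccessControlEntry)
                        || ((JackrabbitAccessControlEntry) ace).isAllow();
                if (allow && ace.getPrincipal().getName().equals(principalName)) {
                    for (Privilege p : ace.getPrivileges()) collect(p, granted);
                }
            }
        }
        granted.removeAll(expected);
        return granted; // empty when nothing beyond EXPECTED is allowed
    }

    // Expand aggregates such as jcr:all into leaf privileges so both sides compare equally.
    private static void collect(Privilege p, Set<String> out) {
        if (p.isAggregate()) {
            for (Privilege inner : p.getAggregatePrivileges()) collect(inner, out);
        } else {
            out.add(p.getName());
        }
    }
}
```

It inspects only the policy bound to that path and ignores entry restrictions, so it does not report privileges inherited from ancestor nodes or granted through other group memberships.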