Authorization for CQ
This section covers the concepts behind CQ authorization and the users and groups available out of the box (OOTB).
Users:
Each user account in CQ is unique and holds basic information to authenticate against the repository.
Groups:
Groups are a collection of users. Groups are used to simplify permission management for a set of users.
Default users and groups in CQ (Source):
User ID | Type | Description | Recommendation |
admin (default password: admin) | User | System administration account and member of the administrators group, with full access rights. This account is used for the connection between CQ WCM and CRX. As such, its configuration cannot be edited, with the exception of the password. | Adobe strongly recommends that the password for this user account be changed from the default, preferably upon installation, though it can be done afterwards. Other attributes cannot be configured as this account is integral to CQ5. Note: This account is not to be confused with the admin account of the Communiqué Servlet Engine. |
anonymous (default password: none) | User | Holds the default rights for unauthenticated access to an instance. By default this holds the minimum access rights. | Modifying this account has additional security implications. If you have to edit this account, make a backup copy first. If you accidentally delete this account, it will be re-created upon startup. It cannot be permanently deleted. |
author (default password: author) | User | An author account allowed to write to /content. Encompasses contributor and surfer privileges. Can be used as a webmaster as it has access to the entire /content tree. | Adobe recommends that either the account is deleted completely, or the password changed from the default, preferably upon installation, though it can be done afterwards. |
administrators | Group | Group that gives administrator rights to all its members. Only admin is allowed to edit this group. Has full access rights. | |
contributor | Group | Basic privileges which allow the user to write content (as in functionality only). Does not allocate any privileges to the /content tree - these must be specifically allocated for the individual groups or users. | |
everyone | Group | Every user in CQ WCM is a member of the group everyone, even though you may not see the group or the membership relation in all tools. This group can be thought of as the default rights as it can be used to apply permissions for everyone, even users that will be created in the future. | Do not modify or delete this group. Modifying this account has additional security implications. |
tag-administrators | Group | Group that is allowed to edit tags. | |
user-administrators | Group | Authorizes user administration, that is, the right to create users and groups. | |
workflow-editors | Group | Group that is allowed to create and modify workflow models. | |
workflow-users | Group | A user participating in a workflow must be a member of the group workflow-users. This gives him or her full access to: /etc/workflow/ instances so that he or she can update the workflow instance. The group is included in the standard installation, but you must manually add your users to the group. |
Action | Description |
Read | The user is allowed to read the page and any child pages. |
Modify | The user can: modify existing content on the page and on any child pages; create new paragraphs on the page or on any child page. At the JCR level, users can modify a resource by modifying its properties, locking, versioning, nt-modifications, and they have complete write permission on nodes defining a jcr:content child node, for example cq:Page, nt:file, cq:Asset. |
Create | The user can: create a new page or child page. If modify is denied, the subtrees below jcr:content are specifically excluded because the creation of jcr:content and its child nodes is considered a page modification. This only applies to nodes defining a jcr:content child node. |
Delete | The user can: delete existing paragraphs from the page or any child page; delete a page or child page. If modify is denied, any subtrees below jcr:content are specifically excluded, as removing jcr:content and its child nodes is considered a page modification. This only applies to nodes defining a jcr:content child node. |
Read ACL | The user can read the access control list of the page or child pages. |
Edit ACL | The user can modify the access control list of the page or any child pages. |
Replicate | The user can replicate content to another environment (for example, the Publish environment). The privilege is also applied to any child pages. |
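The Create and Delete rows depend on whether Modify is also granted, which is easy to misjudge when designing least-privilege groups. The Python sketch below is an added example, not code from the original page or from Adobe, and it models those rules at node level. The paths, the `is_allowed` and `audit` helpers, and the reading that Modify alone covers adding and removing nodes below jcr:content are assumptions.

```python
# Added illustration (not Adobe code): a node-level model of the Create /
# Delete / Modify rules from the table above. All paths are constructed.

PAGE_ACTIONS = {"read", "modify", "create", "delete",
                "read_acl", "edit_acl", "replicate"}


def below_jcr_content(path: str) -> bool:
    """True if the node is a jcr:content node or sits anywhere beneath one."""
    return "jcr:content" in path.strip("/").split("/")


def is_allowed(operation: str, path: str, granted: set) -> bool:
    """Decide whether `operation` on the node at `path` is permitted.

    `granted` is the set of CQ actions allowed for the user on the enclosing
    page tree; an action missing from the set is treated as denied.
    """
    unknown = ({operation} | set(granted)) - PAGE_ACTIONS
    if unknown:
        raise ValueError(f"unknown action(s): {sorted(unknown)}")
    if operation in ("create", "delete") and below_jcr_content(path):
        # Adding or removing jcr:content and its children counts as a page
        # modification, so Modify decides here, not Create/Delete.
        return "modify" in granted
    return operation in granted


def audit(granted: set, requests: list) -> list:
    """Return the (operation, path) requests that the grants would refuse."""
    return [(op, p) for op, p in requests if not is_allowed(op, p, granted)]


# Constructed sample: operations an editor performs on a constructed site tree.
EDITOR_REQUESTS = [
    ("create", "/content/site/en/news"),                       # new page node
    ("create", "/content/site/en/news/jcr:content"),           # its content node
    ("create", "/content/site/en/news/jcr:content/par/text"),  # a paragraph
    ("delete", "/content/site/en/old/jcr:content/par/image"),  # a paragraph
    ("delete", "/content/site/en/old"),                        # a whole page
]

if __name__ == "__main__":
    for grants in ({"read", "create", "delete"}, {"read", "modify"},
                   {"read", "modify", "create", "delete"}):
        print(sorted(grants), "->", audit(grants, EDITOR_REQUESTS))
```

In this model, Create without Modify permits the page node but refuses its jcr:content, so a group meant to author pages needs both actions.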