March 17, 2020

Configure User, Group and CQ Permission

Configure User And Group
In this section, we will cover how to create users and groups, how to assign membership, and how to change profile information, including the password.

Create User And Group:
CQ provides a console to create users and groups.
§ Log in to CQ as admin or as any user with admin rights (we will cover how to change permissions later). To do this, go to <HOST>:<PORT>/libs/cq/core/content/login.html
§ Once logged in, you will see the welcome screen; from there, click on the Users tab


§ Click on Edit -> Create -> Create Users or Create Group to create a user or group.


Assign Membership:
§ Once you create a group, you can double click on the group and go to the Member tab
§ Then you can drag and drop a user or group from the left onto the Member tab
§ After assigning members, hit "Save"


Change Profile Information:
§ To change profile information, double click on the user or group, then go to the Properties tab.
§ You can also change user preferences by going to the Preference tab
§ Click on Save after making changes


Change User Password:
§ To change the user password, double click on the user
§ Click on Set Password
§ Change the password and click on Set Password
 

Summary Of Security Console


Configure CQ Permission
In this section, we will cover how to configure CQ user / group permissions and privileges.

In CQ, a user or group can have different permissions (Allow or Deny) to perform different actions (Read, Write, Create, Modify, Read or Write ACL). In addition, a user or group can have the privilege to perform an action such as replication or impersonation.

CQ uses ACL evaluation to decide whether the user should have access to a particular resource.

There are some best practices to follow when assigning users, groups and permissions (Source)

Best Practice:
Also, you should know what the different actions and symbols mean when assigning permissions (Source)

Action | Description
Allow (Checkmark) | AEM WCM allows the user to perform the action on this page or on any child pages.
Deny (No checkmark) | AEM WCM does not allow the user to perform the action on this page nor on any child pages.
* (asterisk) | There is at least one local entry (either effective or ineffective). These wildcard ACLs are defined in CRX.
! (exclamation mark) | There is at least one entry that currently has no effect.

Assign permission:
To assign permissions, double click on the user / group (group recommended)
Click on the Permission tab
Navigate to the path you want the group/user to have access to

Select the permissions and click on Save




§ Note that in order to have access to a child resource, the group must have access to the parent resource first


§ You have to explicitly deny permission for resources you don't want the user/group to access

Assign Replication Privilege:
Replication is the process of making authored content available on the publish instance.
We will cover how to configure replication in the next lesson.

Sometimes you want authors to create content but restrict them from making that content
live on publish. You can do this by assigning replication privileges to users or groups.

§ Go to the User console
§ Double click on the user or group
§ Click on the Replication privilege for the path.
§ Note that for a user to have the replication privilege, they must have read and write access
to /etc/replication, /bin, /temp, /var/eventing and read access to /apps and /libs
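
A way to audit the prerequisites listed above before granting the replication privilege, as an added example that is not part of the original post and is not AEM code. It uses a simplified single-group model (the nearest entry on a path or its ancestors decides, and no entry means no access); the Entry type, the action names and the sample entries are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    path: str    # repository path the entry is set on
    action: str  # "read" or "write" (hypothetical action names)
    allow: bool  # True = Allow (checkmark), False = Deny

# Access the page lists as required for the replication privilege.
REPLICATION_PREREQS = {
    "/etc/replication": {"read", "write"},
    "/bin": {"read", "write"},
    "/temp": {"read", "write"},
    "/var/eventing": {"read", "write"},
    "/apps": {"read"},
    "/libs": {"read"},
}

def effective(entries, path, action):
    """Simplified model: the entry closest to `path` (on it or an ancestor) decides."""
    best = None
    for e in entries:
        if e.action != action:
            continue
        prefix = e.path.rstrip("/") + "/"
        covers = (path + "/").startswith(prefix)
        if covers and (best is None or len(e.path) > len(best.path)):
            best = e
    return best is not None and best.allow

def missing_replication_prereqs(entries):
    """Return the sorted (path, action) pairs the group still lacks."""
    return sorted(
        (path, action)
        for path, actions in REPLICATION_PREREQS.items()
        for action in actions
        if not effective(entries, path, action)
    )

# Constructed sample: entries for a hypothetical "content-authors" group.
SAMPLE = [
    Entry("/", "read", True),
    Entry("/etc/replication", "write", True),
    Entry("/bin", "write", True),
    Entry("/var", "write", True),       # inherited by /var/eventing
    Entry("/libs", "read", False),      # explicit deny overrides inherited read
]

if __name__ == "__main__":
    for path, action in missing_replication_prereqs(SAMPLE):
        print(f"missing {action} on {path}")
```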

User Impersonation:
The last topic we will cover in user permissions is user impersonation. Sometimes you want to impersonate
a different user to see how the site looks to them. For this you can use the impersonation feature
provided by CQ. If User-A is impersonating User-B, that means User-A is acting "on behalf of"
User-B by getting all its access rights.

When User-A accesses a resource by impersonating User-B, the access log shows the entry
as User-B and not as User-A.

To assign the impersonation privilege, do the following:
§ Go to the User console
§ Double click on the user
§ Go to the Impersonators tab
§ Drag and drop the users that can impersonate the selected user

Once impersonation is assigned, the impersonating user can act "on behalf of" the selected user.


By aem4beginner
