- Permissions – These define which paths in AEM a user can navigate to and how they can interact with a resource, for example restricting access to the /apps folder to users who are part of the development process. AEM uses an ACL, or access control list, to decide which actions a user may perform.
- AEM Actions – The actions that can be performed on a resource (usually a page) in AEM, such as reading, editing, and deleting.
- Privileges – The individual rights that allow or deny a user access to parts of a site's functionality, e.g. replicating resources from within the site. Privileges are granted to principals, each of which represents either a specific user or a group. When a user's own privileges contradict those of their groups, the user's privileges apply.
- Resources – The content a user is trying to act on also carries its own authorizations that define which types of action may be performed on it.
ACL/More about permissions
AEM uses an access control list that consists of a list of actions a user can perform on resources within the system. These actions include creating a new page under a given path, modifying components on an existing page, and replicating content between instances. Permissions are typically applied to an entire group but can also be set on a specific user. They can also be applied to a specific page, in which case they are inherited by all of its child pages. Each entry in the list is set the same way, by either allowing or denying the permission. Depending on the permissions associated with a user, the following seven actions can be performed on the resources they have access to:
- Read – Allows the user to read a page and all of the child pages underneath it.
- Modify – Allows the user to create a new paragraph or modify the existing content on a page and its child pages.
- Create – Allows the user to create a page and child pages. If the Modify permission has not been granted, content underneath the jcr:content node cannot be changed, so the user can create pages but not edit what is on them.
- Delete – Allows the user to delete pages, child pages, and any existing paragraphs on a page.
- Read ACL – Allows the user to read the access control list of a page and any child pages.
- Edit ACL – Allows the user to modify the access control list of a page and any child pages. This is the most sensitive of the seven, since whoever holds it can grant themselves or others any of the rest.
- Replicate – Allows the user to replicate pages, child pages, and content from one environment to another, typically from an author instance to a publish instance.
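The seven actions above are a convenience layer in the AEM permissions UI; underneath, each one is a set of JCR privileges stored in an access control entry on the page node, and child pages inherit it. The following Java class is an added example, not code from the original post or from Adobe: it maps the seven actions to the JCR privilege names Adobe documents for them (crx:replicate is the one AEM-specific privilege), sets allow or deny entries with the Jackrabbit `AccessControlUtils` helper, and checks what a given user can effectively do once group membership is resolved. The repository path /content/we-retail, the group content-authors and the user jdoe are assumed names for illustration, and the `Session` is assumed to be an administrative JCR session obtained from the Sling repository.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

/**
 * Sets and verifies the seven AEM page actions as JCR access control entries.
 * Added example; path, group and user names are hypothetical.
 */
public final class PagePermissions {

    /** The seven UI actions and the JCR privileges Adobe documents for each. */
    static final Map<String, String[]> ACTIONS = new LinkedHashMap<>();
    static {
        ACTIONS.put("read",      new String[] {Privilege.JCR_READ});
        ACTIONS.put("modify",    new String[] {Privilege.JCR_MODIFY_PROPERTIES,
                                               Privilege.JCR_LOCK_MANAGEMENT,
                                               Privilege.JCR_VERSION_MANAGEMENT});
        ACTIONS.put("create",    new String[] {Privilege.JCR_ADD_CHILD_NODES,
                                               Privilege.JCR_NODE_TYPE_MANAGEMENT});
        ACTIONS.put("delete",    new String[] {Privilege.JCR_REMOVE_CHILD_NODES,
                                               Privilege.JCR_REMOVE_NODE});
        ACTIONS.put("readACL",   new String[] {Privilege.JCR_READ_ACCESS_CONTROL});
        ACTIONS.put("editACL",   new String[] {Privilege.JCR_MODIFY_ACCESS_CONTROL});
        ACTIONS.put("replicate", new String[] {"crx:replicate"}); // AEM-specific privilege
    }

    private PagePermissions() {}

    /** Adds an allow or deny entry for one action on a path; child pages inherit it. */
    static void setAction(Session session, String path, String principalName,
                          String action, boolean allow) throws RepositoryException {
        Principal principal = ((JackrabbitSession) session)
                .getPrincipalManager().getPrincipal(principalName);
        if (principal == null) {
            throw new IllegalArgumentException("unknown principal: " + principalName);
        }
        String[] privileges = ACTIONS.get(action);
        if (privileges == null) {
            throw new IllegalArgumentException("unknown action: " + action);
        }
        // Writes the entry into the policy on 'path'; the caller must still session.save().
        AccessControlUtils.addAccessControlEntry(session, path, principal, privileges, allow);
    }

    /**
     * Reports whether a user effectively holds an action on a path, taking the
     * user's own principal plus every group it is a member of into account.
     */
    static boolean userHasAction(Session adminSession, String userId, String path,
                                 String action) throws RepositoryException {
        JackrabbitSession js = (JackrabbitSession) adminSession;
        Authorizable user = js.getUserManager().getAuthorizable(userId);
        if (user == null || user.isGroup()) {
            throw new IllegalArgumentException("no such user: " + userId);
        }
        Set<Principal> principals = new HashSet<>();
        principals.add(user.getPrincipal());
        Iterator<Group> groups = user.memberOf(); // transitive membership
        while (groups.hasNext()) {
            principals.add(groups.next().getPrincipal());
        }
        JackrabbitAccessControlManager acm =
                (JackrabbitAccessControlManager) adminSession.getAccessControlManager();
        Privilege[] privileges = AccessControlUtils.privilegesFromNames(adminSession, ACTIONS.get(action));
        return acm.hasPrivileges(path, principals, privileges);
    }

    /** Worked scenario: group rights with a user-level override, then verification. */
    static void configureSite(Session adminSession) throws RepositoryException {
        String site = "/content/we-retail";               // hypothetical site root
        // Authors may read, edit and create pages anywhere under the site ...
        setAction(adminSession, site, "content-authors", "read", true);
        setAction(adminSession, site, "content-authors", "modify", true);
        setAction(adminSession, site, "content-authors", "create", true);
        // ... but are denied delete and replicate, so content cannot be removed or published by mistake.
        setAction(adminSession, site, "content-authors", "delete", false);
        setAction(adminSession, site, "content-authors", "replicate", false);
        // A user-level entry overrides the group deny for one trusted author only.
        setAction(adminSession, site, "jdoe", "delete", true);
        adminSession.save();

        // Verify the effective result for jdoe (a member of content-authors) on a child page.
        String page = site + "/us/en";
        boolean canEdit   = userHasAction(adminSession, "jdoe", page, "modify");    // true via group
        boolean canDelete = userHasAction(adminSession, "jdoe", page, "delete");    // true via user entry
        boolean canPublish = userHasAction(adminSession, "jdoe", page, "replicate"); // false, group deny stands
        System.out.printf("jdoe on %s: modify=%b delete=%b replicate=%b%n",
                page, canEdit, canDelete, canPublish);
    }
}
```

Two points from the scenario are worth checking on a real instance. First, the entries are set on the site root and verified on a child page, which is the inheritance the post describes. Second, the verification runs through the user's resolved principal set rather than the admin session's own rights, so it reflects what jdoe would actually get; checking with `session.getAccessControlManager().hasPrivileges(path, privs)` on the admin session would always return true and prove nothing.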
LDAP Support
There are other ways of handling user account management besides storing all of the account data in AEM. For a more centralized account service, an LDAP (Lightweight Directory Access Protocol) directory can be configured so that administrators no longer have to enter basic user information by hand; it is pulled from the directory instead. To connect AEM to the directory, the LDAP server is synchronized with CRX so that the LDAP user accounts are mirrored into the CRX repository. Once the accounts have been synchronized, an AEM user administrator only has to assign permissions to the users and groups as needed.
This practice also benefits other systems that share the same directory: each system's user administrators can focus on the settings specific to that software instead of the general information every account needs.
While there are different methods of managing users in AEM, the concept of defining roles with permissions is the same. It not only helps secure different parts of the system but also reduces mistakes: restrictions can, for example, prevent a newer user from modifying or deleting important content. There are different schools of thought about how users should be managed, and AEM's administration is flexible enough to allow for varying implementations depending on the situation.