May 15, 2020

The Access Control Tool for AEM/CQ

One thing that geeks do is devise ingenious solutions to ease the pain of performing repetitive tasks. We might spend some time to design and implement a software tool to automate tedious, routine tasks, but we always think it will save time in the long run. We just know it will, right?

Alright, sometimes we might go a bit overboard, but the tool we are introducing here does save a lot of time in the long run, as anyone who has tried to manually manage a complex system of permissions in Adobe Experience Manager (AEM) will attest. Large companies will often use AEM to drive multiple websites, each one devoted to a different market segment, in multiple languages and local variants, for desktop and mobile. They will almost always have corporate policies that define very specific roles (consumer, editor, publisher, administrator, etc.) and mandate in minute detail who can do what and where. Implement all of this and you easily end up with hundreds, if not thousands, of access control lists (ACLs).

Implementing all of this using the point-and-click interface of the AEM User Administration tool is laborious and error-prone and just calls for a simpler, automated solution. Based on our experience with several customers, we have designed and created just such a solution, in the form of the Access Control Tool.

The Access Control Tool, or ACTool for short, is a little piece of software that can be installed as an OSGi bundle onto an existing AEM installation and makes it possible to write ACLs in a set of text files and have the system read and activate them on demand. 

So why should you revert to a text editor, when easier UI options may be available?
I can already hear the objection: How can using a text editor instead of a point-and-click interface save me time? After all, I still have to write down a long list of access control entries.

Well, for starters, you can, and should, maintain the configuration of a website, including its permissions, in a configuration revision system. Whether you use Git, Subversion, or Perforce, having a centrally stored and managed configuration is certainly a must.

For another, the ACTool provides one nifty feature that can greatly reduce the size of a typical ACL configuration: "for" loops. With "for" loops, you can write a template entry with variable parameters and have it repeated as you iterate over all the possible values for those parameters. For added awesomeness, the "for" loop can also be nested.

For the sake of an example, let's say you need to set up a site with three language versions (think of a Swiss government agency site that must support the German, French, and Italian languages) and maybe intranet and extranet sub-sites. For each combination of language and subsite, you need two roles: editor and publisher, just to keep things simple. This adds up to twelve roles and at least as many ACEs. Using nested loops, you can just write the following ACE definition snippet:

    - FOR lang IN [ de, fr, it ]:
        - FOR site IN [ intranet, extranet ]:
            - content-${lang}-${site}-editor:
                - path: /content/agency/${lang}/${site}
                  permission: allow
                  actions: read, acl_read, modify, create
            - content-${lang}-${site}-publisher:
                - path: /content/agency/${lang}/${site}
                  permission: allow
                  actions: read, replicate
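
Before a looped template like the one above is activated, it helps to see the concrete ACEs it unrolls to and check them against the intended role boundaries. The following is an added example, not code from the ACTool project: a small Python expander for the nested "for" loops, where the `TEMPLATE` structure (the snippet as a YAML loader would return it), the helper names, and the `MAX_ACTIONS` review policy are all assumptions made for illustration.

```python
import re

# Constructed input: the page's snippet as a YAML loader would return it
# (lists of single-key mappings). Hand-built so the example runs offline.
def role(name, actions):
    return {"content-${lang}-${site}-" + name: [{
        "path": "/content/agency/${lang}/${site}",
        "permission": "allow", "actions": actions}]}

TEMPLATE = [{"FOR lang IN [ de, fr, it ]": [
    {"FOR site IN [ intranet, extranet ]": [
        role("editor", "read, acl_read, modify, create"),
        role("publisher", "read, replicate")]}]}]

FOR_RE = re.compile(r"FOR\s+(\w+)\s+IN\s+\[(.*)\]")
VAR_RE = re.compile(r"\$\{(\w+)\}")

def subst(text, env):
    """Replace ${name} with its loop value; an unbound name raises KeyError."""
    return VAR_RE.sub(lambda m: env[m.group(1)], text)

def expand(entries, env=None):
    """Yield (group, ace) pairs with every FOR loop unrolled."""
    env = env or {}
    for entry in entries:
        for key, body in entry.items():
            loop = FOR_RE.fullmatch(key.strip())
            if loop:
                for value in loop.group(2).split(","):
                    yield from expand(body, {**env, loop.group(1): value.strip()})
            else:
                for ace in body:
                    yield subst(key, env), {k: subst(v, env) for k, v in ace.items()}

# Assumed review policy (not from the page): the most each role may hold.
MAX_ACTIONS = {"editor": {"read", "acl_read", "modify", "create"},
               "publisher": {"read", "replicate"}}

def violations(pairs):
    """Return (group, extra_actions) for allow ACEs exceeding the role's ceiling."""
    found = []
    for group, ace in pairs:
        granted = {a.strip() for a in ace["actions"].split(",")}
        extra = granted - MAX_ACTIONS[group.rsplit("-", 1)[-1]]
        if ace["permission"] == "allow" and extra:
            found.append((group, sorted(extra)))
    return found

if __name__ == "__main__":
    for group, ace in expand(TEMPLATE):
        print(group, ace["path"], ace["actions"])
    print("violations:", violations(expand(TEMPLATE)))
```

Running the same check in a pre-merge job on the versioned ACL files catches a template edit that silently widens every generated role at once.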

This is cool, but the best thing about the ACTool is that we made it Open Source. That's right, you can download the source code, build it, use it, and possibly modify it. The official repository is on GitHub, where you will also be able to find the documentation.


By aem4beginner
