User Administration and Security user-administration-and-security
This chapter describes how to configure and maintain user authorization and also describes the theory behind how authentication and authorization work in AEM.
Users and Groups in AEM users-and-groups-in-aem
This section deals with the various entities and related concepts in more detail to help you configure an easy to maintain user management concept.
Users users
Users log on to AEM with their account. Each user account is unique and holds the basic account details, together with the privileges assigned.
Users are often members of Groups, which simplify the allocation of these permissions and/or privileges.
Groups groups
Groups are collections of users, or other groups, or both. These collections are all called Members of a group.
Their primary purpose is to simplify the maintenance process by reducing the number of entities to be updated, as a change made to a group is applied to all members of the group. Groups often reflect:
- a role within the application; such as someone who is allowed to surf the content, or someone who is allowed to contribute content.
- your own organization; you may want to extend the roles to differentiate between contributors from different departments when they are restricted to different branches in the content tree.
Therefore groups tend to remain stable, whereas users come and go more frequently.
With planning and a clean structure, the use of groups can reflect your structure, giving you a clear overview and an efficient mechanism for updates.
Built-in Users and Groups built-in-users-and-groups
AEM WCM installs several users and groups. These collections are seen when you first access the Security Console after installation.
The following tables list each item together with:
- a short description
- any recommendations about necessary changes
Change all default passwords (if you do not delete the account itself in certain circumstances).
Permissions in AEM permissions-in-aem
AEM uses ACLs to determine what actions a user or group and can take and where it can perform those actions.
Permissions and ACLs permissions-and-acls
Permissions define who can perform which actions on a resource. The permissions are the result of access control evaluations.
You can change the permissions granted/denied to a given user by selecting or clearing the checkboxes for the individual AEM actions. A check mark indicates that an action is allowed. No checkmark indicates that an action is denied.
Where the checkmark is in the grid also indicates what permissions users have in what locations within AEM (that is, which paths).
Actions actions
Actions can be performed on a page (resource). For each page in the hierarchy, you can specify which action the user is allowed to take on that page. Permissions enable you to allow or deny an action.
Access Control Lists and how they are evaluated access-control-lists-and-how-they-are-evaluated
AEM WCM uses Access Control Lists (ACLs) to organize the permissions being applied to the various pages.
Access Control Lists are made up of the individual permissions and are used to determine the order in which these permissions are applied. The list is formed according to the hierarchy of the pages under consideration. This list is then scanned bottom-up until the first appropriate permission to apply to a page is found.
/etc/cloudservices
/home/users/we-retail
*/social/relationships/friend/*
- or
*/social/relationships/pending-following/*
.
/content/we-retail/us/en/community
Permission States permission-states
The permissions are also applied to any child pages.
If a permission is not inherited from the parent node but has at least one local entry for it, then the following symbols are appended to the check box. A local entry is one that is created in the CRX 2.2 interface (Wildcard ACLs currently can only be created in CRX.)
For an action at a given path:
When you hover over the asterisk or exclamation mark, a tooltip provides more details about the declared entries. The tooltip is split into two parts:
The following are recommendations about managing access control lists:
-
Do not assign permissions directly to users. Assign them only to groups.
Doing so simplifies the maintenance, as the number of groups is much smaller than the number of users, and also less volatile.
-
If you want a group/user to be able only to modify pages, do not grant them create or deny rights. Only grant them modify and read rights.
-
Use Deny sparingly. As far as possible use only Allow.
Using deny can cause unexpected effects if the permissions are applied in a different order than the order expected. If a user is a member of more than one group, the Deny statements from one group may cancel the Allow statement from another group or the opposite way. It is hard to keep an overview when such a thing happens and can easily lead to unforeseen results, whereas Allow assignments do not cause such conflicts.
Adobe recommends that you work with Allow rather than Deny see Best Practices.
Before modifying either permission, be sure you understand how they work and inter-relate. See the CRX documentation that illustrates how AEM WCM evaluates access rights, and examples on setting up access control lists.
Permissions permissions
Permissions give users and groups access to AEM functionality on AEM pages.
You browse permissions by path by expanding/collapsing the nodes and you can track the permission inheritance up to the root node.
You allow or deny permissions by selecting or clearing the appropriate check boxes.
Viewing Detailed Permission Information viewing-detailed-permission-information
Along with the grid view, AEM provides a detailed view of permissions for a selected user/group at a given path. The detail view provides additional information.
In addition to viewing information, you can also include or exclude the current user or group from a group. See Adding Users or Groups while Adding Permissions. Changes made here are immediately reflected in the upper portion of the detailed view.
To access the Detail view, in the Permissions tab, click Details for any selected group/user and path.
Details are split into two parts:
Impersonating another User impersonating-another-user
With the Impersonate functionality, a user can work on behalf of another user.
That is, a user account can specify other accounts that can operate with their account. For example, if user-B is allowed to impersonate user-A, then user-B can act using the full account details of user-A.
This functionality lets impersonator accounts complete tasks as if they were using the account they are impersonating. For example, during an absence or to share an excessive load short term.
/home/users
path.Best Practices best-practices
The following describes best practices when working with permissions and privileges:
Avoid assigning access rights on a user-by-user basis. There are several reasons for this advice:
- You have many more users than groups, so groups simplify the structure.
- Groups help provide an overview over all accounts.
- Inheritance is simpler with groups.
- Users come and go. Groups are long term.
Managing Users and Groups managing-users-and-groups
Users include people using the system and foreign systems making requests to the system.
A group is a set of users.
Both can be configured using the User Administration functionality within the Security Console.
Accessing User Administration with the Security Console accessing-user-administration-with-the-security-console
You access all users, groups, and associated permissions using the Security console. All the procedures described in this section are performed in this window.
To access AEM WCM security, do one of the following:
- From the Welcome screen or various locations in AEM, click the security icon:
- Navigate directly to
https://<server>:<port>/useradmin
. Be sure you log into AEM as an administrator.
The following window displays:
The left tree lists all the users and groups currently in the system. You can select the columns you want displayed, sort the contents of the columns, and even change the order in which the columns are displayed by dragging the column-header to a new position.
The tabs provide access to various configurations:
You can allocate permissions to a user or group. Lets you control the following:
- Permissions related to particular pages/nodes. See Setting Permissions.
- Permissions related to creating and deleting pages and hierarchy modification. ??? lets you allocate privileges, such as hierarchy modification, which lets you create and delete pages,
- Permissions related to replication privileges (usually from author to publish) according to a path.
Filtering Users and Groups filtering-users-and-groups
You can filter the list by entering a filter expression, which hides all the users and groups that do not match the expression. You can also hide users and groups by using the Hide User and Hide Group buttons.
To filter users or groups:
-
In the left tree list, type your filter expression in the space provided. For example, entering admin displays all users and groups containing this string.
-
Click the magnifying glass to filter the list.
-
Click the x when you want to remove all filters.
Hiding Users and Groups hiding-users-and-groups
Hiding users or groups is another way to filter the list of all users and groups in a system. There are two toggle mechanisms. Clicking Hide User hides all users from view and clicking Hide Groups hides all groups from view (you cannot hide both users and groups at the same time). To filter the list by using a filter expression, see Filtering users and groups.
To hide users and groups:
-
In the Security console, click Hide Users or Hide Groups. The selected button appears highlighted.
-
To make either users or groups reappear, click the corresponding button again.
Creating Users and Groups creating-users-and-groups
To create a user or group:
-
In the Security console tree list, click Edit and then either Create User or Create Group.
-
Enter the required details, according to whether you are creating a user or a group.
- If you select Create User, you enter the Login ID, first and last name, e-mail address and a password. By default, AEM creates a path based on the first letter of the last name, but you can select another path.
- If you select Create Group, you enter a group ID and an optional description.
-
Click Create. The user or group you created appears in the tree list.
Deleting Users and Groups deleting-users-and-groups
To delete a user or group:
- In the Security console, select the user or group you want to delete. If you want to delete multiple items, Shift+click or Control+click to select them.
- Click Edit, then select Delete. AEM WCM asks whether you want to delete the user or group.
- Click OK to confirm or Cancel.
Modifying User and Group Properties modifying-user-and-group-properties
To modify user and group properties:
-
In the Security console, double-click the user or group name you want to modify.
-
Click the Properties tab, make the required changes, and click Save.
Changing a User Password changing-a-user-password
Use the following procedure to modify a user’s password.
-
In the Security console, double-click the user name you want to change the password for.
-
Click the Properties tab (if not already active).
-
Click Set Password. The Set Password window opens where you can change your password.
-
Enter the new password twice; as they are not displayed in clear text, this action is for confirmation - if they do not match, the system shows an error.
-
Click Set to activate the new password for the account.
Adding Users or Groups to a Group adding-users-or-groups-to-a-group
AEM offers three different ways to add users or groups to an existing group:
- When you are in the group, you can add members (either users or groups).
- When you are in the member, you can add members to groups.
- When you are working on Permissions, you can add members to groups.
Groups - Adding Users or Groups to a Group groups-adding-users-or-groups-to-a-group
The Groups tab shows you which groups the current account belongs to. You can use it to add the selected account to a group:
-
Double-click the name of the account (user or group) that you want to assign to a group.
-
Click the Groups tab. You see a list of groups that the account already belongs to.
-
In the tree list, click the name of the group you want to add to the account to and drag it to the Groups pane. (If you want to add multiple users, Shift+click or Control+click those names and drag them.)
-
Click Save to save your changes.
Members - Adding Users or Groups to a Group members-adding-users-or-groups-to-a-group
The Members tab only works for groups and shows you which users and groups belong to the current group. You can use it to add accounts to a group:
-
Double-click the name of the group to which you want to add members.
-
Click the Members tab. You see a list of members that already belong to this group.
-
In the tree list, click the name of the member you want to add to the group and drag it to the Members pane. (If you want to add multiple users, Shift+click or Control+click those names and drag them.)
-
Click Save to save your changes.
Adding Users or Groups while Adding Permissions adding-users-or-groups-while-adding-permissions
To add members to a group at in a certain path:
-
Double-click the name of the group or user that you want to add users to.
-
Click the Permissions tab.
-
Navigate to the path that you want to add permissions to and click Details. The lower part of the details window provides information about who has permissions for that page.
-
Select the check box in the Member column for the members that you want to have permissions to that path. Clear the check box for the member that you want to remove permissions for. A red triangle appears in the cell that you changed.
-
Click OK to save your changes.
Removing Users or Groups from Groups removing-users-or-groups-from-groups
AEM offers three different ways to remove users or groups from a group:
- When you are in the group profile, you can remove members (either users or groups).
- When you are in the member profile, you can remove members from groups.
- When you are working on Permissions, you can remove members from groups.
Groups - Removing Users or Groups from Groups groups-removing-users-or-groups-from-groups
To remove a user or group account from a group:
-
Double-click the name of the group or user account that you want to remove from a group.
-
Click the Groups tab. You see what groups the selected account belongs to.
-
In the Groups pane, click the name of the user or group you want to remove from the group and click Remove. (If you want to remove multiple accounts, Shift+click or Control+click those names and click Remove.)
-
Click Save to save your changes.
Members - Removing Users or Groups from Groups members-removing-users-or-groups-from-groups
To remove accounts from a group:
-
Double-click the name of the group that you want to remove members from.
-
Click the Members tab. You see a list of members that already belong to this group.
-
In the Members pane, click the name of the member you want to remove from the group and click Remove. (If you want to remove multiple users, Shift+click or Control+click those names and click Remove.)
-
Click Save to save your changes.
Removing Users or Groups while Adding Permissions removing-users-or-groups-while-adding-permissions
To remove members from a group at a certain path:
-
Double-click the name of the group or user that you want to remove users from.
-
Click the Permissions tab.
-
Navigate to the path that you want to remove permissions to and click Details. The lower part of the details window provides information about who has permissions for that page.
-
Select the check box in the Member column for the members that you want to have permissions to that path. Clear the check box for the member that you want to remove permissions for. A red triangle appears in the cell that you changed.
-
Click OK to save your changes.
User Synchronization user-synchronization
When the deployment is a publish farm, users and groups must be synchronized among all publish nodes.
To learn about user sync and how to enable it, see User Synchronization.
Managing Permissions managing-permissions
This section describes how to set permissions, including replication privileges.
Setting Permissions setting-permissions
Permissions allow users to perform certain actions on resources at certain paths. It also includes the ability to create or delete pages.
To add, modify, or delete permissions:
-
In the Security console, double-click the name of the user or group you want to set permissions for or search for nodes.
-
Click the Permissions tab.
-
In the tree grid, select a check box to allow the selected user or group to perform an action or clear a check box to deny the selected user or group to perform an action. For more information click Details.
-
When finished, click Save.
Setting Replication Privileges setting-replication-privileges
Replication privilege is the right to publish content, and it can be set for groups and users.
- Any replication rights applied to a group apply to all the users in that group.
- A user’s replication privileges supersedes a group’s replication privileges.
- The Allow replication rights have a higher precedence than the Deny replication rights. See Permissions in AEM for more information.
To set replication privileges:
-
Select the user or group from the list, double-click to open, and click Permissions.
-
In the grid, navigate to the path where you want the user to have replication privileges or search for nodes.
-
In the Replicate column at the path selected, select a check box to add the replication privilege for that user or group, or clear the check box to remove the replication privilege. AEM displays a red triangle anywhere you have made changes that have not yet been saved.
-
Click Save to save your changes.
Searching for nodes searching-for-nodes
When adding or removing permissions, you can either browse or search for the node.
There are two different types of path search:
- Path search - If the search string starts with a “/”, then it searches for the direct subnodes of the given path:
In the search box, you can do the following:
- FullText search - If the search string does not start with a “/” then a fulltext search is executed on all the nodes under the path “/content.”
To perform a search on paths or fulltext:
-
In the Security console, select a user or group and then click the Permissions tab.
-
In the Search box, enter a term to search for.
Impersonating Users impersonating-users
You can specify one or more users that are allowed to impersonate the current user. This ability means they can switch their account settings to the current user’s and act on behalf of this user.
Use this function with caution as it may allow users to perform actions that their own user cannot. When impersonating a user, users are notified that they are not logged in as themselves.
There are various scenarios when you may want to use this functionality, including:
- If you are out of the office, you can let another person impersonate you while you are away. By using this feature, you can make sure that somebody has your access rights and you do not need to modify a user profile or give out your password.
- You can use it for debugging purposes. For example, to see how the Web site looks for a user with restricted access rights. Also, if a user complains about technical problems, you can impersonate that user to diagnose and fix the problem.
To impersonate an existing user:
-
In the tree list, select the name of the person who you want to assign other users to impersonate. Double-click to open.
-
Click the Impersonators tab.
-
Click the user that you want to be able to impersonate the selected user. Drag the user (the impersonator) from the list to the Impersonate pane. The name appears in the list.
-
Click Save.
Setting User and Group Preferences setting-user-and-group-preferences
To set user and group preferences, including language, window management, and toolbar preferences:
-
Select the user or group whose preferences that you want to change in the left-hand tree. To select multiple users or groups, Ctrl+click or Shift+click your selections.
-
Click the Preferences tab.
-
Make changes, as necessary to the group or user preferences and click Save when finished.
Setting users or administrators to have the privilege to manage other users setting-users-or-administrators-to-have-the-privilege-to-manage-other-users
To set users or administrators to have the privileges to delete/activate/deactivate other users:
-
Add the user that you want to give privileges to manage other users to the administrator group and save your changes.
-
In the user’s Permissions tab, navigate to “/” and in the Replicate column, select the check box to allow replication at “/” and click Save.
The selected user can now deactivate, activate, delete, and create users.
Extending Privileges on a Project Level extending-privileges-on-a-project-level
If you plan to implement application-specific privileges, the following information describes what you must know to implement a custom privilege and how to enforce it throughout CQ:
The hierarchy-modification privilege is covered by a combination of jcr-privileges. The replication privilege is named crx:replicate that is stored/evaluated along with other privileges on the jcr repository. It is, however, not enforced on the jcr level.
The definition and registration of custom privileges is officially part of the Jackrabbit API as of version 2.4 (see also JCR-2887). Further usage is covered by JCR Access Control Management such as definedby JSR 283 (section 16). In addition, the Jackrabbit API defines a couple of extensions.
The privilege registration mechanism is reflected in the UI under Repository Configuration.
The registration of new (custom) privileges is itself protected by a built-in privilege that must be granted on the repository level. In JCR: passing ‘null’ as the ‘absPath’ parameter in the ac mgt api, see jsr 333 for details. By default, admin and all members of administrators have that privilege granted.