AEM Advanced Permissions Manager uses custom Oak restriction mechanism to provide a way to apply the permission. The permission is applied only if the defined condition is met. Currently the main example is to allow/deny access if an asset owns (or does not own) a tag.
This mechanism can be used to restrict a standard ACL permission for any asset.
AAPM requires Java 11, Maven >= 3.6.0 and AEM Cloud/6.5.
| AEM Version | AAPM |
|---|---|
| Cloud | 0.9.x |
| 6.5 | 0.9.x |
There are 2 ways to deploy:
- From zip files
- Code: aapm.all-x.x.x.jar
- Examples including predefined assets, users and groups to test quickly: aapm.examples-x.x.x.zip
- From sources
- See our developer zone
<dependency>
<groupId>com.valtech.aapm</groupId>
<artifactId>aapm.all</artifactId>
<version>LATEST</version>
<type>zip</type>
</dependency>
- /conf/valtech/aapm-examples
- /content/dam/aapm-test
- /apps/valtech/aapm
- /apps/valtech/aapm-examples
- atest-aapm-content
- atest-aapm-reader
- atest-aapm-restricted
- aapm-content
- aapm-reader
- aapm-restricted
User with the appropriate rights, can define restrictions.
A restriction is written like this:
- rep:hasPropertyValues: <restriction_type>_<unary_operator><property_type>$<property_name><binary_operator><property_value>
where:
- <restriction_type> = "allow" or "deny"
- <unary_operator> = "!" or "" (negation or not)
- <property_type> = "int", "date", "string" (currently only type "string" works well)
- <property_name> = the name of the asset node property ("cq:tags" for example)
- <binary_operator> =
- "_EQUALS_"
- "_GREATER_THAN_EQUALS_"
- "_LESS_THAN_EQUALS_"
- "_GREATER_THEN_"
- "_LESS_THEN_" (currently only "EQUALS*" works well*)
- <property_value> = the value the property has to be equal to match the restriction
You can install the aapm.examples package for the following examples. Be careful: the permission type (allow or deny) has to be the same than the "restriction type". See examples below.
- Permission type = "deny"
- hasPropertyValues: deny_string_cq:tags_EQUALS_properties:orientation/portrait
- For a restriction "R1" defined by the above line applying to a user "UserA", R1 will prevent UserA to access to all the assets tagged with orientation/portrait
- Permission type = "allow"
- You can "cancel" the restriction of example 2 in a subfolder by adding following line
- hasPropertyValues: allow_string_cq:tags_EQUALS_properties:orientation/portrait
- Permission type = "deny"
- You can use a "negate operator":
- hasPropertyValues: denystring!cq:tags_EQUALS_properties:orientation/portrait
- For a restriction "R2" defined by the above line applying to a user "UserA", R2 will prevent UserA to access to all the assets not tagged with orientation/portrait
1 - Go to permission tab (Tools/Security/Permission)
2- Click "Add ACE" and follow instructions
config file location: apps/aapm-examples/osgiconfig/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aapm.config
# Test 1: with user that has permission to see the all inside test-allow folder
- aapm-default-reader:
- path: /content/dam/aapm-test/test-allow
permission: allow
actions:
privileges: jcr:all
restrictions:
hasPropertyValues: allow#string$cq:tags==properties:orientation/portrait
# Test 2: with user that has NO permission on test-deny but with permission in test-deny/subfolder
- path: /content/dam/aapm-test/test-deny
permission: deny
actions:
privileges: jcr:all
restrictions:
hasPropertyValues: deny#string$cq:tags==properties:orientation/portrait
- path: /content/dam/aapm-test/test-deny/subfolder
permission: allow
actions:
privileges: jcr:all
restrictions:
hasPropertyValues: allow#string$cq:tags==properties:orientation/portrait
User can modify existing restriction even through yaml or permission tab.
- From yaml, just modify your permission file and redeploy.
- From restriction tab, go to permission tab (Tools/Security/Permissions) and select the existing group and edit
# Test 1
1 - Login as admin user
2 - Navigate to /content/dam/aapm-test/test-allow folder
4 - User should see all assets and sub folder
3 - Unpersonnate as atest-aapm-reader (/apps/valtech/aapm-examples/aapm/permissions/users/aapm-ace-user.yaml)
4 - Result: user will only see all assets with the tag properties:orientation/portrait
# Test 2
1 - Login as admin user
2 - Navigate to /content/dam/aapm-test/test-deny
3 - User should see all assets and sub folder
4 - Unpersonnate as atest-aapm-restricted (/apps/valtech/aapm-examples/aapm/permissions/users/aapm-ace-user.yaml)
5 - Result: user should see only assets without the tag properties:orientation/portrait in "test-deny" and all asssets in "/subfolder" (because for the group "aapm-restricted" deny access for assets with tag "properties:orientation/portrait" has been overidden by an allow access for "subfolder")
A restriction is written like this:
- rep:subFolder: <restriction_type>_<unary_operator><binary_operator><folder_relative_level>
where:
- <restriction_type> = "allow" or "deny"
- <unary_operator> = "!" or "" (negation or not)
- <binary_operator> =
- "_EQUALS_"
- "_GREATER_THAN_EQUALS_"
- "_LESS_THAN_EQUALS_"
- "_GREATER_THEN_"
- "_LESS_THEN_" (currently only "EQUALS*" works well*)
- <folder_relative_level> = The level of the folder where the restriction need to be applied relative to the folder where the ACE is set
- Path: /content/dam/test
- Privilege: [rep:write]
- Permission Type: "allow"
- Restrictions: rep:subFolder: allow_GREATER_THAN_EQUALS_2
All items under /content/dam/test/**/**/ will have rep:write access.
See our developer zone.