Friday 6 December 2019

CUG | Permissions resets on restart

Closed User Groups (CUGs)

AEM 6.3 ships with a new Closed User Group implementation intended to address the performance, scalability and security issues present with the existing implementation.





Now if projects which got upgraded to 6.3, might face this issue as their page component might be using old page properties code and will be still working due to Backward Compatibility.

That message gets displayed when "Enable" checkbox is checked and it saves value as cq:cugEnabled as we are setting it in project custom code which was referred from older version.

Where as from 6.3 it got changed to below which 
/libs/foundation/components/page/cq:dialog/content/items/tabs/items/advanced/items/column/items/authenticationrequirement/items/enable
which just sets property in page page, mixinType value as granite:AuthenticationRequired

So to get rid to this error message
"The Authentication Requirement cannot be edited because the page is using a deprecated configuration for the Closed User Group.
Please refer to the documentation."

Update page properties code and refer with new code present in above mentioned path.

Also, to enable CUG from OSGI configurations, enable it from new configurations instead of old, enabling both will cause more conflict problems.

Old OSGI Config:
Adobe Granite Closed User Group (CUG) Support

New OSGI Configs:
Apache Jackrabbit Oak CUG Configuration
Apache Jackrabbit Oak CUG Exclude List

...............................................................

Now Permission (rep:policy node) cannot be deleted for those pages which has CUG enabled. As if deleted also post server restart it will come back.

Mostly its suggested to disabled CUG in Author as its mainly for end user purpose.

So if facing any conflict issue in permissions, follow below steps:
1) Disabled CUG for that page from page properties.
2) Now from Content Repository [/crx/explorer/index.jsp] 
    Go to Access Control Editor
    Search for that page from Path and delete those permissions and Click on Apply and then close. Now on restart also permission will not get changed, until and unless CUG is enabled back.

OR can be delete using below steps post disabling CUG on Pages:
In OSGI go to Main -> Closed User Groups Migration Tool
Click on "Perform Dry run" button
Then click on "Perform migration"



This permission issue will only be faced in AEM < 6.3, as CUG and User Permission were sharing same set of permissions.
From AEM 6.3, it will use separate authorization module called oak-authorization-cug.

For more details please refer https://helpx.adobe.com/in/experience-manager/6-3/sites/administering/using/closed-user-groups.html
at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)