AEM ACL and how they are evaluated

ACL's and how they are evaluated ?


AEM Developers, Infrastructure Engineers / Dev-ops teams working in any domain regularly come across a challenge for understanding the ACL & its evaluation mechanism. 

Adobe Experience Manager is designed to cater for content authoring of multiple sites by multiple content authors. Naturally, this process needs to be controlled by strict Access Control Lists (ACLs) to manage.
AEM WCM uses Access Control Lists (ACLs) to organise the permissions being applied to the various pages.


This article addresses in a simple way on how to understand the ACL's , its different ways, 
This article covers the following -
  • How can we read and understand the ACL. 
  • Evaluation of user permissions. 
  • Concurrent Permission on ACL
Access Control Lists are made up of the individual permissions and are used to determine the order in which these permissions are actually applied. The list is formed according to the hierarchy of the pages under consideration.

How can we read and understand the ACL -

  • In AEM Permissions define who is allowed to perform which actions on a resource. The permissions are the result of access control evaluations.
  • You can change the permissions granted/denied to a given user by selecting or clearing the checkboxes for the individual AEM actions. A check mark indicates that an action is allowed. No checkmark indicates that an action is denied.
  • Where the checkmark is located in the grid also indicates what permissions users have in what locations within AEM (that is, which paths).
  • To Read and see the ACL's you have useradmin console , This is a nice UI default provided by AEM to show and check all the permission. -  http://host:port/useradmin

Evaluation of user permissions -

  • An AccessControlEntry (ACE) represents the association of one or more Privilege objects with a specific Principal.
  • A standard installation of a CRX repository is configured to use resource-based access control lists.

Resource-based ACLs : -

  • That means that a resource/node is associated with a list of allow/deny entries for certain principals (users or groups), which naturally maps to store them along the JCR node.
  • Allow rights have higher precedence than deny rights.
  • Group principals are evaluated in order, both within the hierarchy and order within a single access control list ie on the same node (CONCURRENT).
  • This list is then scanned bottom-up until the first appropriate permission to apply to a page is found.

Concurrent (on the same node) Permission on ACL :- 

The permission created first in user admin is added to the node first (1st ACE) and then the next permission is added below it (2nd ACE). 
This list is then scanned bottom-up until the first appropriate permission to apply to a page is found. 
Example -1 
Suppose, you have the following ACL for the same resource under /content/geometrixx/
en/products.


If a user is part of the two groups ‘allowed-it’ and ‘restricted-it’, you can see that the
access to the page products is denied because the ACL deny in read access is the rule
at the bottom.

Example - 2
Now, if the order of the ACL is the opposite, a user, part of two groups, allowed-it and
restricted-it, will have access /to the products page (because the ACL allow in read access
is the rule at the bottom).

Comments

Popular Posts

AEM Security Headers

Configure/Decoding AEM AuditLogs

How to WhiteList IP through AEM Dispatcher ?