Hi Julian

Darn, that was the ticket. I was so convinced that the top permission would win that I never tried that. So reordering the permission so that the tenant group is last in the list of policies does do what I want.

I am sort of missing the view in AEM that shows which permission is applied.

Thanks - Andy

> On Apr 24, 2020, at 1:04 AM, Julian Sedding <[email protected]> wrote:
>
> Hi
>
> I get the impression that you assume an "allow" has precedence over "deny".
> I am pretty sure that "user" permissions have precedence over "group"
> permissions, but otherwise the order of the ACL is relevant (last wins).
> Try reordering your ACL and see if that helps.
>
> Regards
> Julian
>
>
> On Fri, 24 Apr 2020 at 07:52, Andreas Schaefer <[email protected]>
> wrote:
>
>> Hi
>>
>> I might be doing something wrong but I am running into issues with Sling
>> resource permissions. This is my setup:
>>
>> - User: perm_17_user
>> - Group: perm_17_group
>> - Group: tenant_all
>> - User is part of both groups
>> - Everyone has read access to /
>> - Resource: /content/perm_17
>> - perm_17_group has jcr:all granted
>> - tenant_all has jcr:all denied
>>
>> Groups:
>>
>> curl -u admin:admin http://localhost:8080/home/groups.2.json | jq
>> {
>>   "jcr:primaryType": "rep:AuthorizableFolder",
>>   "tenants": {
>>     "jcr:primaryType": "rep:AuthorizableFolder",
>>     "HDE3HZ3kFOirj8vCLpgj5": {
>>       "jcr:primaryType": "rep:Group",
>>       "jcr:mixinTypes": [
>>         "rep:AccessControllable"
>>       ],
>>       "jcr:createdBy": "admin",
>>       "jcr:created": "Thu Apr 23 2020 15:58:06 GMT-0700",
>>       "rep:principalName": "all_tenants",
>>       "jcr:uuid": "c273e21f-1cf9-3f59-80e8-a760e7930b8d",
>>       "rep:members": [
>>         "3c23d2bf-61a4-3204-bde0-6a3e86d2d04b",
>>         "42cd1880-d41d-3b27-ab4a-f0235da1715c",
>>         "00344a23-f67d-3f6b-951e-71c2ae5e0482",
>>         "ef43d954-cf0d-3d61-9ab2-b9a5259619c0",
>>         "a197e96b-cf2b-3cbd-bab4-103bd0e1646d"
>>       ],
>>       "rep:authorizableId": "all_tenants"
>>     },
>>     "QMRo8OL5zNSaHnA4zK4YV": {
>>       "jcr:primaryType": "rep:Group",
>>       "jcr:mixinTypes": [
>>         "rep:AccessControllable"
>>       ],
>>       "jcr:createdBy": "peregrine-service-user",
>>       "jcr:created": "Thu Apr 23 2020 18:02:27 GMT-0700",
>>       "rep:principalName": "perm_17_group",
>>       "jcr:uuid": "a197e96b-cf2b-3cbd-bab4-103bd0e1646d",
>>       "rep:members": [
>>         "6e0b16ee-cdf4-3a65-9a22-951b7828ce52"
>>       ],
>>       "rep:authorizableId": "perm_17_group"
>>     },
>>
>> Users:
>>
>> curl -u admin:admin http://localhost:8080/home/users.2.json | jq
>> {
>>   "jcr:primaryType": "rep:AuthorizableFolder",
>>   "tenants": {
>>     "jcr:primaryType": "rep:AuthorizableFolder",
>>     "7G1VbW9W5bThqIYQRNFbH": {
>>       "jcr:primaryType": "rep:User",
>>       "jcr:mixinTypes": [
>>         "rep:AccessControllable"
>>       ],
>>       "jcr:createdBy": "peregrine-service-user",
>>       "rep:password": "{SHA-256}e6a0e743c84a57c9-1000-097a1bab311072202e27e03b4561b5238909a2426c708da982b85a5d78f02fba",
>>       "jcr:created": "Thu Apr 23 2020 18:02:27 GMT-0700",
>>       "rep:principalName": "perm_17_user",
>>       "jcr:uuid": "6e0b16ee-cdf4-3a65-9a22-951b7828ce52",
>>       "rep:authorizableId": "perm_17_user"
>>     },
>>
>> EACL List:
>>
>> curl -u admin:admin http://localhost:8080/content/perm_17.eacl.json | jq
>> {
>>   "perm_17_group": {
>>     "principal": "perm_17_group",
>>     "granted": [
>>       "jcr:all"
>>     ],
>>     "order": 0
>>   },
>>   "all_tenants": {
>>     "principal": "all_tenants",
>>     "denied": [
>>       "jcr:all"
>>     ],
>>     "order": 1
>>   },
>>
>> Finally, when I list the resources in /content for user perm_17_user, it
>> will not list perm_17:
>>
>> curl -u perm_17_user:perm_17_user http://localhost:8080/content.1.json | jq
>>
>> When I replace the group with the user to grant jcr:all then it does
>> return that resource:
>>
>> curl -u perm_17_user:perm_17_user http://localhost:8080/content.1.json | jq
>> {
>>   "jcr:primaryType": "sling:OrderedFolder",
>>   "jcr:mixinTypes": [
>>     "rep:AccessControllable"
>>   ],
>>   "jcr:createdBy": "admin",
>>   "jcr:created": "Thu Apr 23 2020 15:58:06 GMT-0700",
>>   "nodejs": {
>>     "jcr:primaryType": "sling:Folder",
>>     "jcr:createdBy": "admin",
>>     "jcr:title": "Sling Node Package Manager",
>>     "jcr:created": "Thu Apr 23 2020 15:59:49 GMT-0700",
>>     "jcr:description": "Sling Node Package Manager Content Root"
>>   },
>>   "perm_17": {
>>     "jcr:primaryType": "per:Site",
>>     "jcr:mixinTypes": [
>>       "rep:AccessControllable"
>>     ],
>>     "jcr:title": "perm_17",
>>     "template": false,
>>     "sourceSite": "themecleanflex",
>>     "internal": false
>>
>> This looks like the group membership of the user is not checked against
>> the group.
>> Is there anything I do wrong, is this a known issue or a bug?
>>
>> Cheers - Andy Schaefer
>>
>>

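The following is an added illustration of the evaluation rule Julian describes above; it is not Oak or Sling code and does not reproduce their implementation. It models only the two rules stated in the thread (entries for the user's own principal take precedence over entries for its groups, otherwise the later entry in the policy wins) on a single node's policy, with no inheritance from ancestor nodes such as the read grant on /. The `.eacl.json` output from the thread is embedded as constructed input, and its `order` field is taken as the policy order; the partial expansion of `jcr:all` and the choice to list a principal's grant before its deny when both exist are assumptions made for the example.

```python
"""Toy model of the ACL ordering rule from the thread (added example, not Oak/Sling code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Partial expansion of aggregate privileges; enough for the scenarios below (assumption).
AGGREGATES = {
    "jcr:all": {"jcr:read", "jcr:write", "jcr:readAccessControl"},
    "jcr:write": {"jcr:addChildNodes", "jcr:modifyProperties",
                  "jcr:removeNode", "jcr:removeChildNodes"},
}


def expand(privileges: Iterable[str]) -> frozenset[str]:
    """Expand aggregate privileges into the leaf privileges they cover (aggregate names kept)."""
    out: set[str] = set()
    todo = list(privileges)
    while todo:
        p = todo.pop()
        if p in out:
            continue
        out.add(p)
        todo.extend(AGGREGATES.get(p, ()))
    return frozenset(out)


@dataclass(frozen=True)
class Ace:
    principal: str
    allow: bool
    privileges: frozenset[str]


def acl_from_eacl(eacl: dict) -> list[Ace]:
    """Build an ordered ACL from the shape of Sling's .eacl.json output:
    principal -> {"principal": ..., "granted": [...], "denied": [...], "order": n}.
    Assumption: when one principal carries both lists, its grant is ordered before its deny."""
    acl: list[Ace] = []
    for entry in sorted(eacl.values(), key=lambda e: e["order"]):
        if entry.get("granted"):
            acl.append(Ace(entry["principal"], True, expand(entry["granted"])))
        if entry.get("denied"):
            acl.append(Ace(entry["principal"], False, expand(entry["denied"])))
    return acl


def is_granted(acl: list[Ace], user: str, groups: Iterable[str], privilege: str) -> bool:
    """Decide one privilege for `user` (member of `groups`) under `acl`.
    Entries for the user's own principal are consulted first, then group entries;
    within each pass the list is walked from the end, so the later entry wins.
    No matching entry means the privilege is denied."""
    for pass_principals in ({user}, set(groups)):
        for ace in reversed(acl):
            if ace.principal in pass_principals and privilege in ace.privileges:
                return ace.allow
    return False


# Constructed from the .eacl.json output quoted in the thread (not fetched live).
EACL_AS_POSTED = {
    "perm_17_group": {"principal": "perm_17_group", "granted": ["jcr:all"], "order": 0},
    "all_tenants": {"principal": "all_tenants", "denied": ["jcr:all"], "order": 1},
}
USER = "perm_17_user"
GROUPS = ("perm_17_group", "all_tenants")


def scenarios() -> dict[str, bool]:
    """The three configurations discussed in the thread, decided for jcr:read on /content/perm_17."""
    posted = acl_from_eacl(EACL_AS_POSTED)
    swapped = list(reversed(posted))                       # the two entries in the opposite order
    user_grant = [Ace(USER, True, expand(["jcr:all"])),    # grant to the user instead of the group,
                  posted[1]]                               # tenant deny still last
    return {
        "as posted": is_granted(posted, USER, GROUPS, "jcr:read"),
        "swapped": is_granted(swapped, USER, GROUPS, "jcr:read"),
        "user grant": is_granted(user_grant, USER, GROUPS, "jcr:read"),
    }


if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name}: {'perm_17 visible' if granted else 'perm_17 hidden'}")
```

With the entries in the posted order the group deny is later and wins, which matches the listing that omits perm_17; with the two entries swapped the group grant wins; and a grant to the user principal wins regardless of its position, which matches the second listing in the original post.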