hi jorge

that should be easy to do by configuring your system to trigger the 'AccessControlAction' upon user/group creation. this action is part of the default action provider implementation and you can configure the desired privileges granted for users and groups, respectively.
in the OSGi console the provider is labeled "Apache Jackrabbit Oak AuthorizableActionProvider" and the corresponding configuration option "Configure AccessControlAction: User Privileges".

the documentation for the actions is located at http://jackrabbit.apache.org/oak/docs/security/user/authorizableaction.html

there should be tests available in oak-core that illustrate the behavior if you wanted to see it in action.

hope that helps
angela

________________________________________
From: jorgeeflorez . <jorgeeduardoflo...@gmail.com>
Sent: Friday, May 31, 2019 2:34 PM
To: oak-dev@jackrabbit.apache.org
Subject: ldap user permission

Hello,

I am currently implementing user login using an LDAP server. So far so good. I am able to enter the repositories, and when the user that is logging in doesn't exist in the repository, it is automatically created.

I am seeing that the created users have no privileges (which makes sense). Unfortunately, I am using a property from the authorizable to get the modules the user can see in the application. And when a new user logs in, he is not able to get his own authorizable and I cannot read the property.

Is there an "easy" way to assign, to the user that is created automatically, jcr:read on its own authorizable's path?

If there is not, I think I will go with the alternative: just check if he has the permission and, if not, grant it before getting his own authorizable...

Thanks.

Jorge Eduardo Flórez
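
The configuration discussed in this thread, as an added example that is not code from either participant or from the Oak project: a non-OSGi setup that enables `AccessControlAction` with `jcr:read` for users only, then checks that a newly created user can read its own authorizable node. Assumptions: an in-memory Oak repository with the default `admin`/`admin` account, the provider's option keys `enabledActions`, `userPrivilegeNames` and `groupPrivilegeNames`, and a constructed user id and password.

```java
import java.util.Map;
import javax.jcr.Repository;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.oak.Oak;
import org.apache.jackrabbit.oak.jcr.Jcr;
import org.apache.jackrabbit.oak.security.internal.SecurityProviderBuilder;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
import org.apache.jackrabbit.oak.spi.security.user.action.AccessControlAction;
import org.apache.jackrabbit.oak.spi.security.user.action.DefaultAuthorizableActionProvider;

public class OwnHomeReadExample {
    public static void main(String[] args) throws Exception {
        // Enable AccessControlAction and grant only jcr:read on the user's own home;
        // groups get nothing (least privilege).
        ConfigurationParameters actionConfig = ConfigurationParameters.of(Map.of(
                "enabledActions", new String[] {AccessControlAction.class.getName()},
                "userPrivilegeNames", new String[] {"jcr:read"},
                "groupPrivilegeNames", new String[0]));
        ConfigurationParameters userConfig = ConfigurationParameters.of(
                UserConstants.PARAM_AUTHORIZABLE_ACTION_PROVIDER,
                new DefaultAuthorizableActionProvider(actionConfig));
        SecurityProvider securityProvider = SecurityProviderBuilder.newBuilder()
                .with(ConfigurationParameters.of(UserConfiguration.NAME, userConfig))
                .build();
        Repository repository = new Jcr(new Oak()).with(securityProvider).createRepository();

        // Constructed sample user, standing in for the auto-created account.
        Session admin = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
        User user = ((JackrabbitSession) admin).getUserManager()
                .createUser("constructed-user", "constructed-password");
        String home = user.getPath();
        admin.save();
        admin.logout();

        // The new user should now be able to read its own authorizable node.
        Session own = repository.login(
                new SimpleCredentials("constructed-user", "constructed-password".toCharArray()));
        System.out.println("can read own home: " + own.nodeExists(home));
        own.logout();
    }
}
```

In an OSGi deployment the same three keys are set on the "Apache Jackrabbit Oak AuthorizableActionProvider" configuration instead of being passed in code.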