Unveiling the power of AEM’s permission system

Customers have all sorts of requirements for how they want their content to be protected: not only folder-based, but also based on properties, tags and even time.

The good thing is that the permission system of AEM is very powerful. In addition to simple allow/deny rules you can extend rules with restrictions.

The best-known one is “rep:glob”. But did you know that you can implement your own restrictions to cover even exotic use cases?

This talk will give insights into how to develop custom restrictions and present our open-source tool “AEM Advanced Restrictions”, which covers lots of use cases.

Beo

I expect this to work on both cloud and on-prem, isn't it?

Bartłomiej Gątarski

Yes, works on both.

The Netcentric AC Tool is capable of managing permissions from config. Is there a reason you decided to implement your own solution instead of the AC Tool?

Konrad Windszus

Both approaches can (and probably should) be combined. You can set arbitrary restrictions with the AC Tool (https://github.com/Netcentric/accesscontroltool/blob/develop/docs/Configuration.md#configuration-of-aces).

Tomek Niedzwiedz

@Konrad Windszus, does that include property-level permissions?

Konrad Windszus

Property-level permissions require using restrictions, which is supported by the tool.

Is the performance impact of this already known/evaluated?

(see answer in talk video)

Tomek Niedzwiedz

Do property-based restrictions that rely on reading the repository as part of the implementation have much of a performance penalty? How often is the code implementing the interface invoked?

(see answer in talk video)

Konrad Windszus

Have you considered donating the AEM agnostic ones to Oak directly (https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html#built-in-restrictions)?

(see answer in talk video)

What about using this restriction extension mechanism to create custom restrictions on AEM publisher instances? We had a use case where we had to limit access on publishers.

RolandGruber

There is no limitation to author; you can use it on publish the same way.

Is this kind of ACL maintainable without CRXDE?

RolandGruber

Yes, you can use the AEM UI and e.g. the AC Tool.

Is "allow" required for a power user if the power user already has full access based on path and restricted users are "denied", as shown in the example?

RolandGruber

This depends on whether the power user is also a member of the restricted group. If not, then the rule is not needed. But often, power user rights are based on the restricted rights.

Yegor Kozlov

It's very typical to customize the UI and show/hide buttons that are only available to the user or for the selected object, for example to hide the Publish button if the asset has the dam:confidential property. Did you customize it that far?

RolandGruber

AEM will hide some functionality out of the box when permissions are missing.

Can the same be achieved on the Brand Portal side?

RolandGruber

No, Brand Portal is a separate application and is not connected to AEM's permissions.

Does your tool also support extension points, e.g. to add a custom permission check?

RolandGruber

No, but feel free to create a pull request if you have an interesting restriction type. If you want to keep it private, take our code as a template.