Mastering AEM Authorization: Best Practices for Security & Performance
Effective authorization management is crucial for large-scale AEM environments where misconfiguration can lead to security gaps and performance slowdowns.
In this session, the core team behind AEM’s authorization system will reveal common pitfalls, share best practices, and demonstrate how to optimize access control for both security and speed.
Walk away with actionable insights to streamline permissions in your AEM projects!
Henry Kuijpers
Is all this nice stuff already usable by Sling's ResourceResolver? (It looks like it's proprietary to the Jackrabbit API?) (The getBoundPrincipals, etc.)
Tomasz Sobczyk
Do you have a recommended approach for testing permissions? Unit + mocks / integration tests against the instance? Something else?
Georg Henzler
You can also use https://github.com/Netcentric/access-control-validator
Angela
For quickstart build we internally use server-side tests. Happy to help build an addition to the AC Tool or a Sling extension. We are aware that this would help a lot. Ping us.
Piotr
Do you know/recommend any automation tool/library which simplifies permissions testing in AEM?
Henry Kuijpers
Probably a lot of people are using AC Tool to manage permissions in an AEM instance -- @kwin: Some nice stuff to add? :-D
Helge
How can we check from which (sub)group a permission for a path is inherited on Cloud Service, which does not have a /useradmin?
Angela
We are working on improved permission UI capabilities in Touch UI and the repo browser. Alejandro is leading that effort... we also have that need internally for troubleshooting.
wolf
How do you propose to grant access to external groups (assuming you can't control their names, as the company IdP typically will not follow product conventions) without making the external group a member of an in-built group, e.g. "contributors"? The slide only recommended avoiding it, but did not propose what to do instead.
Angela
See slides: Sling repo init now allows setting up permissions for non-existing principals and, afaik, also allows adding members before they exist. As far as contributors are concerned: on CS author with IMS integration, contributors are configured in the auto-membership option, i.e. everyone is a member of contributors. With dynamic sync enabled now by default, this membership is dynamically computed and not stored with the contributor group, i.e. no penalty from having the group grow big. Btw: Nicola will talk about the dynamic membership tomorrow in the last presentation. Super important topic to be aware of, in my humble opinion.