In most multi-tenant websites, user groups determine what AEM content authors are allowed to change. The most common requirement for a multi-tenant website is that authors can only edit the tags belonging to their own brand, and the way to achieve this is through permissions. In this blog, we will ensure that all “WKND Members” can create, read, update, and delete nodes under /content/cq:tags/wknd-shared, while being unable to read any other tags listed under /content/cq:tags/*.
Steps to Restrict Tags for User Groups in AEM
1. Go to Tools > Security > Permissions
Navigate to the Permissions section of the AEM author instance to start configuring the permissions for the user group.
2. Find Your User Group
Search for the user group that you want to configure. In this example, we will be using the “WKND Members” group.
3. Click on “Add ACE”
Add a new Access Control Entry (ACE) to define the permissions for the group.
4. Add Path /content/cq:tags
This ACE will hide all tags from the user group initially.
5. Privileges: Add jcr:read
Select the jcr:read privilege for the path /content/cq:tags; this is the privilege that the ACE will deny in the next step.
6. Set Permission Type to Deny
This ensures that the group cannot read the tags by default.
7. Add Restrictions rep:glob=/
This restriction hides all top-level cq:Tag resources. It effectively denies access to all tags under /content/cq:tags for the specified group.
Explanation: the rep:glob=/ restriction specifies that the denial applies to the child nodes of the specified path, so the group will not be able to see any of the tags under /content/cq:tags.
8. Press Add to Save
Confirm and add this ACE to enforce the denial of read access.
9. Allow Access to /content/cq:tags/wknd-shared
Now we need to explicitly allow access to the specific tags we want the group to manage. Because this ACE is set on a deeper path than the deny, Oak evaluates it first, so it takes precedence for everything under /content/cq:tags/wknd-shared.
10. Click on “Add ACE”
Add another ACE to define the permissions for the specific tags.
11. Add Path /content/cq:tags/wknd-shared
Specify the path to the tags that should be visible and editable by the group.
12. Set Permission Type to Allow
Ensure that the permission type is set to Allow so that the group can read and manage these tags.
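As an added verification step (example code, not from the original post): once both ACEs are saved, fetching /content/cq:tags.1.json through Sling's default GET servlet as a member of the group should list only wknd-shared, because Sling omits nodes the session cannot read. The script below parses such a listing and reports any other cq:Tag namespace that is still visible; the two listings are constructed samples, and the host name, test user and password are assumptions.

```python
import json
from base64 import b64encode
from urllib.request import Request, urlopen

# The only tag namespace the WKND Members group should see (from the post).
ALLOWED_TAG_ROOTS = {"wknd-shared"}


def visible_tag_roots(listing_json: str) -> set:
    """Names of the cq:Tag child nodes in a Sling .1.json listing of /content/cq:tags.

    Sling renders only nodes the requesting session may read, so a tag namespace
    hidden by the deny ACE is simply absent from the listing.
    """
    listing = json.loads(listing_json)
    return {name for name, node in listing.items()
            if isinstance(node, dict) and node.get("jcr:primaryType") == "cq:Tag"}


def leaked_tag_roots(listing_json: str, allowed=ALLOWED_TAG_ROOTS) -> set:
    """Tag namespaces the group can still see although the ACL should hide them."""
    return visible_tag_roots(listing_json) - set(allowed)


def fetch_listing(host: str, user: str, password: str) -> str:
    """GET /content/cq:tags.1.json with basic auth as the test user (assumed credentials)."""
    req = Request(f"{host}/content/cq:tags.1.json")
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample listings: what a group member would get before and after the ACEs.
BEFORE_ACL = json.dumps({
    "jcr:primaryType": "sling:Folder",
    "wknd-shared": {"jcr:primaryType": "cq:Tag", "jcr:title": "WKND Shared"},
    "other-brand": {"jcr:primaryType": "cq:Tag", "jcr:title": "Other Brand"},
    "standard": {"jcr:primaryType": "cq:Tag", "jcr:title": "Standard Tags"},
})
AFTER_ACL = json.dumps({
    "jcr:primaryType": "sling:Folder",
    "wknd-shared": {"jcr:primaryType": "cq:Tag", "jcr:title": "WKND Shared"},
})

if __name__ == "__main__":
    # Against a live author instance, replace the samples with
    # fetch_listing("http://localhost:4502", "wknd-test-user", "<password>").
    for label, listing in (("before ACL", BEFORE_ACL), ("after ACL", AFTER_ACL)):
        print(f"{label}: leaked tag namespaces = {sorted(leaked_tag_roots(listing))}")
```

Run it as the test user rather than as admin: admin bypasses ACLs, so its listing proves nothing about the group's effective permissions.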
Conclusion
By following these steps, the “WKND Members” user group will be able to create, read, update, and delete nodes under /content/cq:tags/wknd-shared, while being restricted from accessing any other tags under /content/cq:tags/*.
This approach ensures that content authors have the appropriate level of access for their specific brand without exposing unnecessary data or tags.
Managing permissions in a multi-tenant AEM environment is crucial for ensuring that content authors can only access and modify the resources relevant to their brand. By carefully setting up access control entries and restrictions, you can achieve a secure and efficient content authoring process.