It is common to have multiple CQ Publisher instances in different environments (DEV, QA, PROD, etc.). When you make user administration and security changes to users and groups on the production server, you may want to bring them down to the lower DEV and QA environments so they don't go out of sync. In such a scenario, you have to copy over both the user/group definitions and the permission definitions. This post shows you how to copy users and groups you set up on one CQ instance (source CQ) to another instance (destination CQ), and how to bring over the permissions (resource-based ACLs) from the source CQ to the destination CQ.

copy users and groups definition

To copy users and groups definitions from one CQ to another, we package the users/groups definitions up into a package, then install the package on the destination CQ. We simply use CQ's package capability to package up everything under /home, which holds the users/groups definitions, into a package with AC Handling set to 'overwrite.' The 'overwrite' access control handling tells JcrPackageDefinition to overwrite the ACLs in the destination CQ upon installing a package. When copying over users/groups definitions via package installation, we want the underlying ACLs to be copied over (overwritten) as well.

To create such a package, go to the source CQ and create a package named UsersGroups.zip with the following filter and AC Handling:

Then, move on to the destination CQ side and install the UsersGroups.zip package created above. The 'overwrite' AC Handling tells the package importer to overwrite ACLs upon installation. The installation of the package will complete in a minute, but the front-end JavaScript will hang for an unknown reason (may be related to the ACLs?) until you use another window to log yourself (admin user) back in.
When you're back in, check the User Admin console on the destination CQ instance (e.g., at http://<host>:4502/useradmin) to make sure the console now reflects what's on the source CQ.

copy permissions (ACLs) pertaining to all nodes

Policies that control how users and groups can access resources are saved in ACL nodes: resource-based ACLs are stored per resource/node in a special child rep:policy node. This node has a list of rep:GrantACE child nodes (usually named allow, allow0, ...) for grant access control entries and rep:DenyACE child nodes (usually named deny, deny0, ...) for deny access control entries. These ACLs, which contain the ACEs, are scattered all over the content nodes. Unfortunately, the out-of-the-box package builder does not support extracting these nodes, so we can use a 'create-package' tool developed by Yogesh Upadhyay to create a package based on an XPath query that extracts the ACL nodes:
Lastly, on the destination CQ instance, install the ACLDump.zip package to overwrite all ACL permissions on the destination CQ. Installation should complete in a minute or two, but the front-end JavaScript will hang until you use another window to log back in. Congratulations, you've just completed copying over users, groups, and security policies from one CQ to another.

code walkthrough

The following code snippets are extracted from the POST.jsp file of createPackage by yogi1306 on SourceForge. In his code, he uses JcrPackageManager to create a package of matched resources for download.

<%@include file="/libs/foundation/global.jsp"%> // 1

[1] Declares the sling, cq and jstl taglibs and exposes the regularly used scripting objects (e.g. resourceResolver) defined by the <cq:defineObjects /> tag.
[2] Searches for resources using the given query (e.g. /jcr:root//element(*,rep:ACL)) formulated in the "jcr xpath" language.
[3] Returns a repository-based package manager.
[4] Adds the matched resources to be packaged up to the filter of the package definition.
[5] Assembles a package based on its definition. The package is generated under the repository's default location (/etc/packages/<package-group>/), where it is available for download through CQ Package Manager.
[6] A button to download the package available in the CQ Package Manager.
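Because both packages are installed with 'overwrite' AC Handling, it is worth confirming afterwards that the destination's rep:policy nodes really match the source. The following is an added example, not code from the original post or from the createPackage tool: it walks two repository trees shaped like the rep:policy / rep:GrantACE / rep:DenyACE layout described above and reports every path whose ACEs differ. It assumes the trees are available as nested dictionaries (for instance parsed from a JSON export, which the post does not cover); the sample trees, paths and principals are constructed.

```python
# Added example (not from the original post): diff ACEs between two repository trees.
ACE_KINDS = {"rep:GrantACE": "allow", "rep:DenyACE": "deny"}

def collect_aces(node, path=""):
    """Map each resource path to the ordered ACE list of its rep:policy child."""
    found = {}
    for name, child in node.items():
        if not isinstance(child, dict):
            continue  # a property value, not a child node
        if name == "rep:policy":
            found[path or "/"] = [
                (ACE_KINDS[ace["jcr:primaryType"]], ace["rep:principalName"],
                 tuple(sorted(ace["rep:privileges"])))
                for ace in child.values()
                if isinstance(ace, dict) and ace.get("jcr:primaryType") in ACE_KINDS
            ]
        else:
            found.update(collect_aces(child, f"{path}/{name}"))
    return found

def acl_drift(source, destination):
    """Report every path whose ACE list differs between the two trees."""
    src, dst = collect_aces(source), collect_aces(destination)
    report = {}
    for path in sorted(set(src) | set(dst)):
        s, d = src.get(path, []), dst.get(path, [])
        if s != d:
            report[path] = {
                "missing_on_destination": [a for a in s if a not in d],
                "extra_on_destination": [a for a in d if a not in s],
                "order_only": sorted(s) == sorted(d),
            }
    return report

def ace(node_type, principal, *privileges):
    return {"jcr:primaryType": node_type, "rep:principalName": principal,
            "rep:privileges": list(privileges)}
def policy(**aces):
    return {"jcr:primaryType": "rep:ACL", **aces}

# Constructed sample trees; principals and paths are hypothetical.
SOURCE = {"content": {"site": {
    "rep:policy": policy(allow=ace("rep:GrantACE", "authors", "jcr:read", "rep:write"),
                         deny=ace("rep:DenyACE", "everyone", "jcr:read")),
    "private": {"rep:policy": policy(deny=ace("rep:DenyACE", "authors", "jcr:all"))}}}}
DESTINATION = {"content": {"site": {
    "rep:policy": policy(allow=ace("rep:GrantACE", "authors", "jcr:read"),
                         deny=ace("rep:DenyACE", "everyone", "jcr:read")),
    "private": {}}}}
```

Calling acl_drift(SOURCE, DESTINATION) returns one entry per drifting path; order_only is true when both sides hold the same entries in a different order.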
11 Comments
Ravi KS
11/21/2013 01:43:19 pm
Excellent tools. It works fine without any errors :)
Reply
Chetan
7/13/2015 05:23:58 am
Hi,
Reply
Sunil Kumar Singh
11/8/2015 11:23:32 pm
I was trying to migrate users and permission from AEM6.0 to AEM6.1. While running the package I am getting the blank screen. Does this package require some changes to perform the same in AEM 6.0?
Reply
Hsufeng
11/9/2015 01:48:43 am
This tool was never tested on the new AEM6. If you ever successfully make this work for AEM6.0 in the future, please share your experience. Thanks!
Reply
Kevin Bell
11/17/2015 01:44:28 pm
It worked great on 5.6.1 sp2 with one exception: it did not bring in the properties First Name, Last Name and email address. Is there a way to capture those as well?
Reply
shekhar
3/8/2016 10:30:07 am
How do I add filters? I just do not want to export all the users and permissions. I just want to export our own company users and permissions. I have created an 'abc' node of type authorizableFolder in groups and users, and I have included groups and users of mine. How do I extract only my users and permissions? Could you please
Reply
shekhar
3/8/2016 10:57:56 am
Component that threw Exception: /apps/tools/components/createPackage/POST.jsp
Reply
Sunag
3/14/2016 03:38:50 am
Hi Samer,