It is common to have multiple CQ Publisher instances in different environments (DEV, QA, PROD, etc.). When you make user administration and security changes to users and groups on the production server, you may want to bring them down to the lower DEV and QA environments so they don't go out of sync. In such a scenario, you have to copy over both the user/group definitions and the permission definitions. This post shows you how to copy the users and groups you set up on one CQ instance (source CQ) to another instance (destination CQ), and how to bring over the permissions (resource-based ACLs) from the source CQ to the destination CQ.
Copy users and groups definition
To copy the users and groups definition from one CQ to another, we package the users/groups definition up on the source CQ, then install that package on the destination CQ. We simply use CQ's package capability to package up everything under /home, which holds the users/groups definition, with AC Handling set to 'overwrite.' The 'overwrite' access control handling tells JcrPackageDefinition to overwrite the ACLs in the destination CQ when the package is installed. When copying the users/groups definition over via package installation, we want the underlying ACLs to be copied over (overwritten) as well.
To create such a package, go to the source CQ and create a package named UsersGroups.zip with the following filter and AC Handling:
Copy permissions (ACLs) pertaining to all nodes
Policies that control how users and groups can access resources are saved in ACL nodes:
Resource-based ACLs are stored per resource/node in a special child rep:policy node. This one will have a list of rep:GrantACE child nodes (usually named allow, allow0,...) for grant access control entries and rep:DenyACE child nodes (usually named deny, deny0,...) for deny access control entries.
These ACLs, which contain the ACEs, are scattered all over the repository under content nodes. Unfortunately, the out-of-the-box package builder does not support extracting these nodes. Instead, we can use the 'create-package' tool developed by Yogesh Upadhyay, which creates a package based on an XPath query, to extract the ACL nodes:
Congratulations, you've just completed copying over users, groups, and security policies from one CQ to another.
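To confirm that the permissions really match after the install, here is an added example (not part of the original post or of the createPackage tool) that parses the rep:policy structure described above and reports the ACEs that differ between source and destination. It assumes each policy node is available as FileVault-style serialized XML with the rep: prefix bound to "internal"; both sample policies and their principal names are constructed.

```python
import re
import xml.etree.ElementTree as ET

JCR = "{http://www.jcp.org/jcr/1.0}"
REP = "{internal}"  # assumption: namespace URI the serialized file binds to rep:
ACE_TYPES = {"rep:GrantACE": "allow", "rep:DenyACE": "deny"}

# Constructed sample policies for one node (not from the page); the destination
# copy lacks the deny entry and the rep:write privilege.
SOURCE_POLICY = """<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
    jcr:primaryType="rep:ACL">
  <allow jcr:primaryType="rep:GrantACE" rep:principalName="content-authors"
         rep:privileges="{Name}[jcr:read,rep:write]"/>
  <deny0 jcr:primaryType="rep:DenyACE" rep:principalName="everyone"
         rep:privileges="{Name}[jcr:all]"/>
</jcr:root>"""
DEST_POLICY = """<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
    jcr:primaryType="rep:ACL">
  <allow jcr:primaryType="rep:GrantACE" rep:principalName="content-authors"
         rep:privileges="{Name}[jcr:read]"/>
</jcr:root>"""

def parse_aces(policy_xml):
    """Return (kind, principal, privileges) for each ACE, in document order."""
    root = ET.fromstring(policy_xml)
    if root.get(JCR + "primaryType") != "rep:ACL":
        raise ValueError("not a rep:ACL node")
    aces = []
    for child in root:
        kind = ACE_TYPES.get(child.get(JCR + "primaryType"))
        if kind is None:
            continue  # skip children that are neither grant nor deny entries
        raw = child.get(REP + "privileges", "")
        listed = re.search(r"\[(.*)\]", raw)  # multi-value form: {Name}[a,b]
        names = (listed.group(1) if listed else raw).split(",")
        privileges = frozenset(n.strip() for n in names if n.strip())
        aces.append((kind, child.get(REP + "principalName"), privileges))
    return aces

def diff_policies(source_xml, dest_xml):
    """Report ACEs present on only one side, and whether the lists are identical."""
    src, dst = parse_aces(source_xml), parse_aces(dest_xml)
    return {"missing_on_destination": [a for a in src if a not in dst],
            "only_on_destination": [a for a in dst if a not in src],
            "identical": src == dst}

if __name__ == "__main__":
    print(diff_policies(SOURCE_POLICY, DEST_POLICY))
```

An ACE whose privilege set changed shows up on both sides of the report, once with the source privileges and once with the destination privileges.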
The following code snippets are extracted from the POST.jsp file of createPackage by yogi1306 on SourceForge. In his code, he uses JcrPackageManager to create a package of the matched resources for download.
<%@include file="/libs/foundation/global.jsp"%> // 1
1. Declares the sling, cq and jstl taglibs and exposes the regularly used scripting objects (e.g. resourceResolver) defined by the <cq:defineObjects /> tag.
2. Searches for resources using the given query (e.g. /jcr:root//element(*,rep:ACL)) formulated in the "jcr xpath" language.
3. Returns a repository-based package manager.
4. Adds the matched resources to be packaged up to the filter of the package definition.
5. Assembles a package based on its definition. Generates the package under the repository's default location (/etc/packages/<package-group>/), where it is available for download through CQ Package Manager.
6. A button to download the package available in the CQ Package Manager.