
AC Tool removes group association with custom group on AEM 6.5

Open hiralketanshah opened this issue 5 years ago • 3 comments

Hello,

We’re using Netcentric AC Tool release 2.5.3 to manage custom permissions in our AEM 6.5 project. We recently ran into an issue where the group association with a custom group is getting removed automatically after the build. Steps to reproduce:

  1. Add a group media-agency in the yaml file and let the AC tool create it in AEM.
  2. Now, create a new group test-group directly in AEM and associate it to the media-agency.
  3. Now, deploy the code into AEM again, maybe with no changes at all. Just a simple deployment.

Expected result: media-agency will still be associated to test-group.

Actual result: media-agency is no longer associated to the test-group.

This isn't the same behaviour as group association with a user. Group association with a user will be persisted even after multiple deployments to the server. I tried adding keepExistingMembershipsForGroupNamesRegEx: .* into the yaml file as well, but it didn't work as expected.

Any insights on how I can make it work for group associations? Or is this a bug that needs to be addressed?

Thanks in advance. Regards, Hiral Shah

hiralketanshah avatar Nov 25 '20 16:11 hiralketanshah

This is expected and documented in https://github.com/Netcentric/accesscontroltool/blob/develop/docs/AdvancedFeatures.md#configure-unmanaged-aspects.

kwin avatar Nov 25 '20 19:11 kwin

@kwin Thanks for the link to the documentation. Does that mean that adding the below code in yaml files would allow the custom AEM group to inherit from ACTool managed groups?

    - group_config:
        defaultUnmanagedExternalIsMemberOfRegex: .*
        defaultUnmanagedExternalMembersRegex: .*

If yes, I did try the same on my local, but it didn't work. Also, this is not the case with Users. If an AEM user inherits from an ACTool managed group, then it will persist the same always, after deployment as well. Let me know if I am missing something.

hiralketanshah avatar Nov 25 '20 19:11 hiralketanshah

> Does that mean that adding the below code in yaml files would allow the custom AEM group to inherit from ACTool managed groups?
>
>     - group_config:
>         defaultUnmanagedExternalIsMemberOfRegex: .*
>         defaultUnmanagedExternalMembersRegex: .*

defaultUnmanaged* is not supported within group_config but only within global_config (https://github.com/Netcentric/accesscontroltool/blob/develop/docs/AdvancedFeatures.md#configure-memberships-oftowards-externally-managed-groups)

> Also, this is not the case with Users.

This is expected, citing from https://github.com/Netcentric/accesscontroltool/blob/develop/docs/AdvancedFeatures.md#configure-unmanaged-aspects

> relationships to groups and system users are removed - relationships to regular users are untouched (those are often assigned by user administrators, LDAP or SSO)

kwin avatar Nov 25 '20 20:11 kwin
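
The placement described in the last reply, as an added example that is not part of the original thread or the AC Tool project's own documentation. The media-agency display name and the test-.* pattern are constructed for illustration; only the key names and the global_config / group_config sections come from the thread.

```yaml
# Added example (not from the thread or the AC Tool docs).

# Placement tried in the thread, which the reply says is NOT supported:
# - group_config:
#     defaultUnmanagedExternalIsMemberOfRegex: .*
#     defaultUnmanagedExternalMembersRegex: .*

# Placement the reply points to: defaultUnmanaged* keys under global_config.
- global_config:
    # Constructed pattern (assumption): leave memberships alone only for
    # externally created groups whose names start with "test-", such as
    # test-group from the reproduction steps.
    defaultUnmanagedExternalMembersRegex: test-.*

# The group that the AC Tool itself creates and manages.
- group_config:
    - media-agency:
        - name: Media Agency   # constructed display name
```

A pattern of .* exempts every externally created membership from cleanup, so memberships added by hand in AEM are no longer reverted on deployment. A pattern scoped to the groups that are meant to be managed outside the configuration keeps that cleanup in place for everything else.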