Deploying ACLs with Netcentric accesscontroltool in AEM


This post focuses on deploying ACLs via the Netcentric AccessControlTool in AEM 6.5 and AEM as a Cloud Service.

Challenges faced

  • Issue 1: The latest project structure recommends deploying third-party packages via an embed statement. Although I was able to deploy “accesscontroltool-oakindex-package” via embed, “accesscontroltool-package” didn’t install.
    • Resolution: Use a sub-package for deployment of “accesscontroltool-package”. [No longer an issue with the latest version. Was able to install “accesscontroltool-oakindex-package” via embed]
  • Issue 2: We had created a separate module for ACL deployment. The module needs to be deployed only after “accesscontroltool-package” is installed. When using Cloud Manager, the acl module was deployed prior to deployment of any other maven module.
    • Resolution: Declare the dependency of the acl module on “accesscontroltool-package”. Also ensure that the cloudManagerTarget is set to none.
  • Issue 3: Custom user groups are created in AEM, but ACLs are missing.
    • Resolution: If the issue occurs only on the first installation of the maven project, check the order in which the modules are deployed. For example, if an ACL should be applied on a content path that is unavailable, the ACL set-up fails. In this case, the ACL module should be installed only after all necessary paths are available in AEM. So, either ui.content is deployed prior to the ACL module, or a repo-init script should be used to create the paths before installing the ACLs.

Code Snippets

The following configurations need to be added to several pom.xml files in the project structure. Adding the snippets to the appropriate pom.xml should resolve both the challenges mentioned above.

Step-1: Create a new maven module for deploying ACLs (let's call it the acl module)

  • Create a basic structure to hold the yaml files for setting up ACLs. Example: /apps/techrevel/acls/runmodes/groups.author. The ACL tool respects runmodes, so you should create the folders accordingly.
  • Include the path in filter.xml.
  • Add a config “biz.netcentric.cq.tools.actool.impl.AcInstallationServiceImpl.cfg.json” to the ui.config module. It defines the paths that the Netcentric tool scans for yaml files:
{
  "configurationRootPaths":[
       "/apps/techrevel/acl/runmodes/global.author",
       "/apps/techrevel/acl/global",
       "/apps/techrevel/acl/runmodes/group.author.dev"
  ]
}
  • Create yaml files to create groups and assign ACLs. Start with a very basic configuration.
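A pre-deployment check for the two path-related bullets above, added here as an example (it is not part of the original post or of the Netcentric tool): it reports every `configurationRootPaths` entry that no filter.xml root of the acl package covers, so the yaml files under it would never reach the repository. The function names and both sample inputs are constructed; the sample mixes `acls` and `acl` folders to show the kind of mismatch it catches, and it assumes plain root filters without include/exclude rules.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real project).
FILTER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<workspaceFilter version="1.0">
    <filter root="/apps/techrevel/acls"/>
</workspaceFilter>"""

AC_TOOL_CFG = """{
  "configurationRootPaths": [
    "/apps/techrevel/acl/runmodes/global.author",
    "/apps/techrevel/acl/global",
    "/apps/techrevel/acls/runmodes/groups.author"
  ]
}"""


def filter_roots(filter_xml: str) -> list[str]:
    """Return the root paths declared in a FileVault filter.xml."""
    tree = ET.fromstring(filter_xml)
    return [f.get("root").rstrip("/") for f in tree.iter("filter") if f.get("root")]


def is_covered(path: str, roots: list[str]) -> bool:
    """True if path equals a root or lies below it (per path segment, not by string prefix)."""
    return any(path == r or path.startswith(r + "/") for r in roots)


def uncovered_root_paths(filter_xml: str, cfg_json: str) -> list[str]:
    """Paths the AC Tool is told to scan that the acl package would never deploy."""
    roots = filter_roots(filter_xml)
    paths = json.loads(cfg_json).get("configurationRootPaths", [])
    return [p for p in paths if not is_covered(p.rstrip("/"), roots)]


if __name__ == "__main__":
    for p in uncovered_root_paths(FILTER_XML, AC_TOOL_CFG):
        print(f"not in filter.xml: {p}")
```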

Step-2: Configure “acl” module for deployment in parent pom.xml

Update the module section of parent pom to include the acl module.

<module>acl</module>

Step-3: Declare “Netcentric Accesscontroltool” dependency in project’s main pom.xml

<!-- Netcentric ACL Tool -->
<dependency>
    <groupId>biz.netcentric.cq.tools.accesscontroltool</groupId>
    <artifactId>accesscontroltool-package</artifactId>
    <!-- classifier used for AEM as a Cloud Service instance. Leave out for On-premise -->
    <classifier>cloud</classifier>
    <type>content-package</type>
    <version>3.0.9</version>
</dependency>
<!-- Oak Index for Netcentric ACL Tool -->
<dependency>
    <groupId>biz.netcentric.cq.tools.accesscontroltool</groupId>
    <artifactId>accesscontroltool-oakindex-package</artifactId>
    <type>zip</type>
    <!-- classifier used for AEM as a Cloud Service instance. Leave out for On-premise -->
    <classifier>cloud</classifier>
    <version>3.0.9</version>
</dependency>

Step-4: Embed “Netcentric Accesscontroltool” + ACL module for deployment via “all” module

Add the following snippets in relevant sections of all module’s pom.xml

<!-- Declare the embedded in the corresponding section -->
<!-- Netcentric ACL Tool -->
<embedded>
    <groupId>biz.netcentric.cq.tools.accesscontroltool</groupId>
    <artifactId>accesscontroltool-package</artifactId>
    <!-- classifier used for AEM as a Cloud Service instance -->
    <classifier>cloud</classifier>
    <type>content-package</type>
    <target>/apps/techrevel-vendor-packages/application/install</target>
</embedded>
<embedded>
    <groupId>biz.netcentric.cq.tools.accesscontroltool</groupId>
    <artifactId>accesscontroltool-oakindex-package</artifactId>
    <type>zip</type>
    <!-- classifier used for AEM as a Cloud Service instance -->
    <classifier>cloud</classifier>
    <target>/apps/techrevel-vendor-packages/application/install</target>
</embedded>
<dependency>
    <groupId>com.techrevel</groupId>
    <artifactId>techrevel.acl</artifactId>
    <version>${project.version}</version>
    <type>zip</type>
</dependency>
<!-- Declare the dependencies in the corresponding section -->
<!-- Netcentric ACL Tool -->
<dependency>
    <groupId>biz.netcentric.cq.tools.accesscontroltool</groupId>
    <artifactId>accesscontroltool-package</artifactId>
    <!-- classifier used for AEM as a Cloud Service instance -->
    <classifier>cloud</classifier>
    <type>content-package</type>
</dependency>
<!-- Oak Index for Netcentric ACL Tool -->
<dependency>
    <groupId>biz.netcentric.cq.tools.accesscontroltool</groupId>
    <artifactId>accesscontroltool-oakindex-package</artifactId>
    <!-- classifier used for AEM as a Cloud Service instance -->
    <classifier>cloud</classifier>
    <type>zip</type>
</dependency>
<dependency>
    <groupId>com.techrevel</groupId>
    <artifactId>techrevel.acl</artifactId>
    <version>3.0.9</version>
    <type>zip</type>
</dependency>

Step-5: Declare the “Netcentric Accesscontroltool” + “ui.apps.structure” dependency in acl module

This step ensures that the acl module is installed after accesscontroltool-package, so the install hook needed by the acl module is available. Add the following snippets to the relevant sections of the “acl” module’s pom.xml.

Also, configure cloudManagerTarget as none. This ensures that the acl module is installed via the all module and not separately. Refer to the link for details.

<!-- ====================================================================== -->
<!-- B U I L D   D E F I N I T I O N -->
<!-- ====================================================================== -->
<build>
    <plugins>
        <plugin>
            <groupId>org.apache.jackrabbit</groupId>
            <artifactId>filevault-package-maven-plugin</artifactId>
            <configuration>
                <repositoryStructurePackages>
                    <repositoryStructurePackage>
                        <groupId>com.techrevel</groupId>
                        <artifactId>techrevel.ui.apps.structure</artifactId>
                    </repositoryStructurePackage>
                </repositoryStructurePackages>
                <properties>
                    <cloudManagerTarget>none</cloudManagerTarget>
                    <!-- declare the install hook also for cloud to ease local development with the AEM SDK (when installed in the actual cloud service the startup hook is used automatically instead, even with this configuration) -->
                    <installhook.actool.class>biz.netcentric.cq.tools.actool.installhook.AcToolInstallHook</installhook.actool.class>
                </properties>
                <!-- package type mixed is required due to the install hook -->
                <packageType>mixed</packageType>
                <dependencies>
                    <dependency>
                        <groupId>biz.netcentric.cq.tools.accesscontroltool</groupId>
                        <artifactId>accesscontroltool-package</artifactId>
                        <classifier>cloud</classifier>
                    </dependency>
                </dependencies>
            </configuration>
        </plugin>
        <plugin>
            <groupId>com.day.jcr.vault</groupId>
            <artifactId>content-package-maven-plugin</artifactId>
            <configuration>
                <verbose>true</verbose>
                <failOnError>true</failOnError>
            </configuration>
        </plugin>
    </plugins>
</build>
<dependencies>
    <dependency>
        <groupId>com.techrevel</groupId>
        <artifactId>techrevel.ui.apps.structure</artifactId>
        <version>${project.version}</version>
        <type>zip</type>
    </dependency>
    <!-- Netcentric ACL Tool -->
    <dependency>
        <groupId>biz.netcentric.cq.tools.accesscontroltool</groupId>
        <artifactId>accesscontroltool-package</artifactId>
        <classifier>cloud</classifier>
        <type>content-package</type>
    </dependency>
    <!-- Oak Index for Netcentric ACL Tool -->
    <dependency>
        <groupId>biz.netcentric.cq.tools.accesscontroltool</groupId>
        <artifactId>accesscontroltool-oakindex-package</artifactId>
        <classifier>cloud</classifier>
        <type>zip</type>
    </dependency>
</dependencies>
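A build-time check for the ordering settings from Step-5, added here as an example (not code from the original post or the project): it parses the acl module's pom.xml and lists which of the three settings the step relies on are absent. The function name and the sample pom are constructed, and the pom is assumed to use the standard Maven POM namespace.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
ACTOOL = "accesscontroltool-package"

# Constructed, trimmed acl-module pom: cloudManagerTarget is missing on purpose.
ACL_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><plugins><plugin>
    <artifactId>filevault-package-maven-plugin</artifactId>
    <configuration>
      <packageType>mixed</packageType>
      <dependencies>
        <dependency>
          <groupId>biz.netcentric.cq.tools.accesscontroltool</groupId>
          <artifactId>accesscontroltool-package</artifactId>
        </dependency>
      </dependencies>
    </configuration>
  </plugin></plugins></build>
</project>"""


def acl_pom_findings(pom_xml: str) -> list[str]:
    """Return the ordering-related settings missing from the acl module's pom."""
    cfg = None
    for plugin in ET.fromstring(pom_xml).iterfind(".//m:plugin", NS):
        if plugin.findtext("m:artifactId", "", NS) == "filevault-package-maven-plugin":
            cfg = plugin.find("m:configuration", NS)
    if cfg is None:
        return ["filevault-package-maven-plugin configuration not found"]
    findings = []
    # Without this property Cloud Manager deploys the module on its own.
    if cfg.findtext("m:properties/m:cloudManagerTarget", "", NS).strip() != "none":
        findings.append("cloudManagerTarget is not 'none'")
    # The package dependency makes the AC Tool package install first.
    deps = [d.findtext("m:artifactId", "", NS)
            for d in cfg.iterfind("m:dependencies/m:dependency", NS)]
    if ACTOOL not in deps:
        findings.append(f"no package dependency on {ACTOOL}")
    # The page states that the install hook requires packageType 'mixed'.
    if cfg.findtext("m:packageType", "", NS).strip() != "mixed":
        findings.append("packageType is not 'mixed'")
    return findings


if __name__ == "__main__":
    print(acl_pom_findings(ACL_POM))
```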

Notes:

  • Always keep a buffer for surprises when deploying to AEM as a Cloud Service.
    • As you are not allowed to install immutable content manually, the order of the packages is very important. So, even if everything looks fine locally, you might see surprises on Cloud.
    • To simulate Cloud deployments, deploy the “all” package, not individual modules.
  • To set permissions in /libs, use repo-init scripts.

3 thoughts on “Deploying ACLs with Netcentric accesscontroltool in AEM”

  1. Nice step-by-step information. I use archetype 25. The newest archetype has a new module “analyse”. Deployment on local works fine, but on AaaCS it failed.

    Project Analyser …………….. FAILURE [ 0.017 s]
    The following artifacts could not be resolved: biz.netcentric.cq.tools.accesscontroltool:accesscontroltool-package:content-package:2.7.1

    Any idea?
