5 Replies Latest reply on May 3, 2013 2:48 PM by Sham HC

    Is it possible to "un deny" permissions to a node?

    hdwu Level 1

      I realize the best practice is to always use Allow and avoid Deny due to having little control over the order in which the Allow/Deny statements are implemented and evaluated.

       

      We mistakenly Allowed access to a particular node, and merely want to remove the Allow statement, but this action produces a 'Deny' statement. Is there any way for me to go back to a blank box with no declared entry?

        • 1. Re: Is it possible to "un deny" permissions to a node?
          Sham HC Level 7

          Hi hdwu,

           

          When you provided the allow access cq creates an allow privelage under rep:policy node. When you deny it removes the allow privelage created in step one & does not create a deny privellage.   So you can go to useradmin and safely remove the permission.  Are you seeing a different behaviour?

           

          Thanks,

          Sham

          • 2. Re: Is it possible to "un deny" permissions to a node?
            hdwu Level 1

            Yes... here's the situation:

             

            User X is a member of both Group A and Group B

             

            Group A previously had Read/Modify/Create/Delete/Replicate to Node XYZ; permissions have been modified for this node so they are now only allowed Read access for Node XX. When I look at the Permissions Tab in the Security Console, Node XYZ has * next to the empty boxes for Modify/Create/Delete/Replicate:

            deny.png

             

            Group B has ALLOW for Read/Modify/Create/Delete/Replicate to Node XYZ.

             

            When User X is a member of both groups, the lower Group B permissions are trumping, and the user is unable to modify the content in node XYZ.

            If I remove User X from Group A, they can edit the content in node XYZ.

             

            When you say 'So you can go to useradmin and safely remove the permission', is 'useradmin' the Security Console? Or is there some other back door where I can remove the DENY statement?

            • 3. Re: Is it possible to "un deny" permissions to a node?
              Sham HC Level 7

              Hi hdwu,

               

                 Take a look at the evaluation [1] & then change permission accordingly.

               

              [1]    http://dev.day.com/docs/en/cq/current/administering/security.html#Access Control Lists and how they are evaluated

               

              Thanks,

              Sham

              @adobe_sham

              1 person found this helpful
              • 4. Re: Is it possible to "un deny" permissions to a node?
                hdwu Level 1

                Thanks for the link- it's nice to know the order in which the nodes are evaluated.

                 

                Does this mean that the access 'trumping' that I'm experiencing is due to Group B having a page lower in the hierarchy (and thus applied first), and NOT because I applied 'ALLOW' permissions to a particular node and then 'DENY'?

                 

                If so, are there any tricks to get around this when a user needs to be in multiple groups?

                • 5. Re: Is it possible to "un deny" permissions to a node?
                  Sham HC Level 7

                  Hi hdwu,

                   

                  Your understand is right that the Deny statements from one group canceled the Allow statement from another group.

                  Sorry, short of trick to help you since there is a little control over the order. 

                   

                  Thanks,

                  Sham

                  @adobe_sham