1 year ago

#373573

Lee Daniels

How can I restrict AEM users to view and start specific workflow instances using AC Tool rep:glob in .yaml files?

I have the Netcentric accesscontroltool deployed on my AEM instance, and we are using it to set permissions for specific users to access specific workflow models and instances. While this is working correctly for models, I am having trouble allowing a user to only be able to start an instance of one specific model (Email Campaign Workflow). Here is my .yaml code (I already have workflow permissions set on the /etc, /libs, /var, and /conf parent folders, so I'm excluding those and showing only the relevant paths):

```yaml
# Model node under /var: no effective glob (YAML null here, which is not the
# same as the empty string "" that Oak reads as "this node only").
# Note: the privilege was written as jcr:lockManagemenet in the original;
# the Oak privilege is jcr:lockManagement.
- path: /var/workflow/models/email-campaign
  permission: allow
  actions:
  privileges: jcr:read,jcr:lockManagement,jcr:versionManagement,rep:write
  restrictions:
    rep:glob: null

# Same grant on the model definition under /conf.
- path: /conf/global/settings/workflow/models/email-campaign
  permission: allow
  actions:
  privileges: jcr:read,jcr:lockManagement,jcr:versionManagement,rep:write
  restrictions:
    rep:glob: null

# Empty string: applies to /var/workflow/instances itself, not to its descendants.
- path: /var/workflow/instances
  permission: allow
  actions:
  privileges: jcr:read,jcr:lockManagement,jcr:versionManagement,rep:write
  restrictions:
    rep:glob: ""

# Wildcard globs; in Oak's rep:glob a "*" matches any character sequence,
# including "/".
- path: /var/workflow/instances
  permission: allow
  actions:
  privileges: jcr:read,jcr:lockManagement,jcr:versionManagement,rep:write
  restrictions:
    rep:glob: /*/

- path: /var/workflow/instances
  permission: allow
  actions:
  privileges: jcr:read,jcr:lockManagement,jcr:versionManagement,rep:write
  restrictions:
    rep:glob: /*/*/

- path: /var/workflow/instances
  permission: allow
  actions:
  privileges: jcr:read,jcr:lockManagement,jcr:versionManagement,rep:write
  restrictions:
    rep:glob: /*/*/*/

# Instance nodes whose name starts with email-campaign-workflow.
- path: /var/workflow/instances
  permission: allow
  actions:
  privileges: jcr:read,jcr:lockManagement,jcr:versionManagement,rep:write
  restrictions:
    rep:glob: /*/*/email-campaign-workflow*
```

I'm able to see the specific instances in /libs/cq/workflow/admin/console/content/instances.html and in /libs/cq/workflow/admin/console/content/models.html, but when I try to start an instance of this workflow, I'm getting the following error in my Network tab in the console:

[Screenshots of the Network tab error are not reproduced here.]

I'm pretty new at rep:glob restrictions, so if anyone could please let me know which extra permissions to add, that would be awesome.

permissions

yaml

workflow

aem

acl

0 Answers
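Before chasing rep:glob semantics it is worth checking the ACE list itself. The script below is an added example (written for this page, not part of the question or of the AC Tool project) that lints an ACE list of the shape posted above for two things: privilege names that Oak does not register (the post's `jcr:lockManagemenet`) and a `rep:glob` given as YAML `null`, which is neither the empty string Oak treats as "this node only" nor an absent restriction. The parser handles only the flat `- path:` / `restrictions:` subset used in the question so the example runs without PyYAML; the privilege list is Oak's default set plus AEM's `crx:replicate`, and the sample input is constructed.

```python
"""Lint an AC Tool ACE list (added example, not AC Tool's own code) for
misspelled privilege names and ambiguous rep:glob values."""
import difflib

# Privileges registered by default in Oak, plus AEM's crx:replicate.
KNOWN_PRIVILEGES = frozenset({
    "jcr:read", "jcr:modifyProperties", "jcr:addChildNodes", "jcr:removeNode",
    "jcr:removeChildNodes", "jcr:write", "jcr:readAccessControl",
    "jcr:modifyAccessControl", "jcr:lockManagement", "jcr:versionManagement",
    "jcr:nodeTypeManagement", "jcr:retentionManagement",
    "jcr:lifecycleManagement", "jcr:workspaceManagement",
    "jcr:nodeTypeDefinitionManagement", "jcr:namespaceManagement", "jcr:all",
    "rep:write", "rep:privilegeManagement", "rep:userManagement",
    "rep:readNodes", "rep:readProperties", "rep:addProperties",
    "rep:alterProperties", "rep:removeProperties",
    "rep:indexDefinitionManagement", "crx:replicate",
})

# Constructed sample in the shape of the question's YAML, trimmed to three
# entries; the privilege typo is kept so the lint has something to report.
SAMPLE_YAML = """\
- path: /var/workflow/models/email-campaign
  permission: allow
  actions:
  privileges: jcr:read,jcr:lockManagemenet,jcr:versionManagement,rep:write
  restrictions:
    rep:glob: null

- path: /var/workflow/instances
  permission: allow
  privileges: jcr:read,rep:write
  restrictions:
    rep:glob: ""

- path: /var/workflow/instances
  permission: allow
  privileges: jcr:read,rep:write
  restrictions:
    rep:glob: /*/*/email-campaign-workflow*
"""


def _scalar(raw):
    """Minimal YAML scalar handling: null/~/empty -> None, quotes stripped."""
    raw = raw.strip()
    if raw in ("", "null", "~"):
        return None
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    return raw


def parse_aces(text):
    """Parse the flat 'key: value' list format used in the question.

    Deliberately tiny so the example has no PyYAML dependency: a list of
    '- path:' entries, each with an optional nested 'restrictions:' map.
    """
    aces, current, entry_indent, in_restrictions = [], None, 0, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        body = line.strip()
        if body.startswith("- "):                  # start of a new ACE
            current, in_restrictions = {"restrictions": {}}, False
            aces.append(current)
            body, indent = body[2:], indent + 2
            entry_indent = indent
        if current is None:
            raise ValueError("key outside of a list entry: " + line)
        key, sep, value = body.partition(": ")
        if not sep:                                # bare 'key:' with no value
            key, value = body.rstrip(":"), ""
        if in_restrictions and indent > entry_indent:
            current["restrictions"][key] = _scalar(value)
            continue
        in_restrictions = key == "restrictions"
        if not in_restrictions:
            current[key] = _scalar(value)
    return aces


def lint(aces):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for idx, ace in enumerate(aces):
        where = "ACE %d (%s)" % (idx, ace.get("path"))
        for priv in (ace.get("privileges") or "").split(","):
            priv = priv.strip()
            if priv and priv not in KNOWN_PRIVILEGES:
                close = difflib.get_close_matches(priv, sorted(KNOWN_PRIVILEGES), n=1)
                hint = " (did you mean %s?)" % close[0] if close else ""
                findings.append("%s: unknown privilege '%s'%s" % (where, priv, hint))
        restrictions = ace.get("restrictions", {})
        if "rep:glob" in restrictions and restrictions["rep:glob"] is None:
            findings.append(
                "%s: rep:glob is YAML null, which is neither '' (node itself "
                "only) nor an absent restriction (whole subtree); make the "
                "intent explicit" % where)
    return findings


if __name__ == "__main__":
    for finding in lint(parse_aces(SAMPLE_YAML)):
        print(finding)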
