Adobe Experience Manager (AEM) 6.3 ships out with new Closed User Group (CUG) implementation. The new implementation is based on Apache Jackrabbit OAK module named oak-authorization-cug.
The new implementation provides authorization to view content for specific principals with read access to the target node and its subtree, without interfering with other access control lists’ (ACL) permission on the node. What this really means is, in the Authoring environment, we will need to protect a folder tree that has restricted ACLs with certain privileges like read and write. In Publish environment, we don’t need similar ACLs and can provide a tree with authorization to specific principals only, only those principals will be able to view content.
oak-authorization-cug is implemented as pluggable module, and it can be configured through “Apache Jackrabbit Oak CUG Configuration” via AEM Web Console Configuration Manager.
By default, in AEM 6.3 authoring instance, this is disabled. In the publish instance, “CUG Evaluation Enabled” checkbox is checked by default.
CUG Repository Implementation
Prior to AEM 6.3, when CUG is applied on the page, the principal has been added on the content node as shown below.
With AEM 6.3 onwards, CUG is applied as an extension with CugPolicy, which extends PrincipalSetPolicy and JackrabbitAccessControlPolicy. When you apply CUG on a page in the repository, it creates a separate node under the page primary type of rep:CugPolicy with principal name as attribute. This is illustrated below.
CugPolicy includes specific privileges like jcr:read, rep:readProperties and rep:readNodes. In the above example, principal hiking-member will have read access to /content/we-retail/men. Other principals will not have access to “men” page.
Note: Future version of AEM will not support old CUG support, so it is time to use the new CUG implementation.
Backward Compatibility
After seeing the change in implementation for CUG in AEM 6.3, now the question arises regarding backward compatibility for the content migrated from older versions of AEM.
To use the new CUG implementation, we need to change the old CUG applied on the pages. Is it possible to manually go over each page and re-apply CUGs?
AEM 6.3 comes with a CUG Migration tool in the Adobe Experience Manager Web Console. You can find the tool through the following url: http://localhost:4502/system/console/cug-migration
Once you navigate to the migration tool page, you can run the migration process as follows.
- Provide the content page under which you need to convert all pages with the old CUG implementation. Then click on the “Perform dry run” button. The dry run will show the list of pages that have the old CUG implementation. See the below image.
- Next step is to run the actual migration. Click on the “Perform Migration” button. Once the migration completes, it shows the paths of the page and status as migrated. See below image.
To learn more, here are a couple of links on CUG in AEM 6.3: