Keeping permissions in sync across environments is an issue for most organizations. In AEM, you can export permissions using packages, but this becomes a tedious process if you need to do it on a regular basis.
I won’t say that the AC Tool solves the problem completely but it’s a good place to start. In future posts, I will tell you how to extend the functionality to give you more control over what you need for your specific organization.
What this tool does give you is a way to retrieve your permission information from your environments in the form of YAML files. It also provides an installation hook to deploy your YAML files to environments based on runmodes. This means that you can keep permissions for all of your environments in one code repository, and the tool will deploy only the relevant permissions to the targeted environments with the matching runmodes.
This is already a huge step forward from the manual process.
There are two packages you will need for installation. The first is the AC Tool package, the second is the Oak index file for the same version. Though the index file is optional, it’s recommended for those who have a large number of groups. Personally, I don’t see a reason for not installing it either way.
One thing you want to keep in mind is that you should install the package only once per environment. This means you do not want to make it a part of your regular code deployment, as that can cause issues with your deployments.
Creating YAML Files
Once you have the packages installed you can access the tool in two ways, either through the JMX console or through the tools navigation in AEM Tools Console.
Using the Netcentric Dashboard, you can pull the latest dump file or upload a package with your YAML files for testing.
Once you have your files retrieved and modified for import, you can deploy them to your environment. Remember, this is runmode-based, so make sure your runmodes are valid for the environment you’re targeting. If you are only deploying to a single environment, you don’t have to use runmodes.
To deploy, you can create a Maven project that packages your YAML file structure. If you add the Netcentric hook, it will automatically take effect. If you would rather double-check things, leave out the hook and use the “Apply” feature in the Netcentric Dashboard for your changes to take effect. Remember to put in the path to your YAML files before you try to apply the updates.
This configuration will deploy only to environments with an author and a localdev run mode.
Once you have deployed your files, you can check the logs to see if it successfully updated the permissions you expected. If you aren’t seeing anything in the logs, you may want to check the package installation to make sure it was successful. If there are any errors in the YAML files, it will create an error and stop the installation.
- Whenever possible, don’t redeploy OOTB system users or groups. There’s really no need to unless you’re using them for a specific reason.
- Don’t create new users other than test users or system users.
- Do use this tool for removing obsolete users and groups. This way you can remove them from all environments consistently.
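As an added illustration (not taken from the original post or from the AC Tool project's own examples), here is the general shape of an AC Tool YAML file that defines two groups, grants them least-privilege ACEs, and removes an obsolete group. The group names, content paths and the folder name `config.author.localdev` are hypothetical.

```yaml
# Constructed example; group names and content paths are hypothetical.
# Assumed location: a folder named config.author.localdev/ inside the package,
# so the file applies only where both the author and localdev run modes are active.

- group_config:

    - myproject-authors:
       - name: My Project Authors
         path: /home/groups/myproject

    - myproject-reviewers:
       - name: My Project Reviewers
         path: /home/groups/myproject

- ace_config:

    # Authors may edit project content, but get no ACL or replication rights.
    - myproject-authors:
       - path: /content/myproject
         permission: allow
         actions: read,modify,create,delete

    # Reviewers are read-only.
    - myproject-reviewers:
       - path: /content/myproject
         permission: allow
         actions: read

# Authorizables listed here are removed wherever this file is applied,
# which keeps the cleanup consistent across environments.
- obsolete_authorizables:
    - myproject-legacy-editors
```

Keeping a file like this in version control also gives you a reviewable history of every permission change before it reaches an environment.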
You can find more information on the AC Tool, including example files, on their GitHub website.
Installation package files and Oak index files are managed in Maven, which can be found here:
Have you found a better way of addressing the need to keep permissions in sync? If so, I would love to hear about it!