How to Generate Access Control Tool (AC Tool) files with CONGA

Problem

When you use the Access Control Tool to manage the groups and ACLs on your AEM instance, you may need to generate the corresponding YAML files with CONGA when their content depends on your environments, roles and configuration.

Solution

It is possible to generate an AEM package that contains one or more YAML files with AC Tool configuration. As there is no CONGA post processor for AC Tool YAML files, this has to be done in multiple steps.

Example file declarations within the CONGA role file. This generates two YAML files, includes them in one AEM content package and deletes the intermediate files afterwards:

# AEM Communities Permissions for Author and Publish - using Access Control Tool YAML file
- file: myproject-aem-communities-permissions-author.yaml
  dir: packages
  template: myproject-aem-communities-permissions-author.yaml.hbs
- file: myproject-aem-communities-permissions-publish.yaml
  dir: packages
  template: myproject-aem-communities-permissions-publish.yaml.hbs
- file: myproject-aem-communities-permissions.json
  dir: packages
  template: myproject-aem-communities-permissions.json.hbs
  postProcessors:
  - aem-contentpackage
  postProcessorOptions:
    contentPackage:
      name: myproject-aem-communities-permissions
      rootPath: /apps/myproject/communities-permissions
      files:
      - path: /apps/myproject/communities-permissions/permissions.author/permissions.yaml
        file: myproject-aem-communities-permissions-author.yaml
        dir: packages
        delete: true
      - path: /apps/myproject/communities-permissions/permissions.publish/permissions.yaml
        file: myproject-aem-communities-permissions-publish.yaml
        dir: packages
        delete: true
      properties:
        installhook.actool.class: biz.netcentric.cq.tools.actool.installhook.AcToolInstallHook

Example myproject-aem-communities-permissions-author.yaml:

- group_config:

  # everyone is a built-in group that exists already at the given path
  - everyone:
    - path: /home/groups/e/everyone
      # everything outside the given paths should not be managed by the AC Tool
      unmanagedAcePathsRegex: ^(?!(/libs/social/console/content/sites|/libs/cq/core/content/nav/communities/sites)).*$

- ace_config:

  # Deny access to Community Site Wizard for everyone (except admins)
  - everyone:
    - path: /libs/social/console/content/sites
      permission: deny
      privileges: jcr:all
    - path: /libs/cq/core/content/nav/communities/sites
      permission: deny
      privileges: jcr:all

Example myproject-aem-communities-permissions-publish.yaml:

- user_config:

{{#if communities.usersync.enabled}}
  # Create user 'usersync-admin'
  - usersync-admin:
    - name: {{communities.usersync.adminUser}}
      isMemberOf: administrators
      password: "{{aemCryptoEncrypt communities.usersync.adminPassword ignoreMissingKey=true}}"
      path: cug
{{/if}}

- ace_config:

{{#if communities.usersync.enabled}}
  # Set ACLs for user 'usersync-admin'
  - usersync-admin:
    - path: /home
      permission: allow
      privileges: jcr:all
      repGlob: "*/activities/*"
{{/if}}

Example myproject-aem-communities-permissions.json:

{
  "jcr:primaryType": "sling:Folder"
}
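Because the ACE paths and the unmanagedAcePathsRegex of the author file above are maintained by hand, it is easy for them to drift apart: an ACE defined at a path that the regex declares unmanaged is inconsistent, as is an ACE for a principal the file never declares. The following check is an added example (not part of this page, CONGA or AC Tool); it assumes the generated YAML has been loaded with PyYAML into the list-of-sections structure shown, which is embedded here as a constructed Python literal mirroring the author file:

```python
import re

# Constructed Python equivalent of the author YAML above (as PyYAML would load it); added example.
AUTHOR_CONFIG = [
    {"group_config": [
        {"everyone": [{
            "path": "/home/groups/e/everyone",
            "unmanagedAcePathsRegex":
                r"^(?!(/libs/social/console/content/sites|/libs/cq/core/content/nav/communities/sites)).*$",
        }]},
    ]},
    {"ace_config": [
        {"everyone": [
            {"path": "/libs/social/console/content/sites", "permission": "deny", "privileges": "jcr:all"},
            {"path": "/libs/cq/core/content/nav/communities/sites", "permission": "deny", "privileges": "jcr:all"},
        ]},
    ]},
]


def _section(config, name):
    """Merge every '<name>:' block into {principal: [entries]}; AC Tool files are a list of sections."""
    merged = {}
    for section in config:
        for principal_block in section.get(name) or []:
            for principal, entries in principal_block.items():
                merged.setdefault(principal, []).extend(entries or [])
    return merged


def check_actool_config(config):
    """Return a list of findings; an empty list means the file is self-consistent."""
    findings = []
    groups = _section(config, "group_config")
    users = _section(config, "user_config")
    for principal, aces in _section(config, "ace_config").items():
        if principal not in groups and principal not in users:
            findings.append(f"{principal}: ACEs defined but principal not declared in group_config/user_config")
        # Each ACE path must lie inside the managed scope, i.e. must NOT match unmanagedAcePathsRegex.
        for entry in groups.get(principal, []) + users.get(principal, []):
            pattern = entry.get("unmanagedAcePathsRegex")
            if not pattern:
                continue
            try:
                regex = re.compile(pattern)
            except re.error as exc:
                findings.append(f"{principal}: invalid unmanagedAcePathsRegex ({exc})")
                continue
            for ace in aces:
                if regex.match(ace.get("path", "")):
                    findings.append(f"{principal}: ACE at {ace['path']} is excluded by unmanagedAcePathsRegex")
    return findings
```

Running `check_actool_config(yaml.safe_load(open("myproject-aem-communities-permissions-author.yaml")))` on the generated file before the content package is built reports any such mismatch; for the author file above it returns an empty list.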

To deploy the AC Tool itself with CONGA, add these lines to your CONGA role file (before the content package with the YAML files):

# Netcentric AC Tool (version defined in POM)
- url: mvn:biz.netcentric.cq.tools.accesscontroltool/accesscontroltool-package//zip
  dir: packages