How to Generate Access Control Tool (AC Tool) files with CONGA
Problem
When you use the Access Control Tool to manage the groups and ACLs on your AEM instance, you may need to generate the corresponding YAML files with CONGA when their content depends on your environments, roles and configuration.
Solution
It is possible to generate an AEM package that contains one or multiple YAML files containing configurations for AC Tool. As there is no CONGA post processor for AC Tool YAML files, the package has to be generated in multiple steps.
Example for the file declarations within the CONGA role file - this generates two YAML files, includes them in one AEM content package, and deletes the intermediate files afterwards:
    # AEM Communities Permissions for Author and Publish - using Access Control Tool YAML file
    - file: myproject-aem-communities-permissions-author.yaml
      dir: packages
      template: myproject-aem-communities-permissions-author.yaml.hbs
    - file: myproject-aem-communities-permissions-publish.yaml
      dir: packages
      template: myproject-aem-communities-permissions-publish.yaml.hbs
    - file: myproject-aem-communities-permissions.json
      dir: packages
      template: myproject-aem-communities-permissions.json.hbs
      postProcessors:
      - aem-contentpackage
      postProcessorOptions:
        contentPackage:
          name: myproject-aem-communities-permissions
          rootPath: /apps/myproject/communities-permissions
          files:
          - path: /apps/myproject/communities-permissions/permissions.author/permissions.yaml
            file: myproject-aem-communities-permissions-author.yaml
            dir: packages
            delete: true
          - path: /apps/myproject/communities-permissions/permissions.publish/permissions.yaml
            file: myproject-aem-communities-permissions-publish.yaml
            dir: packages
            delete: true
          properties:
            installhook.actool.class: biz.netcentric.cq.tools.actool.installhook.AcToolInstallHook
Example myproject-aem-communities-permissions-author.yaml:
    - group_config:

      # everyone is a built-in group that exists already at the given path
      - everyone:
        - path: /home/groups/e/everyone
          # everything outside the given paths should not be managed by the ac tool
          unmanagedAcePathsRegex: ^(?!(/libs/social/console/content/sites|/libs/cq/core/content/nav/communities/sites)).*$

    - ace_config:

      # Deny access to Community Site Wizard for everyone (except admins)
      - everyone:
        - path: /libs/social/console/content/sites
          permission: deny
          privileges: jcr:all
        - path: /libs/cq/core/content/nav/communities/sites
          permission: deny
          privileges: jcr:all
Example myproject-aem-communities-permissions-publish.yaml:
    - user_config:

    {{#if communities.usersync.enabled}}
      # Create user 'usersync-admin'
      - usersync-admin:
        - name: {{communities.usersync.adminUser}}
          isMemberOf: administrators
          password: "{{aemCryptoEncrypt communities.usersync.adminPassword ignoreMissingKey=true}}"
          path: cug
    {{/if}}

    - ace_config:

    {{#if communities.usersync.enabled}}
      # Set ACLS for user 'usersync-admin'
      - usersync-admin:
        - path: /home
          permission: allow
          privileges: jcr:all
          repGlob: "*/activities/*"
    {{/if}}
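A check for the rendered user_config before it is packaged, as an added example that is not part of the original page or of CONGA or the AC Tool: it flags passwords in generated AC Tool YAML that are not in the {hex} form of an AEM crypto-encrypted value. It assumes that with ignoreMissingKey=true a missing crypto key leaves the password unencrypted; the function name and the sample users and values are hypothetical.

```python
import re

# Assumption: AEM Crypto Support output is a hex string wrapped in curly braces.
ENCRYPTED = re.compile(r"^\{[0-9a-fA-F]+\}$")
# "key: value" with an optional leading list dash, as used in AC Tool YAML.
KEY_VALUE = re.compile(r"^\s*(-\s+)?([\w.-]+):\s*(.*?)\s*$")


def find_password_issues(rendered_yaml):
    """Return (line_no, user, reason) for every password that is not encrypted."""
    issues = []
    section = user = None
    for line_no, line in enumerate(rendered_yaml.splitlines(), 1):
        match = KEY_VALUE.match(line)
        if line.lstrip().startswith("#") or not match:
            continue
        dash, key, value = match.groups()
        value = value.strip("\"'")
        if dash and not value:
            # "- user_config:" opens a section, "- usersync-admin:" opens an entry
            if key.endswith("_config"):
                section, user = key, None
            else:
                user = key
        elif key == "password" and section == "user_config":
            if "{{" in value:
                issues.append((line_no, user, "unrendered template expression"))
            elif not ENCRYPTED.match(value):
                issues.append((line_no, user, "plaintext password"))
    return issues


# Constructed sample of rendered output; user names and values are made up.
SAMPLE = """\
- user_config:
  - usersync-admin:
    - name: usersync-admin
      isMemberOf: administrators
      password: "{5a1c9e0b7d3f42a68c0e9b1d4f7a2c35}"
      path: cug
  - replication-receiver:
    - name: replication-receiver
      password: "Sup3rSecret"
      path: cug
"""

if __name__ == "__main__":
    for line_no, user, reason in find_password_issues(SAMPLE):
        print(f"line {line_no}: {user}: {reason}")
```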
Example myproject-aem-communities-permissions.json:
    {
      "jcr:primaryType": "sling:Folder"
    }
To deploy the AC Tool itself with CONGA add these lines to your CONGA role file (before the content package with the YAML files):
    # Netcentric AC Tool (version defined in POM)
    - url: mvn:biz.netcentric.cq.tools.accesscontroltool/accesscontroltool-package//zip
      dir: packages