Migrating AEM Users Groups & ACLs

There are a dozen posts about migrating users and groups for AEM, and I have not found one that was fully correct yet. If you are finding the same, hopefully this will help.

Start with ACLs and follow the generic directions here:
https://helpx.adobe.com/experience-manager/kb/how-to-migrate-ACLs-from-one-AEM-instance-to-another.html
The path for the packager is
/miscadmin#/etc/acs-commons/packagers
Remove all users unless you are migrating a specific list of user IDs.
Specify the paths. The following are usually recommended, but any custom areas should be included as well:
/etc/tags(/.*)
/etc/workflows/models(/.*)
/etc/dam/metadataeditor(/.*)
/etc/dam/tools(/.*)
/etc/dam/imageserver/macros(/.*)
/etc/replication/agents.author(/.*)
/libs/dam/gui/content/reports(/.*)
/libs/cq/core/content/nav(/.*)
/libs/dam/content/reports(/.*)
/content/dam(/.*)
/conf(/.*)
/content/SITE(/.*)
Do not remove all paths: an empty path list means every path, and the package will likely fail.
Create the package and install it on the destination server.

Create a groups package with the following filter:

filter /home/groups
  exclude /home/groups/community
  exclude /home/groups/default
  exclude /home/groups/forms
  exclude /home/groups/mac
  exclude /home/groups/media
  exclude /home/groups/projects

Build, download and install the groups package on the destination server.

Next, identify the admin and anonymous user paths on the source AEM instance, and the folders that hold the admin and anonymous users on the destination.

For instance, if the source admin user path is /home/users/F/FHwU5RtdJrElQD83OIQV (easily found under /miscadmin, or by looking at the URL path in the Touch UI user security screen),
then SRC ADMIN USER PATH = /home/users/F/FHwU5RtdJrElQD83OIQV

If /home/users/F/FHwU5RtdJrElQD83OIQV is the DST ADMIN USER PATH, then
DST ADMIN FOLDER PATH = /home/users/F

Create a users package with the following filter:

filter /home/users
  exclude /home/users/.*/.tokens
  exclude /home/users/a/anonymous
  exclude /home/users/geometrixx
  exclude /home/users/mac
  exclude /home/users/media
  exclude /home/users/projects
  exclude /home/users/system
  exclude {SRC ADMIN USER PATH}
  exclude {SRC ANONYMOUS USER PATH}
  exclude {DST ADMIN FOLDER PATH}
  exclude {DST ANONYMOUS FOLDER PATH}

Build, download and install this package on the destination.

This excludes every user in the two destination folders that contain the admin and anonymous users, not only admin and anonymous themselves.
Fix this by creating a package on the source that contains all the other users in those two parent directories.
Use one filter per user, each followed by its own exclude for the user's .tokens node.
For instance, if /home/users/h was excluded and the path below is a user on the source:

filter /home/users/h/heby6dvTRh46Zny4ghTA
  exclude /home/users/h/heby6dvTRh46Zny4ghTA/.tokens

Repeat as necessary for all users in the two paths.
Build, download and install this package on the destination.
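Writing that package by hand gets tedious when the admin or anonymous folder holds many users. The following is an added example, not part of the original post or any Adobe tooling, that derives the filter entries from the folder's depth-1 JSON listing (the same .1.json rendering the post uses to check an authorizableId) and emits both the plain filter/exclude text and a Vault META-INF/vault/filter.xml. The sample JSON and the node name zzz_hypothetical_admin are constructed; admin and anonymous are skipped because they already exist on the destination, and each user's .tokens node (where AEM stores that user's persisted login tokens) is excluded as the post does. The fetch_folder_json helper, its basic-auth handling and its parameters are assumptions of mine.

```python
"""Generate per-user package filters for users left behind in the admin/anonymous
folders. Added example, not the post's own tooling; the sample data is constructed."""
import base64
import json
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample shaped like the Sling rendering of /home/users/h.1.json:
# the folder's own properties plus one nested object per child node.
SAMPLE_FOLDER_PATH = "/home/users/h"
SAMPLE_FOLDER_JSON = {
    "jcr:primaryType": "rep:AuthorizableFolder",
    "heby6dvTRh46Zny4ghTA": {"jcr:primaryType": "rep:User", "rep:authorizableId": "testuser"},
    "zzz_hypothetical_admin": {"jcr:primaryType": "rep:User", "rep:authorizableId": "admin"},
    "rep:policy": {"jcr:primaryType": "rep:ACL"},
}


def user_paths_from_folder_json(folder_path, payload, skip_ids=("admin", "anonymous")):
    """User node paths under folder_path, dropping non-user children and the
    admin/anonymous accounts that already exist on the destination."""
    paths = []
    for name, value in payload.items():
        if not isinstance(value, dict) or value.get("jcr:primaryType") != "rep:User":
            continue
        if value.get("rep:authorizableId") in skip_ids:
            continue
        paths.append(folder_path.rstrip("/") + "/" + name)
    return sorted(paths)


def build_ui_filter_text(user_paths):
    """The filter/exclude lines in the plain form the post uses."""
    lines = []
    for path in user_paths:
        lines.append("filter " + path)
        lines.append("  exclude " + path + "/.tokens")
    return "\n".join(lines)


def build_filter_xml(user_paths):
    """META-INF/vault/filter.xml: one <filter> per user, excluding its .tokens subtree."""
    root = ET.Element("workspaceFilter", version="1.0")
    for path in user_paths:
        entry = ET.SubElement(root, "filter", root=path)
        # Vault exclude patterns are regexes; '(/.*)?' drops the node and everything under it.
        ET.SubElement(entry, "exclude", pattern=path + "/\\.tokens(/.*)?")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def fetch_folder_json(base_url, folder_path, user, password):
    """Fetch <folder>.1.json from a live author with basic auth (assumed helper; not run offline)."""
    req = urllib.request.Request(base_url.rstrip("/") + folder_path + ".1.json")
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_folder_json(...) for a real folder.
    paths = user_paths_from_folder_json(SAMPLE_FOLDER_PATH, SAMPLE_FOLDER_JSON)
    print(build_ui_filter_text(paths))
    print(build_filter_xml(paths))
```

Run it once per excluded folder (e.g. the DST ADMIN FOLDER PATH and DST ANONYMOUS FOLDER PATH) and paste the text form into the package manager, or drop the XML into a package's META-INF/vault/filter.xml.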

EXCEPTION:
Because you cannot migrate the /home or /home/users folder directly, the user permissions within the home folder are lost, specifically each user's full access to their own user node.
You should be able to edit the following Python script with the author URL and the admin password, then run it to grant all users read on the home directory and full permissions on their own account.
Different user permissions can be granted by changing the update_user_perms function if needed.

You can validate that what this script does will work by running the curl below on a test user.

The example assumes that /home/users/h/heby6dvTRh46Zny4ghTA is the user's path and that the test user's ID is "testuser"; you can also confirm the authorizableId by looking at the JSON at http://localhost:4502/home/users/h/heby6dvTRh46Zny4ghTA.1.json

Use caution: I have tested this script on AEM 6.3 only, and it could obviously use a little cleanup.


curl -u "admin:PASSWORD" -X POST \
  -FauthorizableId=testuser \
  -Fchangelog=path:/home/users/h/heby6dvTRh46Zny4ghTA,read:true,modify:true,create:true,delete:true,acl_read:true,acl_edit:true,replicate:true \
  http://localhost:4502/.cqactions.html
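The author's script is not reproduced on this page. What follows is an added example of my own, not the author's script, showing how the same grant can be driven from Python against the /.cqactions.html endpoint the curl uses, with the same changelog fields. Things not on the page and assumed here: users are enumerated through AEM's QueryBuilder servlet (/bin/querybuilder.json with type=rep:User, p.hits=full) and read from the hit fields jcr:path / path and rep:authorizableId; the AemClient class, my own update_user_perms signature, the environment variables and the SAMPLE_QUERY_RESULT data are constructed. It defaults to a dry run that only reports the changelog it would post, and it skips /home/users/system, since service users are not migrated.

```python
"""Grant every migrated user read on /home and full rights on their own user node.

Added example (not the page's script). POSTs mirror the curl command above; the
QueryBuilder lookup, AemClient and environment variables are assumptions.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Rights granted on the user's own node, in the order the page's curl lists them.
OWN_NODE_PERMS = {"read": True, "modify": True, "create": True, "delete": True,
                  "acl_read": True, "acl_edit": True, "replicate": True}
# Read only on the home directory (the page: "read to the home dir").
HOME_PERMS = {"read": True}
# Service users are never migrated and must not be touched.
SKIP_PREFIXES = ("/home/users/system",)

# Constructed sample shaped like a QueryBuilder response (p.hits=full), for offline runs.
SAMPLE_QUERY_RESULT = {"hits": [
    {"jcr:path": "/home/users/h/heby6dvTRh46Zny4ghTA", "rep:authorizableId": "testuser"},
    {"jcr:path": "/home/users/system/hypothetical-svc", "rep:authorizableId": "hypothetical-svc"},
]}


def build_changelog(path, perms):
    """Build the changelog value cqactions.html expects: path:<p>,read:true,modify:true,..."""
    flags = "".join(",%s:%s" % (k, "true" if v else "false") for k, v in perms.items())
    return "path:" + path + flags


def users_from_querybuilder(payload):
    """Return (authorizableId, path) pairs from a QueryBuilder JSON result.
    Accepts 'path' (p.hits=selective) or 'jcr:path' (p.hits=full) on each hit."""
    users = []
    for hit in payload.get("hits", []):
        path = hit.get("path") or hit.get("jcr:path")
        aid = hit.get("rep:authorizableId")
        if path and aid:
            users.append((aid, path))
    return users


def should_skip(path, skip_prefixes=SKIP_PREFIXES):
    """True for paths under a folder that must be left alone (service users)."""
    return any(path == p or path.startswith(p + "/") for p in skip_prefixes)


def plan_user_perms(authorizable_id, user_path, home_path="/home"):
    """The two POST bodies for one user: read on /home, full rights on the own node."""
    return [(authorizable_id, build_changelog(home_path, HOME_PERMS)),
            (authorizable_id, build_changelog(user_path, OWN_NODE_PERMS))]


class AemClient:
    """Minimal basic-auth client (assumed); each POST is the page's curl in code."""

    def __init__(self, base_url, user, password):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        self.auth_header = "Basic " + token

    def _request(self, method, path, form=None):
        body = urllib.parse.urlencode(form).encode() if form is not None else None
        req = urllib.request.Request(self.base_url + path, data=body, method=method)
        req.add_header("Authorization", self.auth_header)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")

    def list_users(self):
        # Assumption: standard QueryBuilder servlet; p.limit=-1 returns all hits.
        query = urllib.parse.urlencode({"type": "rep:User", "path": "/home/users",
                                        "p.limit": "-1", "p.hits": "full"})
        _, text = self._request("GET", "/bin/querybuilder.json?" + query)
        return users_from_querybuilder(json.loads(text))

    def update_user_perms(self, authorizable_id, user_path, dry_run=True):
        """Apply (or, by default, only report) the planned grants for one user."""
        results = []
        for aid, changelog in plan_user_perms(authorizable_id, user_path):
            if dry_run:
                results.append(("DRY-RUN", changelog))
                continue
            status, _ = self._request("POST", "/.cqactions.html",
                                      {"authorizableId": aid, "changelog": changelog})
            results.append((status, changelog))
        return results


if __name__ == "__main__":
    # Set AEM_URL, AEM_USER, AEM_PASSWORD and DRY_RUN=0 to change a real instance;
    # without AEM_URL the constructed sample is used and nothing is sent.
    client = AemClient(os.environ.get("AEM_URL", "http://localhost:4502"),
                       os.environ.get("AEM_USER", "admin"), os.environ.get("AEM_PASSWORD", ""))
    dry = os.environ.get("DRY_RUN", "1") != "0"
    users = client.list_users() if "AEM_URL" in os.environ else users_from_querybuilder(SAMPLE_QUERY_RESULT)
    for aid, path in users:
        if should_skip(path):
            print("skip", aid, path)
            continue
        for status, changelog in client.update_user_perms(aid, path, dry_run=dry):
            print(status, aid, changelog)
```

Run it first with the default dry run and compare one user's printed changelog against the curl above; only then set DRY_RUN=0. Keeping the grant on the own node full and the grant on /home read-only matches what the page describes and avoids handing every user write access to the shared home tree.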

SCRIPT