Migrating AEM Users Groups & ACLs
November 28, 2017
There are a dozen posts about migrating users and groups for AEM, and I have not found one that was fully correct yet. Hopefully, if you are finding the same, this will help.
Start with ACLs and follow the generic directions here:
https://helpx.adobe.com/experience-manager/kb/how-to-migrate-ACLs-from-one-AEM-instance-to-another.html
The path for the packager is
/miscadmin#/etc/acs-commons/packagers
Remove all users unless migrating a specific list of user IDs.
Specify the paths:
/etc/tags(/.*)
/etc/workflows/models(/.*)
/etc/dam/metadataeditor(/.*)
/etc/dam/tools(/.*)
/etc/dam/imageserver/macros(/.*)
/etc/replication/agents.author(/.*)
/libs/dam/gui/content/reports(/.*)
/libs/cq/core/content/nav(/.*)
/libs/dam/content/reports(/.*)
/content/dam(/.*)
/conf(/.*)
/content/SITE(/.*)
These are usually recommended, but any custom areas should be included. Do not remove all paths, as that selects everything and will likely fail.
Create the package and install it on the destination server.
Create a groups package that includes:
filter /home/groups
exclude /home/groups/community
exclude /home/groups/default
exclude /home/groups/forms
exclude /home/groups/mac
exclude /home/groups/media
exclude /home/groups/projects
Build, download and install the groups package on the destination server.
Next, identify the admin user path and the anonymous user path on the source AEM instance, and the parent folders of the admin user and the anonymous user on the destination.
For instance, if the source admin user path is /home/users/F/FHwU5RtdJrElQD83OIQV (easily found under /miscadmin or by looking at the URL path from the touch user security screen),
then SRC ADMIN USER PATH = /home/users/F/FHwU5RtdJrElQD83OIQV
If /home/users/F/FHwU5RtdJrElQD83OIQV is the DST ADMIN USER PATH, then
DST ADMIN FOLDER PATH = /home/users/F
Create a users package that has:
filter /home/users
exclude /home/users/.*/.tokens
exclude /home/users/a/anonymous
exclude /home/users/geometrixx
exclude /home/users/mac
exclude /home/users/media
exclude /home/users/projects
exclude /home/users/system
exclude {SRC ADMIN USER PATH}
exclude {SRC ANONYMOUS USER PATH}
exclude {DST ADMIN FOLDER PATH}
exclude {DST ANONYMOUS FOLDER PATH}
Build, download and install this package on the destination.
This excludes all users in the two destination folders that contain the admin and anonymous users.
Fix this by creating a package on the source with all the users in those parent directories.
There should be one filter per user, each with a subsequent exclude.
For instance, if /home/users/h was excluded and the path below is a user on the source:
filter /home/users/h/heby6dvTRh46Zny4ghTA
exclude /home/users/h/heby6dvTRh46Zny4ghTA/.tokens
Repeat as necessary for all users in the two paths.
Build, download and install this package on the destination.
EXCEPTION:
Because you cannot migrate the /home or /home/users folder directly, user permissions within the home folder are lost, specifically each user's full access to their own user node.
You should be able to edit the following Python script with the author URL and the admin password and then run it to grant all users read on the home dir and full permissions on their own account.
Different user permissions can be set in the update_user_perms function if needed.
You can validate that what this script does will work by running the curl below on a test user.
The example assumes that /home/users/h/heby6dvTRh46Zny4ghTA is their path and that the test user is "testuser", but you can also confirm the authorizableId by looking at the JSON at http://localhost:4502/home/users/h/heby6dvTRh46Zny4ghTA.1.json
Use caution, as this script is tested on AEM 6.3 only by me and could obviously use a little cleanup.
curl -u "admin:PASSWORD" -X POST -FauthorizableId=testuser -Fchangelog=path:/home/users/h/heby6dvTRh46Zny4ghTA,read:true,modify:true,create:true,delete:true,acl_read:true,acl_edit:true,replicate:true http://localhost:4502/.cqactions.html
SCRIPT
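The author's script is not reproduced on this page. What follows is an added example, not the author's code, that does what the passage describes: it posts to /.cqactions.html with the same authorizableId/changelog fields as the curl above, once to grant read on /home/users and once to grant full rights on the user's own node. It assumes an author instance at http://localhost:4502, admin credentials, and that the QueryBuilder servlet (/bin/querybuilder.json with p.hits=full) returns rep:authorizableId per hit; service users under /home/users/system are skipped, matching the package excludes.

```python
import base64
import json
import urllib.parse
import urllib.request

AEM_URL = "http://localhost:4502"  # author URL, as in the curl above (assumption)
ADMIN_AUTH = ("admin", "PASSWORD")  # fill in the real admin password before running
FULL = ["read", "modify", "create", "delete", "acl_read", "acl_edit", "replicate"]


def changelog(path, granted):
    """changelog value in the shape /.cqactions.html expects: path:<node>,<action>:true,..."""
    return "path:" + path + "".join(f",{a}:true" for a in granted)


def user_perm_requests(path, authorizable_id):
    """Two POST bodies per user: read on /home/users, then full rights on their own node."""
    return [
        {"authorizableId": authorizable_id, "changelog": changelog("/home/users", ["read"])},
        {"authorizableId": authorizable_id, "changelog": changelog(path, FULL)},
    ]


def parse_users(qb_json):
    """(path, rep:authorizableId) pairs from a QueryBuilder result; skips system users."""
    users = []
    for hit in qb_json.get("hits", []):
        path = hit.get("jcr:path") or hit.get("path", "")
        uid = hit.get("rep:authorizableId")
        if uid and path.startswith("/home/users/") and not path.startswith("/home/users/system"):
            users.append((path, uid))
    return users


def _request(endpoint, fields=None):
    """GET when fields is None, otherwise a form POST, with HTTP basic auth as admin."""
    token = base64.b64encode(":".join(ADMIN_AUTH).encode()).decode()
    data = urllib.parse.urlencode(fields).encode() if fields else None
    req = urllib.request.Request(AEM_URL + endpoint, data=data,
                                 headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def fix_all_user_perms():
    """Find every rep:User under /home/users (QueryBuilder, assumption) and apply grants."""
    _, body = _request("/bin/querybuilder.json?path=/home/users&type=rep:User&p.limit=-1&p.hits=full")
    for path, uid in parse_users(json.loads(body)):
        for fields in user_perm_requests(path, uid):
            status, _ = _request("/.cqactions.html", fields)
            print(uid, fields["changelog"], status)


if __name__ == "__main__":
    fix_all_user_perms()
```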