Create System User in AEM

AEM 6.1 comes with a lot of features, one of which allows developers or content authors to create a system user from CRX Explorer. I have updated this post to cover creating a system user in AEM 6.3 and packaging the system user together with its permissions, so that it can be easily deployed on any instance such as dev, QA or prod.

The focus of this tutorial is to have a clear understanding about:

System User In AEM:-


Up to AEM 6 we had the liberty to use any user as a service user for invoking and executing any service. From AEM 6.1 there was a slight change in how the ServiceUserMapping is defined and how the service user or system user has to be created.

If we try to assign an arbitrary user as a service user in AEM 6.1, we get the error below:

org.apache.sling.api.resource.LoginException: Cannot derive user name for bundle ch.inside.cqblog-bundle [452] and sub service readService

Note:- From AEM 6.1 service users can only be mapped to system users (jcr:primaryType = rep:SystemUser).

Why System Users are Introduced:-


Use of the admin session and the admin resource resolver through ResourceResolverFactory is now deprecated. That is why, from AEM 6.1, Adobe forces developers to create system users and map them in the Service User Mapper in the Felix Console.

  • Prevent excessive use of administrative JCR Sessions and ResourceResolvers.
  • Allow services access to ResourceResolvers and JCR Sessions without requiring to hard-code or configure passwords.
  • Allow services to use service users and/or system user which are specially configured for service level access.

Create System User in AEM:-


A system user can be created either by definition in your application content package or manually in CRX Explorer through “User Administration”. As this is a system user, there is no need to set a password.

  • Go to CRX Explorer.
  • Click on User Administration.
  • Click on Create System User in the top bar.
    • UserId – testSystemUser (the user ID you want to assign to the system user)
    • Intermediate Path – /home/users/system
      Note:- This is the path where you want to store the system user. If no path is provided, the user is stored at some arbitrary node. This field is optional, but it is always advisable to provide a path so that the user is easy to track.


  • Click on Green check box.
  • Your system user is successfully created.
  • You can also view the system user details in CRX DE at the path /home/users/system.

Define Service User Mapper in AEM :-


To define a service user mapping, create a new configuration of the Apache Sling Service User Mapper Service Amendment.

  • Go to Felix Console configurations.
  • Search for “service user mapper” configuration.
  • Click on the plus sign against Apache Sling Service User Mapper Service Amendment to create a new factory configuration.
  • Enter Service Mapping Details
    • Enter an entry in the form bundleId:subServiceName=userName.


  • For example, in the screenshot below:
    • bundleId = com.adobe.cq.cq-dms-tagmanager
    • subServiceName = tagmanagement
    • systemUser Name = tagmanagerservice


In our case, we want to add a mapping for the testSystemUser system user in the Apache Sling Service User Mapper Service Amendment. Follow the steps below to add the entry to the service user mapper service in AEM:-

Let's assume the details below:-

  • bundleId = com.aemlearning (You can find your bundle symbolic name in your core pom.xml)
  • subServiceName = testSystemUser (Used in your Java code to get a resource resolver based on the sub service name)
  • systemUser Name = testSystemUser (The system user name that you gave when creating the system user)

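The Java side of this mapping, as an added example that is not code from the original post: a service in the com.aemlearning bundle obtains a resource resolver for the testSystemUser sub service instead of an administrative one. The package name, the class name ContentReader and the method readResourceType are hypothetical.

```java
package com.aemlearning.core; // assumed package inside the com.aemlearning bundle

import java.util.Collections;
import java.util.Map;

import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical service that reads content as testSystemUser, not as admin. */
@Component(service = ContentReader.class)
public class ContentReader {
    private static final Logger LOG = LoggerFactory.getLogger(ContentReader.class);

    // Must equal the subServiceName part of the mapping entry
    // com.aemlearning:testSystemUser=testSystemUser
    private static final Map<String, Object> AUTH_INFO =
            Collections.<String, Object>singletonMap(
                    ResourceResolverFactory.SUBSERVICE, "testSystemUser");

    @Reference
    private ResourceResolverFactory resolverFactory;

    /** Returns the resource type at the given path, or null if it cannot be read. */
    public String readResourceType(String path) {
        ResourceResolver resolver = null;
        try {
            resolver = resolverFactory.getServiceResourceResolver(AUTH_INFO);
            LOG.debug("Resolver opened for user {}", resolver.getUserID());
            Resource resource = resolver.getResource(path);
            // null: the node is missing or the system user has no read permission on it
            return resource != null ? resource.getResourceType() : null;
        } catch (LoginException e) {
            // No mapping for this bundle/sub service, or the mapped user is not a rep:SystemUser
            LOG.error("Cannot open service resolver for sub service testSystemUser", e);
            return null;
        } finally {
            if (resolver != null && resolver.isLive()) {
                resolver.close(); // service resolvers are not closed automatically
            }
        }
    }
}
```

The resolver only sees what the mapped system user's ACLs allow, so a null result for an existing path usually points at missing permissions rather than a code error.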

How to package a system user using ACS Commons ACL Packager:-


In AEM, if we have to export users or groups from one environment to another, we use packages. To transfer permissions along with the user, we use the ACS Commons ACL Packager.

As a prerequisite, let's first add permissions to our testSystemUser. Let's say we want this system user for content editing.

  • Navigate to User Admin Console.
  • Search for your user (testSystemUser).
  • Select your user and go to Permissions Tab.
  • Provide full access to the /content folder by selecting all check boxes in the content row. You can ignore the replicate check box, as we don’t want this user for replication.
  • Click on save.


Follow the steps below to create an ACS Commons ACL Packager:-

  • Log in to AEM Author.
  • Navigate to the Classic UI Tools Console (In case of Touch UI, You can navigate to  Tools–>Operations –> Configuration )
  • Under the acs-commons folder, create a folder named packagers. (The name must be packagers; the title can be whatever you choose. If you use any other folder name, no template will be displayed.)
    NOTE: As of acs commons version 1.6.0, this folder is created automatically
  • Under the packagers folder, create a new Page of Template type “ACL Packager”


  • Double click on the newly created page.
  • Click Edit.
  • Enter values in the dialog to configure the package rules and configuration.
    • Add Principal Names:- Add the names of the users that you want to export.
    • Include Patterns:- Add the paths from which you want to include rep:Policy nodes (permissions).


  • Click OK. It will display a brief overview of your ACL package.
  • Click on the Preview button to output a list of the access control entries which will be packaged.
  • Click on Create Package. That’s it, you are done. You have successfully created the ACL Packager package for the system user at /etc/packages/AEMCQ5Tutorials/Package System User-1.0.0.zip . Navigate to CRX Package Manager, build and download your package. You can now import it on any environment you want.
    Note:- Once you have created a package, you cannot change the package configuration. To change the package configuration you need to create a new ACL package.

