While working on setting CQ Users/Groups Permissions, I discovered something rather weird happening within AEM/Adobe CQ. I think it's a bug. Or maybe not; I'll let you decide what it is, and feel free to chime in. The "issues or bugs" are discussed below in this article.


1. What I did:

  1. I created a list of groups.
  2. I set permissions to the groups.
  3. I created a list of users.
  4. I assigned group(s) to the users.
  5. I set specific permission(s) for some users.
  6. I replicated the newly created groups and users to my publish instance.

2. Problems/issues/bugs:

  1. None of the permissions were replicated.
  2. Note that, based on this article that I wrote: CQ Users and Groups Permissions..., AEM6 stores its permissions inside the /jcr:system/rep:permissionStore/crx.default node. So, I cannot replicate the permissions, or package them and install them on my publish instance, because the nodes stored under /jcr:system/rep:permissionStore/crx.default are protected.

3. Workaround:

  1. I went to my publish instance and manually set the permissions all over again, to sync up with what I had done on my author instance.
  2. While manually setting permissions on the publish instance, for a specific reason, I had to remove all my users/groups (which I had just created on the author instance and replicated to my publish instance) from my publish instance. So, I removed all the new users/groups. FYI, I removed the users/groups via http://localhost:4503/useradmin and not http://localhost:4503/crx/de/index.jsp.

4. An interesting observation, ISSUE?:

  1. The users/groups were removed.
  2. However, my permissions that are stored within the /jcr:system/rep:permissionStore/crx.default node never get removed.
  3. I regard this as an issue because:
    • On my author instance: I continue to make my changes on the author instance and replicate the users/groups over.
    • On my publish instance: I checked my users/groups permissions, all the old permissions are still there; hence all my newly replicated users/groups inherit all the old permissions that I set (before I removed my users/groups).
    • Obviously, to fix this, I have to go back to item #3 (workaround).


Note: if you need screenshots, I can provide them as well.
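
A check for the condition described in section 4, as an added example that is not part of the original post: it walks a JSON export of the publish instance's access control nodes, reports entries whose principal no longer exists, and shows which of those a replicated user/group of the same name would pick up. The sample tree is constructed, and the export layout (rep:policy nodes holding rep:GrantACE/rep:DenyACE children with rep:principalName and rep:privileges) and all function names are assumptions.

```python
import json

ACE_TYPES = {"rep:GrantACE", "rep:DenyACE"}

# Constructed sample (not real output): nested JSON export of a publish content tree.
SAMPLE_TREE = json.loads("""
{"content": {
   "jcr:primaryType": "sling:OrderedFolder",
   "rep:policy": {
     "jcr:primaryType": "rep:ACL",
     "allow": {"jcr:primaryType": "rep:GrantACE",
               "rep:principalName": "site-authors",
               "rep:privileges": ["jcr:read", "rep:write"]}},
   "mysite": {
     "jcr:primaryType": "cq:Page",
     "rep:policy": {
       "jcr:primaryType": "rep:ACL",
       "allow": {"jcr:primaryType": "rep:GrantACE",
                 "rep:principalName": "old-reviewers",
                 "rep:privileges": ["jcr:all"]}}}}}
""")

def iter_aces(node, path=""):
    """Yield (path, ace_type, principal, privileges) for every ACE node in the tree."""
    for name, child in node.items():
        if not isinstance(child, dict):
            continue  # plain property, not a child node
        child_path = f"{path}/{name}"
        if child.get("jcr:primaryType") in ACE_TYPES:
            yield (child_path, child["jcr:primaryType"],
                   child.get("rep:principalName"),
                   tuple(child.get("rep:privileges", [])))
        else:
            yield from iter_aces(child, child_path)

def orphaned_aces(tree, existing_principals):
    """ACEs whose principal is not among the users/groups that currently exist."""
    known = set(existing_principals)
    return [ace for ace in iter_aces(tree) if ace[2] not in known]

def inherited_on_replication(tree, existing_principals, incoming_principals):
    """Map each to-be-replicated principal to the stale ACEs it would match by name."""
    hits = {}
    for path, ace_type, principal, privileges in orphaned_aces(tree, existing_principals):
        if principal in set(incoming_principals):
            hits.setdefault(principal, []).append((path, ace_type, privileges))
    return hits

if __name__ == "__main__":
    existing = {"everyone", "site-authors"}  # constructed: principals left on publish
    print(inherited_on_replication(SAMPLE_TREE, existing, ["old-reviewers", "new-group"]))
```

Running it before replicating users/groups back to publish lists the leftover entries to clean up first.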