If you need to transfer users and groups in AEM from one server or AEM instance to another, you need to create a package of the users/groups along with their rep:policy nodes. It is important to include the rep:policy nodes because permissions are stored at the individual target nodes rather than on the group/user node. You need to include every rep:policy node where you have given access to the groups.
If users are included in the package, then:
Add an exclude rule for user tokens: /home/users/.*/.tokens
Set ACL Handling to overwrite (or Merge**)
The recommended option is to use the acs-aem-commons tool to create a separate ACL package to migrate the ACLs. This utility picks up the rep:policy nodes automatically, so we don't have to worry about them.
Follow the steps below:
1. Create the ACL package
2. Configure the ACL package
Once the package is created, open the ACL package page and configure it for the group and user definitions. While configuring the package, it is important that you select all the principals, i.e. the users or groups you want to export, under "Principal Names". You can keep the "Include Patterns" field blank to ensure that all nodes which have a rep:policy node are included automatically. You don't have to include them selectively, because doing that may be cumbersome and there is a chance you will miss a few entries.
You need to check the "Include principals" option if the selected principals do not exist in the target environment; otherwise you can keep it unchecked.
**If "overwrite" does not work for you, try the "merge" option.
Now build the package and download it.
Reference: https://adobe-consulting-services.github.io/acs-aem-commons/features/acl-packager.html
3. Install the package in the destination AEM instance
Note: I suggest performing and verifying this in a test instance first. Ensure you take a backup of the existing user/group definitions before you upload the package to the destination AEM instance.
Troubleshooting:
Once you have installed the package in the destination, cross-verify the users, groups and permissions. If you see any issues, change the filter definition in Step 1 as required, then build and install again.
If the permissions are not reflected properly, check whether you granted the permission at root level, i.e. by selecting the check-all option at the top. This sometimes causes issues, so instead of giving permissions at root level, give them at sub-root level, i.e. /content, /etc, /home, /libs, etc.
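A pre-install check for the downloaded package, as an added example that is not from the original post or from acs-aem-commons: it confirms the token exclude rule is present, that no `.tokens` node was serialized, that rep:policy nodes are in the archive, and that ACL handling is overwrite or merge. It assumes the standard FileVault package layout (`META-INF/vault/filter.xml`, `META-INF/vault/properties.xml` with an `acHandling` entry, rep:policy serialized as `_rep_policy.xml`); `audit_package`, `build_sample` and the user `alice` are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

TOKEN_RULE = "/home/users/.*/.tokens"  # exclude pattern from the article
TOKEN_ENTRY = re.compile(r"^jcr_root/home/users/.*/\.tokens(/|$)")

def audit_package(data):
    """Return the problems found in a content package given as zip bytes."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        filters = ET.fromstring(pkg.read("META-INF/vault/filter.xml"))
        props = ET.fromstring(pkg.read("META-INF/vault/properties.xml"))
    # Every filter root that can reach user nodes needs the token exclude.
    for f in filters.iter("filter"):
        root = f.get("root", "")
        if root in ("/", "/home") or root.startswith("/home/users"):
            if TOKEN_RULE not in [e.get("pattern") for e in f.iter("exclude")]:
                problems.append("missing token exclude on " + root)
    # Login tokens must not have been serialized into the archive.
    problems += ["token node packaged: " + n for n in names if TOKEN_ENTRY.match(n)]
    # FileVault stores a rep:policy node as _rep_policy.xml under its parent.
    if not any(n.endswith("/_rep_policy.xml") for n in names):
        problems.append("no rep:policy nodes in package")
    # acHandling is the package property behind the ACL Handling setting.
    ac = [e.text for e in props.iter("entry") if e.get("key") == "acHandling"]
    if not ac or ac[0] not in ("overwrite", "merge"):
        problems.append("acHandling is not overwrite or merge")
    return problems

def build_sample(exclude_tokens):
    """Constructed sample package (not a real export) used to exercise the audit."""
    rule = '<exclude pattern="%s"/>' % TOKEN_RULE if exclude_tokens else ""
    files = {
        "META-INF/vault/filter.xml": '<workspaceFilter version="1.0">'
            '<filter root="/home/users">%s</filter></workspaceFilter>' % rule,
        "META-INF/vault/properties.xml":
            '<properties><entry key="acHandling">overwrite</entry></properties>',
        "jcr_root/content/_rep_policy.xml": "<jcr:root/>",
    }
    if not exclude_tokens:
        files["jcr_root/home/users/a/alice/.tokens/.content.xml"] = "<jcr:root/>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in files.items():
            z.writestr(name, body)
    return buf.getvalue()
```

To audit a real export, pass the bytes of the downloaded zip to `audit_package`; an empty list means none of the four checks failed.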
Hi vivek,
The article was very helpful. I have created an ACL package for user groups migration in AEM 6.0, and while installing the package in an AEM 6.3 instance I'm getting the below error. Can you help me with this?
Could not Install Package
“javax.jcr.nodetype.ConstraintViolationException: OakConstraint0031: Cyclic group membership detected in groupla-workflow-user”