We considered existing solutions before starting our own AC Tool: Jackrabbit FileVault content packages (including `rep:policy` nodes), Sling repository initialization (Repo Init) and the ACL Setup Service provided by AEM.

Aspect | AC Tool | Repo Init | Content Package | ACL Setup Service |
---|---|---|---|---|
Readability | ✅ config can be read by less technical persons | ❌ JSON format mixed with custom Repo Init format | ❌ hard to read even for developers | 🔶 readable for small setups |
Run mode support | ✅ | 🔶 indirectly via providing multiple configs | ❌ | 🔶 indirectly via providing multiple configs |
Setting ACLs for any content position | ✅ | ✅ | 🔶 if path does not exist, invalid pages are created | ✅ |
Creation of groups possible | ✅ | ✅ | ✅ | ❌ |
Order of ACEs is ensured | ✅ order of ACEs is ensured | ❌ works for initial creation, but not incrementally | ❌ works for initial creation, but not incrementally | ❌ works for initial creation, but not incrementally |
Old entries can be deleted | ✅ a diff is created for each node and entries are added/removed as needed | 🔶 yes, but the operation has to be specified explicitly, while the AC Tool automatically removes what is not needed | ❌ old entries are untouched and have to be deleted manually | ❌ old entries are untouched and have to be deleted manually |
Consistency Checks regarding AC setup | ✅ | ❌ | ❌ | ❌ |
Maintainability | ✅ Single configuration file per project keeps ACL setup in one place. Can be split up to multiple files (e.g. one per tenant). | ❌ Does not scale well for large projects | ❌ package with many filter rules and complex structure has to be created | 🔶 Everything is kept in one file (OSGi configuration), good for small projects but gets too big for large instances. |
Duplication in configuration | ✅ supports variables, ifs and loops | ❌ Some duplication is usually required | ❌ all paths have to be contained in package | ❌ all paths have to be explicitly listed in OSGi config |
Automatic Group Location Migration | ✅ if the location of a group changes in the config file, the AC Tool automatically migrates the group location and all references to it in the content | ❌ no | ❌ all paths in content package have to be changed manually | ❌ cannot handle groups |
Import/Export | ✅ import and export of YAML files | ❌ no | ❌ no standard tool in AEM for exporting ACEs but ✅ ACL Packager can be used | ❌ no export of the effective permissions of an instance |
Reproducibility | ✅ It is possible to ensure that ACL settings in any system are exactly as defined. | ❌ Repo Init does not specify a target state but a number of operations to be performed. It is hard to ensure that all environments will have the exact same configuration (as this also depends on the current state of an environment). | ❌ Old ACLs are not removed. Therefore, it can only be ensured that the defined ACLs are there but there may be additional ones active as well. | ❌ Old ACLs are not removed. Therefore, it can only be ensured that the defined ACLs are there but there may be additional ones active as well. |
Availability | 🔶 requires installation of an additional package | ✅ included out-of-the-box | ✅ part of deployment packages | ✅ included out-of-the-box |
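
The "Order of ACEs is ensured", "Old entries can be deleted" and "Reproducibility" rows, as an added illustration that is not code from the AC Tool or from any of the compared tools: a simplified Python model contrasting additive application with reconciliation against a target state. The tuple representation of an ACE, the group names and the sample data are assumptions constructed for this example.

```python
# Illustrative model only: an ACE is a (principal, "allow"/"deny", privilege)
# tuple and a node's ACL is an ordered list. All names and data are constructed.

def apply_additive(current, defined):
    """Additive style: add what is defined, never remove or reorder."""
    result = list(current)
    for ace in defined:
        if ace not in result:
            result.append(ace)
    return result

def reconcile(current, defined):
    """Target-state style: return (new_acl, removed, added) so the node ends
    up with exactly the defined ACEs, in the defined order."""
    removed = [ace for ace in current if ace not in defined]
    added = [ace for ace in defined if ace not in current]
    return list(defined), removed, added

def stale_entries(acl, defined):
    """ACEs active on the node that the configuration does not define."""
    return [ace for ace in acl if ace not in defined]

# Constructed state of one node, left over from an earlier configuration.
CURRENT = [
    ("contractors", "allow", "jcr:write"),  # no longer part of the config
    ("authors", "allow", "jcr:read"),
]
# Constructed target configuration: the deny entry comes first.
DEFINED = [
    ("everyone", "deny", "jcr:write"),
    ("authors", "allow", "jcr:read"),
    ("authors", "allow", "jcr:write"),
]

if __name__ == "__main__":
    additive = apply_additive(CURRENT, DEFINED)
    print("additive result:     ", additive)
    print("stale after additive:", stale_entries(additive, DEFINED))
    new_acl, removed, added = reconcile(CURRENT, DEFINED)
    print("reconciled result:   ", new_acl)
    print("removed:", removed)
    print("added:  ", added)
```

In this model the additive run leaves the `contractors` write permission active and places the deny entry after an existing allow, while the reconciled ACL equals the defined list and a second reconcile run reports nothing to add or remove.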