You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sling.apache.org by gi...@apache.org on 2022/11/18 18:55:11 UTC
[sling-site] branch asf-site updated: Automatic website deployment from https://ci-builds.apache.org/job/Sling/job/modules/job/sling-site/job/master/580/
This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/sling-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 6ac91880c Automatic website deployment from https://ci-builds.apache.org/job/Sling/job/modules/job/sling-site/job/master/580/
6ac91880c is described below
commit 6ac91880c46d5a7d018fdb8423304e7ae97057e3
Author: jenkins <bu...@apache.org>
AuthorDate: Fri Nov 18 18:55:08 2022 +0000
Automatic website deployment from https://ci-builds.apache.org/job/Sling/job/modules/job/sling-site/job/master/580/
---
...aging-permissions-jackrabbit-accessmanager.html | 278 ++++++++++++++++++---
sitemap.xml | 4 +-
2 files changed, 248 insertions(+), 34 deletions(-)
diff --git a/documentation/bundles/managing-permissions-jackrabbit-accessmanager.html b/documentation/bundles/managing-permissions-jackrabbit-accessmanager.html
index 0cccfb71e..a2be94268 100644
--- a/documentation/bundles/managing-permissions-jackrabbit-accessmanager.html
+++ b/documentation/bundles/managing-permissions-jackrabbit-accessmanager.html
@@ -132,40 +132,74 @@
</nav><script src='/res/jquery-3.2.1.min.js' type='text/javascript'></script><script src='/res/tocjs-1-1-2.js' type='text/javascript'></script><script type='text/javascript'>$(document).ready(function() { $('#generatedToC').toc({'selector':'h1[class!=title],h2,h3','ulClass':'menu-list'}); } );</script><div class="content is-marginless">
<div class="row"><div><section><p>The <code>jackrabbit-accessmanager</code> bundle delivers a REST interface to manipulate users permissions in the JCR. After installing the <code>jackrabbit-accessmanager</code> bundle the REST services are exposed under the path of the node where you will manipulate the permissions for a user with a specific selector like <code>modifyAce</code>, <code>acl</code>, <code>eacl</code> and <code>deleteAce</code>. <!-- TODO reactivate TOC once JBake moves to [...]
</p>
-<h2><a href="#privileges" id="privileges">Privileges</a></h2>
+<h2><a href="#built-in-privileges" id="built-in-privileges">Built-in Privileges</a></h2>
<table>
<thead>
<tr><th>Name </th><th> Description</th></tr>
</thead>
<tbody>
-<tr><td>jcr:read </td><td> the privilege to retrieve a node and get its properties and their values</td></tr>
-<tr><td>jcr:readAccessControl </td><td> the privilege to get the access control policy of a node</td></tr>
-<tr><td>jcr:modifyProperties </td><td> the privilege to create, modify and remove the properties of a node</td></tr>
-<tr><td>jcr:addChildNodes </td><td> the privilege to create child nodes of a node</td></tr>
-<tr><td>jcr:removeChildNodes </td><td> the privilege to remove child nodes of a node</td></tr>
-<tr><td>jcr:removeNode </td><td> the privilege to remove a node</td></tr>
-<tr><td>jcr:write </td><td> an aggregate privilege that contains: jcr:modifyProperties jcr:addChildNodes jcr:removeNode jcr:removeChildNodes</td></tr>
-<tr><td>jcr:modifyAccessControl </td><td> the privilege to modify the access control policies of a node</td></tr>
-<tr><td>jcr:lockManagement </td><td> the privilege to lock and unlock a node</td></tr>
-<tr><td>jcr:versionManagement </td><td> the privilege to perform versioning operations on a node</td></tr>
-<tr><td>jcr:nodeTypeManagement </td><td> the privilege to add and remove mixin node types and change the primary node type of a node</td></tr>
-<tr><td>jcr:retentionManagement </td><td> the privilege to perform retention management operations on a node</td></tr>
-<tr><td>jcr:lifecycleManagement </td><td> the privilege to perform lifecycle operations on a node</td></tr>
-<tr><td>jcr:all </td><td> an aggregate privilege that contains all predefined privileges</td></tr>
+<tr><td><code>jcr:all</code> </td><td> aggregate that contains all defined privileges</td></tr>
+<tr><td><code> ┣━ jcr:read</code> </td><td> aggregate to read the node and its properties</td></tr>
+<tr><td><code> ┃ ┣━ rep:readNodes</code> </td><td> read the children of the node</td></tr>
+<tr><td><code> ┃ ┗━ rep:readProperties</code> </td><td> read properties of the node</td></tr>
+<tr><td><code> ┣━ rep:write</code> </td><td> aggregate that contains full write privileges</td></tr>
+<tr><td><code> ┃ ┣━ jcr:write</code> </td><td> aggregate that simple write privileges</td></tr>
+<tr><td><code> ┃ ┃ ┣━ jcr:addChildNodes</code> </td><td> create child nodes of the node</td></tr>
+<tr><td><code> ┃ ┃ ┣━ jcr:modifyProperties</code> </td><td> aggregate to create, modify and remove the properties of the node</td></tr>
+<tr><td><code> ┃ ┃ ┃ ┣━ rep:addProperties</code> </td><td> add new properties to the node</td></tr>
+<tr><td><code> ┃ ┃ ┃ ┣━ rep:alterProperties</code> </td><td> alter existing properties of the node</td></tr>
+<tr><td><code> ┃ ┃ ┃ ┗━ rep:removeProperties</code> </td><td> remove existing properties of the node</td></tr>
+<tr><td><code> ┃ ┃ ┣━ jcr:removeChildNodes</code> </td><td> remove child nodes of the node</td></tr>
+<tr><td><code> ┃ ┃ ┗━ jcr:removeNode</code> </td><td> remove the node</td></tr>
+<tr><td><code> ┃ ┗━ jcr:nodeTypeManagement</code> </td><td> add and remove mixin node types and change the primary node type of the node</td></tr>
+<tr><td><code> ┣━ jcr:readAccessControl</code> </td><td> read the access control policy of the node</td></tr>
+<tr><td><code> ┣━ jcr:modifyAccessControl</code> </td><td> modify the access control policies of the node</td></tr>
+<tr><td><code> ┣━ rep:indexDefinitionManagement</code> </td><td> manage index definitions</td></tr>
+<tr><td><code> ┣━ jcr:lifecycleManagement</code> </td><td> perform lifecycle operations on the node</td></tr>
+<tr><td><code> ┣━ jcr:lockManagement</code> </td><td> lock and unlock the node</td></tr>
+<tr><td><code> ┣━ jcr:namespaceManagement</code> </td><td> managed namespaces</td></tr>
+<tr><td><code> ┣━ jcr:nodeTypeDefinitionManagement</code> </td><td> manage node type definitions</td></tr>
+<tr><td><code> ┣━ rep:privilegeManagement</code> </td><td> manage privilege definitions</td></tr>
+<tr><td><code> ┣━ jcr:retentionManagement</code> </td><td> retention management operations on the node</td></tr>
+<tr><td><code> ┣━ rep:userManagement</code> </td><td> manage users and groups</td></tr>
+<tr><td><code> ┣━ jcr:versionManagement</code> </td><td> perform versioning operations on the node</td></tr>
+<tr><td><code> ┗━ jcr:workspaceManagement</code> </td><td> manage workspaces</td></tr>
+</tbody>
+</table>
+<h2><a href="#built-in-restrictions" id="built-in-restrictions">Built-in Restrictions</a></h2>
+<p>See <a href="https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html">Restriction Management</a> or <a href="https://sling.apache.org/documentation/bundles/sling-oak-restrictions.html">Sling Oak Restrictions</a> for details and examples.</p>
+<table>
+<thead>
+<tr><th>Name </th><th> Since</th></tr>
+</thead>
+<tbody>
+<tr><td><code>rep:glob</code> </td><td> Oak 1.0</td></tr>
+<tr><td><code>rep:ntNames</code> </td><td> Oak 1.0</td></tr>
+<tr><td><code>rep:prefixes</code> </td><td> Oak 1.0</td></tr>
+<tr><td><code>rep:itemNames</code> </td><td> Oak 1.3.8</td></tr>
+<tr><td><code>rep:current</code> </td><td> Oak 1.42.0</td></tr>
+<tr><td><code>rep:globs</code> </td><td> Oak 1.44.0</td></tr>
+<tr><td><code>rep:subtrees</code> </td><td> Oak 1.44.0</td></tr>
+<tr><td><code>sling:resourceTypes</code> </td><td> Sling Oak Restrictions 1.0.0</td></tr>
+<tr><td><code>sling:resourceTypesWithDescendants</code> </td><td> Sling Oak Restrictions 1.0.0</td></tr>
</tbody>
</table>
<h2><a href="#add-or-modify-permissions" id="add-or-modify-permissions">Add or modify permissions</a></h2>
<p>To modify the permissions for a node POST a request to <code>/<path-to-the-node>.modifyAce.<html or json></code>. The following parameters are available:</p>
<table>
<thead>
-<tr><th>Name </th><th> Description</th></tr>
+<tr><th>Name </th><th> Since </th><th> Description</th></tr>
</thead>
<tbody>
-<tr><td>principalId </td><td> The id of the user or group to modify the access rights for</td></tr>
-<tr><td>order </td><td> The position of the entry within the list (see below for details)</td></tr>
-<tr><td>privilege@[privilege_name] </td><td> One param for each privilege to modify. The value must be either 'granted', 'denied' or 'none'.</td></tr>
-<tr><td>restriction@[restriction_name] </td><td> (since 3.0.4) One param for each restriction value. The same parameter name may be used again for multi-value restrictions. The value is the target value of the restriction.</td></tr>
-<tr><td>restriction@[restriction_name]@Delete </td><td> (since 3.0.4) One param for each restriction to delete. The parameter value is ignored and can be anything.</td></tr>
+<tr><td><code>principalId</code> </td><td> </td><td> The id of the user or group to modify the access rights for</td></tr>
+<tr><td><code>order</code> </td><td> </td><td> The position of the entry within the list (see below for details)</td></tr>
+<tr><td><code>privilege@[privilege_name]</code> </td><td> </td><td> One param for each privilege to modify. The value must be either 'allow', 'deny' or 'none'. For backward compatibility, 'granted' or 'denied' are accepted as aliases for 'allow' or 'deny'.</td></tr>
+<tr><td><code>restriction@[restriction_name]</code> </td><td> 3.0.4 </td><td> One param for each restriction value. The same parameter name may be used again for multi-value restrictions. The value is the target value of the restriction.</td></tr>
+<tr><td><code>restriction@[restriction_name]@Delete</code> </td><td> 3.0.4 </td><td> One param for each restriction to delete. The parameter value is ignored and can be anything.</td></tr>
+<tr><td><code>privilege@[privilege_name]@Delete</code> </td><td> 3.1.0 </td><td> One param for each privilege to delete. The parameter value must be either 'allow', 'deny' or 'all' to specify which state to delete from.</td></tr>
+<tr><td><code>restriction@[privilege_name]@[restriction_name]@Allow</code> </td><td> 3.1.0 </td><td> One param for each restriction value to apply to the 'allow' privilege. The same parameter name may be used again for multi-value restrictions. The value is the target value of the restriction to be set.</td></tr>
+<tr><td><code>restriction@[privilege_name]@[restriction_name]@Deny</code> </td><td> 3.1.0 </td><td> One param for each restriction value to apply to the 'deny' privilege. The same parameter name may be used again for multi-value restrictions. The value is the target value of the restriction to be set.</td></tr>
+<tr><td><code>restriction@[privilege_name]@[restriction_name]@Delete</code> </td><td> 3.1.0 </td><td> One param for each restriction to delete. The parameter value must be either 'allow', 'deny' or 'all' to specify which state to delete from.</td></tr>
</tbody>
</table>
<p>The <code>order</code> parameter may have the following values:</p>
@@ -181,6 +215,17 @@
<tr><td>numeric </td><td> Place the target entry at the indicated numeric place amongst its siblings where <em>0</em> is equivalent to <code>first</code> and <em>1</em> means the second place</td></tr>
</tbody>
</table>
+<h4><a href="#parameters-conflict-resolution" id="parameters-conflict-resolution">Parameters Conflict Resolution</a></h4>
+<p><em>since version 3.1.0 for <a href="https://issues.apache.org/jira/browse/SLING-11243">SLING-11243</a></em></p>
+<p>The request parameters may be ambiguous or create a conflict. Below is the steps that are taken to resolve conflicts:</p>
+<ol>
+<li>The already existing ACE state is loaded from the repository (if any).</li>
+<li>All <code>privilege@[privilege_name]@Delete</code> parameters (if any) are processed to remove the specified privileges.</li>
+<li>All <code>restriction@[restriction_name]@Delete</code> and <code>restriction@[privilege_name]@[restriction_name]@Delete</code> parameters (if any) are processed to remove the specified restrictions that still exist.</li>
+<li>All <code>privilege@[privilege_name]</code> parameters (if any) are processed to allow, deny or remove the privilege based on the parameter value. When there are multiple applicable parameters, they are sorted before processing based on the longest privilege depth. For example, privilege "rep:addProperties" (depth=4) would be processed after "jcr:modifyProperties" (depth=3) as it is considered more specific.</li>
+<li>All <code>restriction@[privilege_name]@[restriction_name]@[Allow|Deny]</code> parameters (if any) are processed to update the restriction for the allow or deny privilege based on the parameter value. When there are multiple applicable parameters, they are sorted before processing based on the longest depth of the privilege. For example, privilege "rep:addProperties" (depth=4) would be processed after "jcr:modifyProperties" (depth=3) as it is considered more speci [...]
+<li>For any privileges remaining in the set, consolidate any aggregates that have all their contained privileges set. For example, if "rep:readNodes" and "rep:readProperties" are both set with the same restrictions, then a "jcr:read" privilege will replace those two.</li>
+</ol>
<p>Responses:</p>
<table>
<thead>
@@ -192,17 +237,54 @@
</tbody>
</table>
<p>Example with curl:</p>
-<pre><code>curl -FprincipalId=myuser -Fprivilege@jcr:read=granted http://localhost:8080/test/node.modifyAce.html
+<pre><code>curl -FprincipalId=myuser -Fprivilege@jcr:read=allow http://localhost:8080/test/node.modifyAce.html
</code></pre>
-<p>Single value restriction example with curl:</p>
-<pre><code>curl -FprincipalId=myuser -Fprivilege@jcr:read=granted -Frestriction@rep:glob=child1 http://localhost:8080/test/node.modifyAce.html
+<p>Single value restriction example:</p>
+<pre><code>curl -FprincipalId=myuser -Fprivilege@jcr:read=allow -Frestriction@rep:glob=child1 http://localhost:8080/test/node.modifyAce.html
</code></pre>
-<p>Multi value restriction example with curl:</p>
-<pre><code>curl -FprincipalId=myuser -Fprivilege@jcr:read=granted -Frestriction@rep:itemNames=name1 -Frestriction@rep:itemNames=name2 http://localhost:8080/test/node.modifyAce.html
+<p>Multi value restriction example:</p>
+<pre><code>curl -FprincipalId=myuser -Fprivilege@jcr:read=allow -Frestriction@rep:itemNames=name1 -Frestriction@rep:itemNames=name2 http://localhost:8080/test/node.modifyAce.html
</code></pre>
-<p>Remove existing restriction example with curl:</p>
+<p>Remove existing restriction example:</p>
<pre><code>curl -FprincipalId=myuser -Frestriction@rep:glob@Delete=yes http://localhost:8080/test/node.modifyAce.html
</code></pre>
+<p>Allow privilege with restrictions on descendant privilege example:</p>
+<pre><code>curl -FprincipalId=myuser -Fprivilege@jcr:read=allow -Frestriction@rep:readProperties@rep:glob@Allow=glob1 http://localhost:8080/test/node.modifyAce.html
+</code></pre>
+<h3><a href="#add-or-modify-principal-based-permissions" id="add-or-modify-principal-based-permissions">Add or modify principal based permissions</a></h3>
+<p><em>since version 3.1.0 for <a href="https://issues.apache.org/jira/browse/SLING-11272">SLING-11272</a></em></p>
+<p>To modify the principal based permissions for a node POST a request to <code>/<path-to-the-node>.modifyPAce.<html or json></code>. The following parameters are available:</p>
+<table>
+<thead>
+<tr><th>Name </th><th> Since </th><th> Description</th></tr>
+</thead>
+<tbody>
+<tr><td><code>principalId</code> </td><td> </td><td> The id of the service user to modify the access rights for</td></tr>
+<tr><td><code>privilege@[privilege_name]</code> </td><td> </td><td> One param for each privilege to modify. The value must be 'allow' or 'none'.</td></tr>
+<tr><td><code>restriction@[restriction_name]</code> </td><td> 3.0.4 </td><td> One param for each restriction value. The same parameter name may be used again for multi-value restrictions. The value is the target value of the restriction.</td></tr>
+<tr><td><code>restriction@[restriction_name]@Delete</code> </td><td> 3.0.4 </td><td> One param for each restriction to delete. The parameter value is ignored and can be anything.</td></tr>
+<tr><td><code>privilege@[privilege_name]@Delete</code> </td><td> 3.1.0 </td><td> One param for each privilege to delete. The parameter value must be 'allow'.</td></tr>
+<tr><td><code>restriction@[privilege_name]@[restriction_name]@Allow</code> </td><td> 3.1.0 </td><td> One param for each restriction value to apply to the 'allow' privilege. The same parameter name may be used again for multi-value restrictions. The value is the target value of the restriction to be set.</td></tr>
+<tr><td><code>restriction@[privilege_name]@[restriction_name]@Delete</code> </td><td> 3.1.0 </td><td> One param for each restriction to delete. The parameter value must be 'allow' to specify which state to delete from.</td></tr>
+</tbody>
+</table>
+<p>NOTE: The resource path for a principal based entry does not need to exist yet to be set. Also, a special resource path of <code>/:repository</code> can be used for setting repo-level permissions.</p>
+<p>Responses:</p>
+<table>
+<thead>
+<tr><th>Status Code </th><th> Description</th></tr>
+</thead>
+<tbody>
+<tr><td>200 </td><td> Success</td></tr>
+<tr><td>500 </td><td> Failure, HTML (or JSON) explains failure.</td></tr>
+</tbody>
+</table>
+<p>Example with curl:</p>
+<pre><code>curl -FprincipalId=myServiceUserId -Fprivilege@jcr:read=allow http://localhost:8080/test/node.modifyPAce.html
+</code></pre>
+<p>Example for repo-level permissions not for a specific resource:</p>
+<pre><code>curl -FprincipalId=myServiceUserId -Fprivilege@jcr:read=allow http://localhost:8080/:repository.modifyPAce.html
+</code></pre>
<h2><a href="#delete-permissions" id="delete-permissions">Delete permissions</a></h2>
<p>To delete permissions for a node POST a request to <code>/<path-to-the-node>.deleteAce.<html or json></code>. The following parameters are available:</p>
<table>
@@ -226,20 +308,152 @@
<p>Example with curl:</p>
<pre><code>curl -F:applyTo=myuser http://localhost:8080/test/node.deleteAce.html
</code></pre>
+<h3><a href="#delete-principal-based-permissions" id="delete-principal-based-permissions">Delete principal based permissions</a></h3>
+<p><em>since version 3.1.0 for <a href="https://issues.apache.org/jira/browse/SLING-11272">SLING-11272</a></em></p>
+<p>To delete principal based permissions for a node POST a request to <code>/<path-to-the-node>.deletePAce.<html or json></code>. The following parameters are available:</p>
+<table>
+<thead>
+<tr><th>Parameter Name </th><th> Required </th><th> Description</th></tr>
+</thead>
+<tbody>
+<tr><td><code>:applyTo</code> </td><td> yes </td><td> An array of ids of the service users whose permissions are to be deleted.</td></tr>
+</tbody>
+</table>
+<p>Responses:</p>
+<table>
+<thead>
+<tr><th>Status Code </th><th> Description</th></tr>
+</thead>
+<tbody>
+<tr><td>200 </td><td> Success</td></tr>
+<tr><td>500 </td><td> Failure, HTML (or JSON) explains failure.</td></tr>
+</tbody>
+</table>
+<p>Example with curl:</p>
+<pre><code>curl -F:applyTo=myServiceUserId http://localhost:8080/test/node.deletePAce.html
+</code></pre>
+<p>Example for repo-level permissions not for a specific resource:</p>
+<pre><code>curl -FprincipalId=myServiceUserId http://localhost:8080/:repository.deletePAce.html
+</code></pre>
<h2><a href="#get-permissions" id="get-permissions">Get permissions</a></h2>
-<h3><a href="#bound-permissions" id="bound-permissions">Bound Permissions</a></h3>
-<p>To get the permissions bound to a particular node in a json format for a node send a GET request to <code>/<path-to-the-node>.acl.json</code>.</p>
+<h3><a href="#defined-permissions-list" id="defined-permissions-list">Defined Permissions List</a></h3>
+<p>To get the permissions defined on a particular node in a json format, send a GET request to <code>/<path-to-the-node>.acl.json</code>.</p>
<p>Example:</p>
<pre><code>http://localhost:8080/test/node.acl.json
</code></pre>
-<h3><a href="#effective-permissions" id="effective-permissions">Effective Permissions</a></h3>
-<p>To get the permissions which are effective for a particular node in a json format for a node send a GET request to <code>/<path-to-the-node>.eacl.json</code>.</p>
+<h3><a href="#effective-permissions-list" id="effective-permissions-list">Effective Permissions List</a></h3>
+<p>To get the permissions which are effective for a particular node in a json format, send a GET request to <code>/<path-to-the-node>.eacl.json</code>.</p>
<p>Example:</p>
<pre><code>http://localhost:8080/test/node.eacl.json
</code></pre>
<div class="note">
See section 16.3 of the JCR 2.0 specification for an explanation of the difference between bound and effective policies.
</div>
+<h3><a href="#defined-permissions-entry" id="defined-permissions-entry">Defined Permissions Entry</a></h3>
+<p><em>since version 3.1.0 for <a href="https://issues.apache.org/jira/browse/SLING-11271">SLING-11271</a></em></p>
+<p>To get the permissions bound to a particular node for a specific person in a json format, send a GET request to <code>/<path-to-the-node>.ace.json?pid=[principalId]</code>.</p>
+<table>
+<thead>
+<tr><th>Parameter Name </th><th> Required </th><th> Description</th></tr>
+</thead>
+<tbody>
+<tr><td><code>pid</code> </td><td> yes </td><td> The id of the user or group whose permissions are to be retrieved.</td></tr>
+</tbody>
+</table>
+<p>Responses:</p>
+<table>
+<thead>
+<tr><th>Status Code </th><th> Description</th></tr>
+</thead>
+<tbody>
+<tr><td>200 </td><td> Success</td></tr>
+<tr><td>404 </td><td> No entry is defined for the specified principal id</td></tr>
+<tr><td>500 </td><td> Failure, HTML (or JSON) explains failure.</td></tr>
+</tbody>
+</table>
+<p>Example:</p>
+<pre><code>http://localhost:8080/test/node.ace.json?pid=everyone
+</code></pre>
+<h3><a href="#effective-permissions-entry" id="effective-permissions-entry">Effective Permissions Entry</a></h3>
+<p><em>since version 3.1.0 for <a href="https://issues.apache.org/jira/browse/SLING-11271">SLING-11271</a></em></p>
+<p>To get the permissions which are effective for a particular node and for a specific person in a json format, send a GET request to <code>/<path-to-the-node>.eace.json?pid=[principalId]</code>.</p>
+<table>
+<thead>
+<tr><th>Parameter Name </th><th> Required </th><th> Description</th></tr>
+</thead>
+<tbody>
+<tr><td><code>pid</code> </td><td> yes </td><td> The id of the user or group whose permissions are to be retrieved.</td></tr>
+</tbody>
+</table>
+<p>Responses:</p>
+<table>
+<thead>
+<tr><th>Status Code </th><th> Description</th></tr>
+</thead>
+<tbody>
+<tr><td>200 </td><td> Success</td></tr>
+<tr><td>404 </td><td> No entry is defined for the specified principal id</td></tr>
+<tr><td>500 </td><td> Failure, HTML (or JSON) explains failure.</td></tr>
+</tbody>
+</table>
+<p>Example:</p>
+<pre><code>http://localhost:8080/test/node.eace.json?pid=everyone
+</code></pre>
+<h3><a href="#defined-principal-based-permissions-entry" id="defined-principal-based-permissions-entry">Defined Principal Based Permissions Entry</a></h3>
+<p><em>since version 3.1.0 for <a href="https://issues.apache.org/jira/browse/SLING-11272">SLING-11272</a></em></p>
+<p>To get the principal based permissions which are defined for a particular node and for a specific person in a json format, send a GET request to <code>/<path-to-the-node>.pace.json?pid=[principalId]</code>.</p>
+<table>
+<thead>
+<tr><th>Parameter Name </th><th> Required </th><th> Description</th></tr>
+</thead>
+<tbody>
+<tr><td><code>pid</code> </td><td> yes </td><td> The id of the service user whose principal based permissions are to be retrieved.</td></tr>
+</tbody>
+</table>
+<p>Responses:</p>
+<table>
+<thead>
+<tr><th>Status Code </th><th> Description</th></tr>
+</thead>
+<tbody>
+<tr><td>200 </td><td> Success</td></tr>
+<tr><td>404 </td><td> No entry is defined for the specified principal id</td></tr>
+<tr><td>500 </td><td> Failure, HTML (or JSON) explains failure.</td></tr>
+</tbody>
+</table>
+<p>Example:</p>
+<pre><code>http://localhost:8080/test/node.pace.json?pid=serviceUserId
+</code></pre>
+<h2><a href="#migration-from-3x-version" id="migration-from-3x-version">Migration from 3.x version</a></h2>
+<p><em>since version 3.1.0 for <a href="https://issues.apache.org/jira/browse/SLING-11233">SLING-11233</a></em></p>
+<p>In the previous versions, the restriction details in the ACL json output could be ambiguous in some situations. For <a href="https://issues.apache.org/jira/browse/SLING-11233">SLING-11233</a> the JSON output structure was changed. The previous "granted/denied/restrictions" items in each ACE were replaced with a "privileges" structure whose items are the allow or deny privileges. Each privilege now has a "deny" and/or "allow" child whose value [...]
+<p>Any code that was expecting the previous JSON structure will need to be adjusted to compensate for the new structure.</p>
+<p>For example:</p>
+<pre><code>{
+ "user1":{
+ "principal":"user1",
+ "order":0,
+ "privileges":{
+ "jcr:read":{
+ "allow":{
+ "rep:glob":"glob1"
+ }
+ },
+ "jcr:readAccessControl":{
+ "allow":{
+ "rep:itemNames":[
+ "name1",
+ "name2"
+ ]
+ }
+ },
+ "rep:write":{
+ "deny":true
+ }
+ }
+ }
+}
+</code></pre>
</section></div></div>
</div>
</div>
@@ -251,7 +465,7 @@ See section 16.3 of the JCR 2.0 specification for an explanation of the differen
content/documentation/bundles/managing-permissions-jackrabbit-accessmanager.md
</a>
</div> <div class="revisionInfo">
- Last modified by <span class="author">Eric Norman</span> on <span class="comment">2020-10-11</span>
+ Last modified by <span class="author">Eric Norman</span> on <span class="comment">2022-11-18</span>
</div><p>
Apache Sling, Sling, Apache, the Apache feather logo, and the Apache Sling project
logo are trademarks of The Apache Software Foundation. All other marks mentioned
diff --git a/sitemap.xml b/sitemap.xml
index d46567122..c769d6a3c 100644
--- a/sitemap.xml
+++ b/sitemap.xml
@@ -1,6 +1,8 @@
<?xml version="1.0"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0.9 http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd">
<url>
+ <loc>https://sling.apache.org/documentation/bundles/managing-permissions-jackrabbit-accessmanager.html</loc><lastmod>2022-11-18</lastmod>
+ </url><url>
<loc>https://sling.apache.org/project-information/project-team.html</loc><lastmod>2022-10-31</lastmod>
</url><url>
<loc>https://sling.apache.org/old-stuff/scriptengineintegration/groovy-support.html</loc><lastmod>2017-09-29</lastmod>
@@ -130,8 +132,6 @@
<loc>https://sling.apache.org/documentation/bundles/resource-merger.html</loc><lastmod>2022-08-06</lastmod>
</url><url>
<loc>https://sling.apache.org/documentation/bundles/osgi-installer.html</loc><lastmod>2022-05-31</lastmod>
- </url><url>
- <loc>https://sling.apache.org/documentation/bundles/managing-permissions-jackrabbit-accessmanager.html</loc><lastmod>2020-10-11</lastmod>
</url><url>
<loc>https://sling.apache.org/documentation/bundles/dynamic-includes.html</loc><lastmod>2018-09-12</lastmod>
</url><url>