Validation of the final permission of a user & compare it to an older state
I inherited an overly complex roles & rights structure, which was fortunately already being implemented with the AC tool. Right now I am in the process of cleaning these up, and it goes together with a great amount of validation and testing if the changed setup results in the same permissions for given users or if their permissions have been changed (hopefully in the way I anticipated).
Right now the only way to find out is to manually check this, which is often incomplete and a time-consuming process. It would be great if that could be automated in a way that I can review a diff of effective changes for certain users and paths (which I have to define upfront). Executing this in an AEM instance is ok (although using an In-Memory Oak repo for easier automation would be great).
This would lead to a greater confidence in changes and avoid unnecessary reworks caused by user feedback.
Two options come to my mind that work today:
- https://github.com/Netcentric/access-control-validator can be used
- you could use JMX to dump all ACLs after deployment and commit it to a git repo (using some external automation like Jenkins) - that would give you a great history of what exactly has changed when effectively
Now the latter one could maybe also be created automatically saving a diff compared to the last time at the execution sub folder of /var/statistics/achistory (downside is that it would have to query all ACLs again which takes the bulk of the execution time for large installations) - but maybe having it externally in a git repo is even more useful.
Regarding https://github.com/Netcentric/access-control-validator, version 1.0.0 has been released meanwhile
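One way to review two ACL dumps for a fixed set of principals and paths, as asked for in the original request (an added example, not code from the AC Tool, the validator, or this thread). The snapshot structure is an assumption and all entries are constructed; it compares ACL entries as written, not Oak's evaluated effective permissions.

```python
# Added example. The dict-based snapshot format is an assumption, not the
# AC Tool's dump format; convert a real dump into this shape first.
from typing import NamedTuple

class Ace(NamedTuple):
    path: str
    principal: str
    allow: bool
    privileges: frozenset

def load(entries):
    """Normalize raw entries so trailing slashes and privilege order do not show as changes."""
    return {Ace(e["path"].rstrip("/") or "/", e["principal"], e["allow"],
                frozenset(e["privileges"])) for e in entries}

def in_scope(ace, principals, path_prefixes):
    """True if the entry is for a watched principal at or below a watched path."""
    under = any(ace.path == p or ace.path.startswith(p.rstrip("/") + "/")
                for p in path_prefixes)
    return ace.principal in principals and under

def describe(ace):
    kind = "allow" if ace.allow else "deny"
    return f"{ace.principal} {kind} {','.join(sorted(ace.privileges))} on {ace.path}"

def diff_snapshots(old, new, principals, path_prefixes):
    """Return (removed, added) entries, limited to the watched principals and paths."""
    old_s = {a for a in load(old) if in_scope(a, principals, path_prefixes)}
    new_s = {a for a in load(new) if in_scope(a, principals, path_prefixes)}
    return (sorted(describe(a) for a in old_s - new_s),
            sorted(describe(a) for a in new_s - old_s))

# Constructed sample snapshots (before and after a cleanup).
OLD = [
    {"path": "/content/site", "principal": "authors", "allow": True, "privileges": ["jcr:read", "rep:write"]},
    {"path": "/content/site/secure", "principal": "authors", "allow": False, "privileges": ["jcr:read"]},
    {"path": "/content/site2", "principal": "authors", "allow": True, "privileges": ["jcr:read"]},
]
NEW = [
    {"path": "/content/site/", "principal": "authors", "allow": True, "privileges": ["rep:write", "jcr:read"]},
    {"path": "/content/site2", "principal": "authors", "allow": True, "privileges": ["jcr:all"]},
]

if __name__ == "__main__":
    removed, added = diff_snapshots(OLD, NEW, {"authors"}, ["/content/site"])
    for line in removed:
        print("- " + line)  # a dropped deny here widens access and deserves review
    for line in added:
        print("+ " + line)
```

A removed `deny` entry is the case to look at first, since a cleanup that drops it widens access without any new `allow` appearing in the diff.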