Permission denied error

[RichuKakkar1]

we are using netcentric yaml scripts to apply permssions in AEMaacs. Everything was working fine few weeks back when we ran last updated scripts in AEM cloud - QA . Now when we tried running the same scripts for QA and UAT again, it says permission denied error. There has been no change in the scripts and we can't see anything in error logs. Although there have been AEM updates in cloud with 2025.1.19149.20250116T154450Z.

Upon checking request and aem request logs-

https://author-p101803-e981799.adobeaemcloud.com/mnt/overlay/netcentric/actool/content/overview/content/items/actoolpanel
Request Method:
POST
Status Code:
403 Forbidden

Could anyone help on what could be the issue ?

[chathoth]

I'm encountering the same issue today. I would greatly appreciate it if anyone could share a solution.

[GianSerr]

Also me I'm facing the same error in the cloud, in local is working fine (SDK: 2025.1.19149.20250116T154450Z-241100 and netcentric.actool version: 3.3.0)

[Positronic-Brain]

Can anybody export detailed logs of the issue?

[GianSerr]

By cloud logs, I see that the bundle is unregistered and never re-registered:

31.01.2025 10:47:44.638 [cm-p******-e******-aem-author-******-sqcwb] INFO [FelixLogListener] Events.Service.org.apache.sling.serviceusermapper Service [org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~ncActoolSystemUser,808, [org.apache.sling.serviceusermapping.impl.MappingConfigAmendment]] ServiceEvent UNREGISTERING

I don't know if could be usefull this log, but is the only one I found, no error are printed in the errorlog

[GianSerr]

I collected more logs from my last deployment, it seems that AC Tool is registered and after a minute is unregistered and finally stopped.

The logs are shown below, I hope they help

Registering

31.01.2025 10:45:37.666 [cm-p******-e******-aem-author-6cb57654df-nw57q] INFO [ResourceResolverFactory registration] biz.netcentric.cq.tools.actool.impl.AcInstallationServiceImpl Activated AC Tool at start level 30 default config path: []
31.01.2025 10:45:37.669 [cm-p******-e******-aem-author-6cb57654df-nw57q] INFO [ResourceResolverFactory registration] biz.netcentric.cq.tools.actool.startuphook.impl.AcToolStartupHookServiceImpl AcTool Startup Hook (start level: 30 isCloudReady: true activationMode: CLOUD_ONLY runAsyncForMutableConent: true)
31.01.2025 10:45:37.671 [cm-p******-e******-aem-author-6cb57654df-nw57q] INFO [ResourceResolverFactory registration] biz.netcentric.cq.tools.actool.startuphook.impl.AcToolStartupHookServiceImpl Repo is running with Composite NodeStore: true
31.01.2025 10:45:37.698 [cm-p******-e******-aem-author-6cb57654df-nw57q] INFO [ResourceResolverFactory registration] biz.netcentric.cq.tools.actool.startuphook.impl.AcToolStartupHookServiceImpl Running AcTool asynchronously on mutable content of composite node store (config runAsyncForMutableConent=true)...
31.01.2025 10:45:37.698 [cm-p******-e******-aem-author-6cb57654df-nw57q] INFO [ResourceResolverFactory registration] biz.netcentric.cq.tools.actool.startuphook.impl.AcToolStartupHookServiceImpl Running AcTool with paths [/bin, /conf, /content, /etc, /home, /system, /tmp, /var, ^/$, ^$]...
31.01.2025 10:45:37.702 [cm-p******-e******-aem-author-6cb57654df-nw57q] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.installhook.impl.AcToolInstallHookServiceImpl,7727, [biz.netcentric.cq.tools.actool.installhook.AcToolInstallHookService]] ServiceEvent REGISTERED
31.01.2025 10:45:37.709 [cm-p******-e******-aem-author-6cb57654df-nw57q] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.jmx.AceServiceMBeanImpl,7728, [biz.netcentric.cq.tools.actool.jmx.AceServiceMBean]] ServiceEvent REGISTERED
31.01.2025 10:45:37.711 [cm-p******-e******-aem-author-6cb57654df-nw57q] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.ui.AcToolUiService,7729, [biz.netcentric.cq.tools.actool.ui.AcToolUiService]] ServiceEvent REGISTERED
31.01.2025 10:45:37.714 [cm-p******-e******-aem-author-6cb57654df-nw57q] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.ui.AcToolTouchUiServlet,7730, [javax.servlet.Servlet]] ServiceEvent REGISTERED
31.01.2025 10:45:37.742 [cm-p******-e******-aem-author-6cb57654df-nw57q] WARN [ResourceResolverFactory registration] org.apache.felix.webconsole Legacy webconsole plugin found. Update this to the Jakarta Servlet API: Service 7731([javax.servlet.Servlet]) from bundle biz.netcentric.cq.tools.accesscontroltool.bundle:3.3.0(643)
31.01.2025 10:45:37.744 [cm-p******-e******-aem-author-6cb57654df-nw57q] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.ui.AcToolWebconsolePlugin,7731, [javax.servlet.Servlet]] ServiceEvent REGISTERED
31.01.2025 10:45:37.746 [cm-p******-e******-aem-author-6cb57654df-nw57q] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.impl.JcrInstallUrlHandler,7732, [org.osgi.service.url.URLStreamHandlerService]] ServiceEvent REGISTERED

Unregistering
31.01.2025 10:46:37.799 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.aceinstaller.AceBeanInstallerIncremental,5285, [biz.netcentric.cq.tools.actool.aceinstaller.AceBeanInstaller]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.803 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.aem.AemCryptoDecryptionService,5287, [biz.netcentric.cq.tools.actool.crypto.DecryptionService]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.804 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.authorizableinstaller.impl.AuthorizableInstallerServiceImpl,5288, [biz.netcentric.cq.tools.actool.authorizableinstaller.AuthorizableInstallerService]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.808 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.configreader.TestUserConfigsCreator,5323, [biz.netcentric.cq.tools.actool.configreader.TestUserConfigsCreator]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.809 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.configreader.YamlConfigurationMerger,5342, [biz.netcentric.cq.tools.actool.configreader.ConfigurationMerger]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.815 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.configreader.YamlConfigReader,5299, [biz.netcentric.cq.tools.actool.configreader.ConfigReader]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.822 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.authorizableinstaller.impl.ExternalGroupInstallerServiceImpl,5289, [biz.netcentric.cq.tools.actool.authorizableinstaller.impl.ExternalGroupInstallerServiceImpl]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.825 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.authorizableinstaller.impl.ImpersonationInstallerServiceImpl,5290, [biz.netcentric.cq.tools.actool.authorizableinstaller.impl.ImpersonationInstallerServiceImpl]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.828 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.configmodel.pkcs.JcaPkcs8EncryptedPrivateKeyDecryptor,5294, [biz.netcentric.cq.tools.actool.configmodel.pkcs.PrivateKeyDecryptor]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.831 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.configreader.ConfigFilesRetrieverImpl,5321, [biz.netcentric.cq.tools.actool.configreader.ConfigFilesRetriever]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.834 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.configreader.VirtualGroupProcessor,5298, [biz.netcentric.cq.tools.actool.configreader.VirtualGroupProcessor]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.838 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.configreader.YamlMacroChildNodeObjectsProviderImpl,5300, [biz.netcentric.cq.tools.actool.configreader.YamlMacroChildNodeObjectsProvider]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.839 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.configreader.YamlMacroProcessorImpl,5301, [biz.netcentric.cq.tools.actool.configreader.YamlMacroProcessor]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.844 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.crypto.SimpleDecryptionService,5302, [biz.netcentric.cq.tools.actool.crypto.DecryptionService]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.846 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.dumpservice.impl.DumpServiceImpl,5304, [biz.netcentric.cq.tools.actool.dumpservice.ConfigDumpService]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.849 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.healthcheck.LastRunSuccessHealthCheck,5306, [org.apache.sling.hc.api.HealthCheck]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.852 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.history.impl.AcHistoryServiceImpl,5305, [biz.netcentric.cq.tools.actool.history.AcHistoryService]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.855 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.impl.AcConfigChangeTracker,5307, [biz.netcentric.cq.tools.actool.impl.AcConfigChangeTracker]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.858 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.impl.JcrInstallUrlHandler,5313, [org.osgi.service.url.URLStreamHandlerService]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.861 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.slingsettings.ExtendedSlingSettingsServiceImpl,5319, [biz.netcentric.cq.tools.actool.slingsettings.ExtendedSlingSettingsService]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.865 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.ui.WebConsoleConfigTracker,5327, [biz.netcentric.cq.tools.actool.ui.WebConsoleConfigTracker, org.osgi.service.cm.ConfigurationListener]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.868 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.user.impl.UserProcessorImpl,5334, [biz.netcentric.cq.tools.actool.user.UserProcessor]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.870 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.validators.ExternalGroupsInIsMemberOfValidator,5338, [biz.netcentric.cq.tools.actool.validators.ExternalGroupsInIsMemberOfValidator]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.873 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [biz.netcentric.cq.tools.actool.validators.impl.ObsoleteAuthorizablesValidatorImpl,5341, [biz.netcentric.cq.tools.actool.validators.ObsoleteAuthorizablesValidator]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.876 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Service.biz.netcentric.cq.tools.accesscontroltool.bundle Service [5277, [org.osgi.service.cm.ManagedService]] ServiceEvent UNREGISTERING
31.01.2025 10:46:37.878 [cm-p******-e******-aem-author-545bf64d7b-9mtmj] INFO [FelixLogListener] Events.Bundle.biz.netcentric.cq.tools.accesscontroltool.bundle BundleEvent STOPPED

[kwin]

The log shows two different kubernetes pods (aem-author-545bf64d7b-9mtmj and aem-author-6cb57654df-nw57q) so I am pretty sure on the relevant pod the bundle is still active. Please look at

accesscontroltool/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/ui/AcToolUiService.java

Line 164 in 7056c99

private boolean hasAccessToFelixWebConsole(HttpServletRequest req) {

for when you get a 403.

Compare with https://github.com/Netcentric/accesscontroltool/blob/develop/docs/ApplyConfig.md#touch-ui

The same interface as available via Web Console is also available via Touch UI at Tools -> Security -> Netcentric AC Tool if you are admin on the instance. When using AEM as a Cloud Service, the console will be available if you are in the admin group for the AEM env as set up in adminconsole

[GianSerr]

thanks for your reply @kwin
could you be more precise, I checked the code you suggested and I saw that the popup saying Permission Denied appears when I receive a 403, but the question is why do I receive 403 if I am part of the Admin group of the instance, actually I am admin of all the permissions that can be given from the admin console.

Until a fortnight ago I was able to invoke the tool without any problem.

Could you please be more precise?
what can i check?

Console Error:

thanks in advance

[kwin]

Please adjust the log level to DEBUG to see the underlying issue. There are quite some DEBUG logs in

accesscontroltool/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/ui/AcToolUiService.java

Lines 164 to 199 in 7056c99

	private boolean hasAccessToFelixWebConsole(HttpServletRequest req) {
	if (!(req instanceof SlingHttpServletRequest)) {
	// outside Sling this is only called by the Felix Web Console, which has its own security layer
	LOG.debug("Outside Sling no additional security checks are performed!");
	return true;
	}
	try {
	User requestUser = SlingHttpServletRequest.class.cast(req).getResourceResolver().adaptTo(User.class);
	if (requestUser != null) {
	if (StringUtils.equals(requestUser.getID(), "admin")) {
	LOG.debug("Admin user is allowed to apply AC Tool");
	return true;
	}
	if (ArrayUtils.contains(webConsoleConfig.getAllowedUsers(), requestUser.getID())) {
	LOG.debug("User {} is allowed to apply AC Tool (allowed users: {})", requestUser.getID(), ArrayUtils.toString(webConsoleConfig.getAllowedUsers()));
	return true;
	}
	Iterator<Group> memberOfIt = requestUser.memberOf();
	while (memberOfIt.hasNext()) {
	Group memberOfGroup = memberOfIt.next();
	if (ArrayUtils.contains(webConsoleConfig.getAllowedGroups(), memberOfGroup.getID())) {
	LOG.debug("Group {} is allowed to apply AC Tool (allowed groups: {})", memberOfGroup.getID(), ArrayUtils.toString(webConsoleConfig.getAllowedGroups()));
	return true;
	}
	}
	}
	LOG.debug("Could not get associated user for Sling request");
	return false;
	} catch (Exception e) {
	throw new IllegalStateException("Could not check if user may apply AC Tool configuration: " + e, e);
	}
	}

which should help find the underlying issue. Maybe this is a regression triggered by https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/security/changes-in-user-group-and-product-profile-synchronization?lang=en. You can also check in /ui#/aem/security/users.html which groups you are member of to see if this really the admin one which has access to Felix Web Console.

[kwin]

Seems the default OSGi configuration for PID org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider has changed. It does no longer grant the IMS Admin Groups any kind of access. I will investigate with which version of AEMaaCS this has changed...

It looks like this in 2025.1.19149

{
    "pid": "org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider",
    "properties": {
        "groups": [
            "administrators",
            "fragment-web-console",
            "CM_DEVELOPER_ROLE_PROFILE",
            "Cloud Manager - Developer Role",
            "CM_CS_DEVELOPER_ROLE_PROFILE",
            "Developer - Cloud Service"
        ]
    }
}

This was like this since quite some time but due to this change https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/security/changes-in-user-group-and-product-profile-synchronization?lang=en e.g. the Cloud Manager groups are no longer visible (i.e. completely irrelevant in this config). Before all users having access to CloudManager implicitly had access to ACTool as well...

[kwin]

Probably leveraging our own config to manage the access (similar to what Groovyconsole does, orbinson/aem-groovy-console#55) is reasonable. That way it should be more stable.
The environment variable $[env:aemCloudAdministrators;default=administrators] should expose the group name of the IMS managed AEM admin product profile, we could leverage that in the default OSGi config value.

[GianSerr]

Ok, thanks @kwin,
let me know please.

do you need the logs in debug level?
I'm going to create the logs.

thanks

[kwin]

@GianSerr No additional logs necessary. This should be fixed with #782, supposed to be included in the upcoming ACTool release.

[mkaczorowski]

Hello @kwin,

It looks like this in 2025.1.19149

Are you sure that the project you checked it on doesn't have configuration overridden?

AEM Release 2025.1.19149.20250116T154450Z still have it as it used to be (issue is reproducible and appeared after Adobe's group clean-up).

  {
   "pid": "org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider",
   "properties": {
     "groups": [
       "administrators",
       "$[env:aemCloudAdministrators;default=administrators]",
       "CM_DEVELOPER_ROLE_PROFILE",
       "Cloud Manager - Developer Role",
       "CM_CS_DEVELOPER_ROLE_PROFILE",
       "Developer - Cloud Service"
     ]
   }
 }

[kwin]

I checked directly with the developer console on Cloud instances. @mkaczorowski: How did you check? Could also be thaz the environment variable aemCloudAdministrators is no longer populated…

[mkaczorowski]

I checked exactly like you did (developer console on the author cloud environment with version I mentioned above).

Could also be thaz the environment variable aemCloudAdministrators is no longer populated

That’s my assumption as well, though I haven’t been able to confirm it yet.

[kwin]

@mkaczorowski You are right, I just confirmed on a plain AEMaaCS cloud author instance, and indeed there the config is

{
    "pid": "org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider",
    "properties": {
        "groups": [
            "administrators",
            "$[env:aemCloudAdministrators;default=administrators]",
            "CM_DEVELOPER_ROLE_PROFILE",
            "Cloud Manager - Developer Role",
            "CM_CS_DEVELOPER_ROLE_PROFILE",
            "Developer - Cloud Service"
        ]
    }
},

[kwin]

@GianSerr Please check the OSGi config for PID org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider and the group memberships of the affected user.

[RichuKakkar1]

Hi @kwin @mkaczorowski ,

I have administrative rights through adminconsole and facing the issue.

From your last comment to check the config for PID, I see below config for
2025.1.19149.20250116T154450Z

• pid: "org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider"
  properties:
  groups:
  • "administrators"
  • "$[env:aemCloudAdministrators;default=administrators]"
  • "CM_DEVELOPER_ROLE_PROFILE"
  • "Cloud Manager - Developer Role"
  • "CM_CS_DEVELOPER_ROLE_PROFILE"
  • "Developer - Cloud Service"

I couldn't catch much of the conversation on what could be the reason for the permission denied. Could you care to elaborate and provide next steps on what needs to be done to get it resolved ? Is it something that requires fix in tool ?

[kwin]

@RichuKakkar1 Please check and share the group memberships of your user inside AEM! The reason for this behavior is not clear yet.

[RichuKakkar1]

pls ignore the custom groups, I have admin rights for the particular env- [cbdt_mod_my_rdo_editor, cbdt_mod_my_rdo_approver, cbdt_lub_hk_id_admin, cbdt_mod_tr_rdo_approver, cbdt_lub_ae_dir_approver, cbdt_mod_my_rdo_admin, cbdt_mob_global_lim_approver, Adobe_Other Experience Cloud products, cbdt_lub_be_id_editor, cbdt_avi_dir_fue_approver, cbdt_avi_global_lub_approver, cbdt_cof_hk_dir_approver, cbdt_mod_tr_rdo_editor, cbdt_mod_hk_rba_editor, cbdt_lub_us_id_approver, cbdt_lub_hk_dir_approver, cbdt_lub_th_dir_editor, cbdt_avi_jv_fue_approver, cbdt_lub_jp_dir_approver, cbdt_lub_gb_dir_editor, AEM Administrators - author - Program 101803 - Environment 960714, cbdt_lub_gb_dir_admin, cbdt_cof_th_id_approver, cbdt_lub_gb_id_editor, cbdt_lub_at_dir_editor, cbdt_mod_hk_rba_admin, sch_superuser, cbdt_lub_hk_id_approver, cbdt_mod_de_mfa_editor, cbdt_lub_mo_id_approver, cbdt_cof_th_dir_approver, AEM Users-8e47719835873ea89eb33ae6ca20d943, cbdt_mod_ca_editor, cbdt_mod_tr_rdo_admin, cbdt_mod_hk_rba_approver, AEM Administrators - Service, AEM Users - Service, cbdt_lub_kg_md_editor, cbdt_lub_at_dir_approver, cbdt_cof_ae_id_approver, cbdt_lub_ua_md_approver, cbdt_lub_th_id_approver, cbdt_lub_jp_id_approver, cbdt_lub_in_id_approver, cbdt_avi_global_fue_approver]

[kwin]

I could reproduce now with a default OSGi configuration for org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider. Still not sure why the permission check is broken, investigating...

[GianSerr]

Hi @kwin , I checked my OSGi config org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider

I added on my user Administrators group and seems I'm able to invoke the service