- A quick overview of Authentication and Authorization
- Authorization for CQ WCM - The Concepts
- Configuring the Users and Groups
- Accessing User Administration with the Security Console
- Filtering Users and Groups
- Hiding Users and Groups
- Creating Users and Groups
- Deleting Users and Groups
- Modifying User and Group Properties
- Changing a User Password
- Groups - adding a User or Group to a Group
- Members - adding Users or Groups to a Group
- Setting Page Permissions
- Setting Replication Privileges
- Setting Privileges
- Impersonating Users
- Setting User and Group Preferences
This chapter describes how to configure and maintain user authorization and also describes the theory behind how authentication and authorization work in CQ WCM.
Authentication is the process of identifying, and verifying, a user.
The process of authentication and login can be broken down as follows:
Authentication information is extracted from the request. In CQ this is done by an authentication handler.
The authentication information is then checked to determine whether it is sufficient and/or correct. In CQ this is performed by the login modules.
The appropriate response is initiated.
For CQ, initial authentication uses a standard HTML-login form in conjunction with the Authorization Header Authentication Handler. The HTML-form must have fields for the user name and password (the same field names must then be used by the Authorization Header Authentication Handler).
You can also use a similar form for controlled access to various areas of your website.
The various authentication methods can be realized by using different login modules.
For example, CQ can interact with a LDAP server that stores user information centrally, eliminating the need for duplication. This central server is then used to verify login information which enables you to realize Single Sign On, both with other in-house applications and external Portals. See CRX - LDAP Authentication for further information.
Authorization determines whether a user is allowed to take action on specific areas within the system. For example, a user can be authorized to read or update a specific page.
Authorization is managed using a series of entities:
A user accesses a system using their user account. A user models either a human user or an external system connected to the system. The user account holds the details needed for accessing CQ; a key purpose of an account is to provide the information for the authentication and login processes - allowing a user to log in.
A group is a collection of users and/or other groups. A change in the permissions/privileges assigned to a group is automatically applied to all users in that group. A user does not have to belong to any group, but often belongs to several.
Actions are performed on a resource. For example, a user can read, edit or delete a page, amongst other actions.
A permission allows a user to perform an action on a given resource within the repository. Permissions are stored, and can be seen, at resource level within the repository.
Privileges allow access to functionality available within the application; for example, replication of a specific path, or the ability to update the page hierarchy (including creating new pages).
Resources define the functionality to be accessed.