AEM Restricted Backup User

The AEM backup curl command is often run with admin credentials. For security reasons, however, it may be undesirable to store the AEM admin user's credentials in plaintext in a system script. To mitigate this, a generic user can be created and granted narrower access rights to the Granite backup console. This restricts the user to starting, stopping, and viewing a list of backups.

Limited User account

To do this, we first go into the AEM user manager interface and simply create a generic user to be used for backups. The name of this user is not important as long as it clearly identifies its purpose.

Once the user is created, the screenshot below illustrates exactly which permissions it should be assigned in order to be able to kick off backup jobs.

Backup User Permissions

Backup Script Changes

Since we are not granting this generic user access to the OSGi console, it cannot use the normal curl command specified in the AEM documentation (typically something like http://localhost:4504/system/console/jmx/com.adobe.granite:type=Repository/op/startBackup/java.lang.String?target=repositoryBackup.zip). Instead, the script needs to POST to the Granite backup console, using a command that is very similar to the previous one with some minor path changes. An example command:

    curl -u userName:Password -X POST http://localhost:4502/libs/granite/backup/content/admin/backups/?delay=10\&target=repositoryBackup.zip
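One way to wrap the Granite backup call above in a script that keeps the restricted user's password out of the script body and off the curl command line. This is an added example, not code from the original post. The netrc path, the account name "backup-svc", and the rule that the target must be a plain file name are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: start an AEM backup as the restricted backup user without
# putting a password in this script or on the curl command line.
# Assumed (not from the original post): the netrc path below and the account
# name "backup-svc". The netrc file holds one line, for example:
#   machine localhost login backup-svc password <password>

AEM_HOST="${AEM_HOST:-localhost}"
AEM_PORT="${AEM_PORT:-4502}"
NETRC_FILE="${NETRC_FILE:-/etc/aem/backup.netrc}"   # assumed location

# Succeeds only for a regular file that grants nothing to group or other.
cred_file_is_private() {
    local file="$1" perms
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    perms=$(ls -ld -- "$file" | cut -c5-10)   # group + other permission bits
    [ "$perms" = "------" ]
}

# Build the Granite backup URL from the post. This example only accepts a
# plain file name and a numeric delay, so no extra parameters can be smuggled in.
backup_url() {
    local target="$1" delay="${2:-10}"
    case "$target" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    case "$delay" in
        ""|*[!0-9]*) return 1 ;;
    esac
    printf 'http://%s:%s/libs/granite/backup/content/admin/backups/?delay=%s&target=%s\n' \
        "$AEM_HOST" "$AEM_PORT" "$delay" "$target"
}

# POST the backup request; curl reads the credentials from the netrc file.
start_backup() {
    local url
    if ! cred_file_is_private "$NETRC_FILE"; then
        echo "refusing: $NETRC_FILE is missing or readable by group/other" >&2
        return 1
    fi
    url=$(backup_url "$1" "${2:-10}") || { echo "invalid target or delay" >&2; return 1; }
    curl --silent --show-error --fail --netrc-file "$NETRC_FILE" -X POST "$url"
}

if [ "${1:-}" = "run" ]; then
    start_backup "${2:-repositoryBackup.zip}"
fi
```

Invoke it as `./aem-backup.sh run repositoryBackup.zip` (script name assumed), after creating the netrc file with mode 600 and owned by the account that runs the job.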

References

Adobe AEM Backup & Restore
