We considered existing solutions before starting our own AC Tool. These are basically content packages (including rep:policy nodes) and the ACL Setup Service provided by AEM.
| Aspect | AC Tool | Content Package | ACL Setup Service |
|---|---|---|---|
| Readability | ✅ config can be read by less technical persons | ❌ hard to read even for developers | 🔶 readable for small setups |
| Run mode support | ✅ | ❌ | ❌ |
| Setting ACLs for a content position | ✅ | 🔶 if path does not exist, invalid pages are created | ✅ |
| Creation of groups possible | ✅ | ✅ | ❌ |
| Order of ACEs is ensured | order of ACEs is ensured | ❌ works for initial creation, but not incrementally | ❌ works for initial creation, but not incrementally |
| Old entries can be deleted | ✅ before applying ACEs to a content node, all entries are removed to ensure the ACL exactly as provided by AC Tool configuration file | ❌ old entries are untouched and have to be deleted manually | ❌ old entries are untouched and have to be deleted manually |
| Consistency Checks regarding AC setup | ✅ | ❌ | :x: |
| Maintainability | ✅ Single configuration file per project keeps ACL setup in one place. Can be split up to multiple files (e.g. one per tenant). | ❌ package with many filter rules and complex structure has to be created | 🔶 Everything is kept in one file (OSGi configuration), good for small projects but gets too big for large instances. |
| Duplication in configuration | ✅ supports wildcards and loops | ❌ all paths have to be contained in package | ❌ all paths have to be explicitly listed in OSGi config |
| Automatic Group Location Migration | ✅ if the location of a group changes in the config file, the AC Tool automatically migrates the group location and all references to it in the content | ❌ all paths in content package have to be changed manually | ❌ cannot handle groups |
| Import/Export | ✅ import and export of Yaml files | ❌ no standard tool in AEM for exporting ACEs but ✅ ACL Packager can be used | ❌ no export of the effective permissions of an instance |
| Reproducibility | ✅ It is possible to ensure that ACL settings in any system are exactly as defined. | ❌ Old ACLs are not removed. Therefore, it can only be ensured that the defined ACLs are there but there may be additional ones active as well. | ❌ Old ACLs are not removed. Therefore, it can only be ensured that the defined ACLs are there but there may be additional ones active as well. |
| Availability | 🔶 requires installation of additional package | ✅ part of deployment packages | ✅ included out-of-the-box |