close

Filter

loading table of contents...

Release Notes / Version 10.2107

Table Of Contents

Changed Login Services and System Users

The login service and user for the connection to the Content Server have changed for Studio Server , CAE Feeder and User Changes App . In previous releases, all of these applications logged in as user "webserver" and with login service "webserver", which gave them rights to read and write all content, and to log in as different users without a password, for example to write content in the name of another user. This has been changed in order to give applications only the rights required for their operation. The Studio Server and the User Changes App now log in with the newly introduced login service "studio" and user "studio". The CAE Feeder now logs in with the existing login service "feeder" and user "feeder". The CAE and the Elastic Worker still use the login service "webserver" and user "webserver" but the rights of this account have been restricted.

The connections of the Studio Server and User Changes App are still privileged as it was the case in previous releases. They can log in as different users without providing a password, but user "studio" only grants read rights on content for the connection session. This is sufficient because content is always written in the name of an editor user and not as system user "studio". Project extensions that modify content from the connection session should be changed to switch to a session with sufficient rights. Alternatively, you could also grant more rights to the "studio" user.

The CAE Feeder now only has read rights on content and its connection is no longer privileged. This is sufficient for its operation.

The connections of the CAE and Elastic Worker don't have rights to modify content anymore. The user "webserver" only grants read rights by default. Furthermore, connections of the login service "webserver" are no longer privileged. They cannot log in as different user without a password. If you still need this functionality, you can add the configuration option " cap.server.loginServiceWebserverPrivileged=true " to the Content Server configuration to make connections of login service "webserver" privileged again. This option may be removed in the future, so please tell us if you really need it.

Note that for existing repositories, user rights and group memberships are  not updated automatically but must be adapted manually:

Release 1901.1 already restricted the default rights of system users and introduced the new system group "system-write" for CMS-1892. If you don't have that group yet, then you should adapt existing users and groups as follows:

  1. On the Content Management Server :

    1. Create the new group "system-write" and add rules for documents and folders that grant all rights. The new group should have the same flags and rights as it was the case for the existing group "system".

    2. Make the new group "system-write" a member of the existing group "system".

    3. Make system users "workflow" and "publisher" members of the group "system-write" instead of "system"

    4. Create a new user "studio" and make it a member of group "system".

    5. On the Content Management Server and the Master Live Server : Change the rules of the group "system" to grant read rights on documents and folders only.

  2. If you already have the group "system-write" and the changes of CMS-1892 from 1901.1 in your repository, then proceed as follows:

    1. On the Content Management Server: Create a new user "studio" and make it a member of group "system".

    2. On all Content Servers : Make user "webserver" a member of group "system" instead of "system-write"

    3. Only on Master Live Server and Replication Live Servers : The group "system-write" should have no members anymore and can be deleted.

 

(CMS-378)

Search Results

Table Of Contents