ACL Permissions - Adobe recommendations clarifications | Community
Skip to main content
A
ADLSSt196
May 26, 2025

ACL Permissions - Adobe recommendations clarifications

  • May 26, 2025
  • 2 replies
  • 758 views

Hi All,

I’m currently working in AEM as a Cloud Service, and I'm in the process of creating author groups and assigning the appropriate permissions for my sites.

Group A – Read-only access

Group B – Write-only access

Group C – Full access

To achieve this, I am creating groups and assigning permissions as follows: I deny access globally using a rule like /content with deny and rep:glob="/*", then I explicitly grant read access to my specific site using /content/mysite with read permission. That is working fine.

 

However, I'm encountering an issue: when I try to access /content/dam, I'm getting permission errors. 

Unfortunately, I haven't been able to configure it this way successfully. Could you please suggest how to achieve this setup? Specifically, I want to:

Restrict global access to /content/dam

Allow access only to /content/dam/mysite

Is this possible to configure in AEM cloud? Any suggestions would be appreciated.

 

Thanks

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

2 replies

arunpatidar
Community Advisor
arunpatidarCommunity Advisor
Community Advisor
May 26, 2025

Hi @adlsst196 

Please check

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/user-groups-permission/m-p/754536 

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/user-with-two-groups/m-p/754063 

Arun Patidar
    A
    ADLSSt196Author
    May 26, 2025

    hi @arunpatidar 

    As per our discussions from the reference link, we need to create a super/base group, 

    According to Adobe's recommendations, we should globally deny permissions and then explicitly allow the necessary permissions for each group. However, this approach doesn't seem to be working as expected in AEM as a Cloud Service.

    Could you please confirm if this is a known limitation?

    Specifically, I want to:

    Restrict global access to /content/dam

    Allow access only to /content/dam/mysite

    Is it possible to configure this setup in AEM Cloud without creating the base or super group mentioned in the reference link?

     

    Thanks

     

    A
    abinav_98
    Level 2
    May 26, 2025

    Use Deny sparingly. As far as possible use only Allow.

    Using deny can cause unexpected effects if the permissions are applied in a different order than the order expected. If a user is a member of more than one group, the Deny statements from one group may cancel the Allow statement from another group or the opposite way. It is hard to keep an overview when such a thing happens and can easily lead to unforeseen results, whereas Allow assignments do not cause such conflicts.

    Adobe recommends that you work with Allow rather than Deny

    https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/security#best-practices

    This is likely why you are facing the issue. Why do you need the deny rule?

      SreenivasBr
      SreenivasBr
      Level 4
      May 26, 2025

      To achieve this, you will need to provide read access to just the DAM folder, its properties and then allow read permission to folders below DAM.

       

      Add allow node with rep:glob="", rep:privileges= "jcr:read, jcr:readAccessControl", rep:principalName="group_name" under /content/dam .

      Add allow node with rep:glob="/jcr:*", rep:privileges= "jcr:read, jcr:readAccessControl", rep:principalName="group_name" under /content/dam for that group.

      Add allow node under /content/dam/mysite with rep:privileges="jcr:read, jcr:readAccessControl", rep:principalName="group_name"

        Terms & ConditionsAccessibility statement

        Loading footer...