How to Restrict Access to Specific Pages in AEM Preview for External Users AEMasCS | Community
Skip to main content
G
georhe6
Level 4
April 27, 2026
Question

How to Restrict Access to Specific Pages in AEM Preview for External Users AEMasCS

  • April 27, 2026
  • 3 replies
  • 23 views

We are using Adobe Experience Manager as a Cloud Service and need to share our Preview environment with a limited number of external users (outside our organization)for review before publishing to live dispatcher.

Our production website is completely public (no authentication) and is protected by Imperva WAF on the live domain.

For the Preview environment, our requirements are:

  • Provide access only to a specific set of pages
  • Prevent access to all other pages
  • Ensure the environment is secure for external users

Since Preview behaves similarly to Publish and does not support fine-grained user/group permissions like Author, we are exploring the best approach.

Our questions:

  1. What is the recommended way to restrict access to only specific pages in Preview?
  2. Should this be primarily handled at Dispatcher level, WAF (Imperva), or a combination of both?
  3. Are there any best practices for exposing Preview securely to external users in AEMaaCS?

If anyone has implemented a similar setup, especially with Imperva in front of AEM, any guidance or examples would be greatly appreciated.

3 replies

EstebanBustamante
Community Advisor and Adobe Champion
EstebanBustamanteCommunity Advisor and Adobe Champion
Community Advisor and Adobe Champion
April 27, 2026

Hi, 

 

You can use traditional methods like ACLs and UCG, but the best option is probably to use Basic Authentication via the Adobe CDN. Please check here for more details.: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/content-delivery/cdn-credentials-authentication#basic-auth

Hope this helps

Esteban Bustamante
ykliakhin
ykliakhin
Level 1
April 28, 2026

Use CUG for access control, and configure Dispatcher either to not cache protected Preview pages or to use AuthChecker for permission-sensitive caching.

Imperva can still remain in front as the WAF layer for perimeter protection, IP restrictions, bot protection, rate limiting, and similar controls. But the actual page-level access control can be handled by AEM CUG, provided the Dispatcher caching model is configured safely.

This gives a more flexible and AEM-native setup than maintaining only a hardcoded path allowlist, especially if different external users or groups need access to different sets of preview pages.

VeenaVikraman
Community Advisor
VeenaVikramanCommunity Advisor
Community Advisor
April 28, 2026

Hi ​@georhe6 

Are you talking about the preview service in AEM as Cloud ?https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/sites/authoring/sites-console/previewing-content 

Since you’re on AEMaaCS, use Cloud Manager IP allowlists. Even though Preview is not a separate server, Adobe treats it as a separate service tier, and you can apply IP restrictions specifically to it.

Create an IP allowlist in Cloud Manager for your external users and attach it to the Preview service. This ensures the preview domain is not publicly accessible.

Refer https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/using-cloud-manager/ip-allow-lists/introduction

Page-Level Restriction

IP allowlisting works at domain level, so to restrict access to specific pages, the safest approach is to handle this at the content level. Only publish the specific pages or folders that need to be reviewed using Manage Publication. If the content is not available in Preview, users cannot access it.

I have never tried the Dispatcher restrictions , but some suggestions says it is possible. But I am not sure , as there is no custom runmode available for preview 

Securing via Imperva

Since you already have Imperva, make sure it is also enforced for Preview.

Two things I would strongly recommend:

  • Use Imperva for URI-level restrictions if needed
  • Configure a shared secret header

Imperva should inject a header, and Dispatcher should validate it. Any request without the header should be rejected. This prevents users from bypassing Imperva and directly hitting the AEM origin.

 

Also, one thing to check. If your reviewers are not on static IPs, IP allowlisting can become difficult to manage. In that case, using Basic Authentication at the Imperva or edge layer is usually easier.

Hope this helps!

Thanks

Veena

Terms & ConditionsAccessibility statement

Loading footer...