What is the best way to create a component which will be authored/edited by only one user group? | Community
Skip to main content
donquixote_dofl
donquixote_dofl
Level 2
May 15, 2025
Solved

What is the best way to create a component which will be authored/edited by only one user group?

  • May 15, 2025
  • 6 replies
  • 1003 views

For example you have a component where it should be authored by only admins. The edit access for this component have to be restricted to one particular user group only.

    This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
    Best answer by joerghoh

    I understand your question in a way, that only a certain usergroup should be able to add/edit the content of a component on a page (it's not about the access to the component definition itself).

     

    In that case working with access control on the component definition (somewhere below /apps) won't help you at all. Instead you must restrict access to content for which reference this component as resourceType. Technically this is possible to implement using a custom restriction provider on an Oak level. But I doubt that you want to go down that route (it's possible, but there is no good examples around how to do it correctly). 

     

    Another option is move that content out of the regular content tree and embedd it via CF/XF or a different inclusion mechanism; and then work with ACLs to limit write access to this CF/XF.

    6 replies

    K_M_K_Srikanth
    K_M_K_Srikanth
    Level 2
    May 15, 2025

    To ensure only admins or a specific user group (e.g., content-authors-admin) can edit a specific AEM component:

    Steps:

    1. Create User Group

      • Use /useradmin to create a group (e.g., content-authors-admin) and add users.

    2. Set ACL Permissions

      • In /crx/de, navigate to the component path (/apps/yourproject/components/restricted).

      • Deny write access (jcr:write, rep:write) for everyone.

      • Allow write access for content-authors-admin.

    3. Optional: Hide from Authoring UI

      • Use cq:editConfig to limit editing actions.

      • Adjust allowedComponents in template policy to hide the component from unauthorized authors.

    4. Verify Access

      • Test with normal authors (read-only) and admin users (edit access).

    Result:

    Only specified users/groups can edit the component; others can view but not modify it.

     

    Hope this helps.

      V
      VasudevaraoGu
      Level 2
      May 15, 2025

      Hi,

      You can try like this 

      1. Go to CRX/DE Lite (/crx/de)

      2. Navigate to your component path:
        /apps/projectname/components/sample

      3. Set permissions:

        • Deny replicate, modify, and write access to general author groups (like content-authors)

        • Allow full access (read, modify, write) to admin-authors

      Use the User Admin Console (/useradmin) or CRX Access Control Editor to do this

        donquixote_dofl
        donquixote_doflAuthor
        Level 2
        May 15, 2025

        what if content authors have read,modify, delete permissions from useradmin will they conflict from crxde access control?

        AmitVishwakarma
        Community Advisor
        AmitVishwakarmaCommunity Advisor
        Community Advisor
        May 15, 2025

        Hi @donquixote_dofl ,

        Try with below solution:

        1. Create the User Group

        Go to /useradmin:

          - Create a group: admin-authors

          - Add users who should be able to edit the component

         

        2. Set Component Permissions

        Navigate in /crx/de to the component:

        /apps/yourproject/components/securecomponent

        Deny Access to Regular Authors:

          - Right-click the component → Access Control

          - Select group content-authors

                - Deny:

                      - jcr:write

                      - rep:write

                      - jcr:modifyProperties


        Allow Access to Admin Authors:

          - Add admin-authors group

                   - Allow:

                         - jcr:read

                         - jcr:write

                        - jcr:modifyProperties

                        - jcr:nodeTypeManagement (optional, for dialog editing)

         

        Note: In AEM, deny wins over allow. So if a user is in multiple groups (one denied, one allowed), they still get denied.

        Regards,
        Amit

          MukeshYadav_
          Community Advisor
          MukeshYadav_Community Advisor
          Community Advisor
          May 15, 2025

          Hi @donquixote_dofl ,

          One approach can be as follows:-

          1. create a node cq:EditConfig with insert/copy with allowed default property

          2.Add below sly tag to call the sling model

          <sly data-sly-use.disableEdit="com.projectname.core.models.EditToolbarModel"></sly>

          2.Create a sling model to allow if user is part of certain allowed groups

          @Model(adaptables = {
                  SlingHttpServletRequest.class,
                  Resource.class}, defaultInjectionStrategy = DefaultInjectionStrategy.OPTIONAL)
          public class EditToolbarModel {
              Logger logger = LoggerFactory.getLogger(this.getClass());
              @SlingObject
              private SlingHttpServletRequest request;

              
              @PostConstruct
              protected void init() {
                  if (WCMMode.fromRequest(request).equals(WCMMode.EDIT) && isUserAllowed(request)) {
                      ComponentContext componentContext = WCMUtils.getComponentContext(request);
                      if (componentContext != null) {
                          Toolbar toolbar = componentContext.getEditContext().getEditConfig().getToolbar();
                          toolbar.add(EditAction.EDIT);
                          toolbar.add(EditAction.DELETE);
                      }
                  }
              }


              private boolean isUserAllowed(SlingHttpServletRequest request) {
                  List<String> groupList= new ArrayList<>(Arrays.asList("super-author", "group2","otherGroupToBeAllowed"));
                  try {
                      User currentUser = request.getResourceResolver().adaptTo(User.class);
                      if (currentUser != null) {
                          Iterator<Group> currentUserGroups = currentUser.memberOf();
                          while (currentUserGroups.hasNext()) {
                              Group group = currentUserGroups.next();
                              if (groupList.contains(group.getID())) {
                                  return true;
                              }
                          }
                      }
                  } catch (RepositoryException e) {
                      throw new DataException(e);
                  }
                  return false;
              }

          }

          PS:- User will still be able to edit from crxde if has access to crx and part of content author

          Thanks

            donquixote_dofl
            donquixote_doflAuthor
            Level 2
            May 16, 2025

            @mukeshyadav_ Could you please provide more details on Edit Toolbar Service?

            MukeshYadav_
            Community Advisor
            MukeshYadav_Community Advisor
            Community Advisor
            May 16, 2025

            Hi @donquixote_dofl ,

             

            I forgot to remove Inject Edit Toolbar Service, actually isUserAllowed method was part of service so that it can be used in multiple places in project if required.
            For simplicity I have kept isUserAllowed method in model itself in the above comment  so no need to inject that service.

            Thanks

            arunpatidar
            Community Advisor
            arunpatidarCommunity Advisor
            Community Advisor
            May 16, 2025

            Hi @donquixote_dofl 

            Please check https://medium.com/@arunpatidar26/aem-restrict-component-dialog-editing-028534f194e1 

            Arun Patidar
              joerghoh
              Adobe Employee
              joerghohAdobe EmployeeAccepted solution
              Adobe Employee
              May 18, 2025

              I understand your question in a way, that only a certain usergroup should be able to add/edit the content of a component on a page (it's not about the access to the component definition itself).

               

              In that case working with access control on the component definition (somewhere below /apps) won't help you at all. Instead you must restrict access to content for which reference this component as resourceType. Technically this is possible to implement using a custom restriction provider on an Oak level. But I doubt that you want to go down that route (it's possible, but there is no good examples around how to do it correctly). 

               

              Another option is move that content out of the regular content tree and embedd it via CF/XF or a different inclusion mechanism; and then work with ACLs to limit write access to this CF/XF.

                Terms & ConditionsAccessibility statement

                Loading footer...