Level 2
November 6, 2025
Solved

Why rep:externalId property getting created for usergroups in AEM as cloud


Hi All,

We have created user groups through NC ACL tool YAML files using the entries below. The rep:externalId property is getting added to the user group after some time, and we are unable to add this group to normal users because of this externalId property.

We are creating these groups in AEM as part of the pipeline build; no user groups are created on the IMS side.

Is there any configuration in AEM as cloud which adds this property while the sync from IMS to AEM is happening?

Please share your suggestions/comments if you have come across this type of issue in AEM as cloud.

Thank you.

- DEF groupRootPath="/home/groups/healthcare"
- group_config:
    - content-authors-global:
      - name: "Content Authors Global QA DEV"
        path: "${groupRootPath}"
        isMemberOf:

- ace_config:
    - content-authors-global:
        - FOR folder IN ${contentfolders}:
            - path: ${folder.path}
              permission: allow
              actions: read,modify,create,delete,replicate

        - FOR folder IN ${conffolders}:
            - path: ${folder.path}
              permission: allow
              actions: read,modify,create,delete,replicate

Best answer by AmitVishwakarma

Hi ​@raju_komari ,
rep:externalId is not coming from your NC ACL YAML – it’s added automatically by Oak when a user/group is treated as external and synced from IMS/IAM.

  • It’s a protected system property that marks “this principal is managed by an external IdP”, so AEM will not let you manage it like a purely local group.
  • Local groups created by NC ACL won’t have rep:externalId unless that same group is also created/synced from IMS.
  • If a group has rep:externalId, treat it as IMS‑managed: manage membership on the IMS/IAM side (product profiles / directory), not directly in AEM.
  • If you need a fully local group you can manage only in AEM, create a group not synced via IMS (different name / not in the sync config), so rep:externalId will never be set.

So, rep:externalId is expected and only appears for IMS‑synced principals; NC ACL itself does not create it.

Thanks,
Amit

2 replies

muskaanchandwani
Adobe Employee
November 6, 2025

Hello @raju_komari 

rep:externalId is a protected property which is a system-maintained marker that identifies an external user/group, i.e., one that is managed in an external identity provider and which is synced into the content repository for performance and compatibility reasons only.
Its value stores the configured name of the IDP, ensuring that it is only modified by its own provider integration.
An index ensures the uniqueness of that property.

See also https://jackrabbit.apache.org/oak/docs/security/authentication/external/defaultusersync.html#defaultsynccontext
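
A way to check the point made in the two answers above, as an added example that is not part of the original thread or of any Adobe or Netcentric tooling: it classifies each group declared in the AC tool YAML as local, external (carrying rep:externalId) or missing, and reports which IdP owns an external one. The JSON export shape, the group ids other than content-authors-global, the IdP name "ims" and the `<externalId>;<idpName>` value layout are assumptions, and the sample data is constructed.

```python
import json

# Constructed sample: group nodes as a JSON export of /home/groups might
# list them. Property names are Oak's; ids, paths and values are made up.
SAMPLE_EXPORT = json.loads("""
[
  {"path": "/home/groups/healthcare/content-authors-global",
   "rep:authorizableId": "content-authors-global",
   "rep:externalId": "content-authors-global;ims"},
  {"path": "/home/groups/healthcare/content-reviewers",
   "rep:authorizableId": "content-reviewers"}
]
""")

# Group ids declared under group_config in the YAML (assumed input).
DECLARED = {"content-authors-global", "content-reviewers", "content-publishers"}


def split_external_id(value):
    """Split an assumed '<externalId>;<idpName>' value on the last ';'."""
    ext_id, _, idp = value.rpartition(";")
    return (ext_id, idp) if ext_id else (value, "")


def classify_declared_groups(groups, declared):
    """Map each declared group id to (status, idp_name_or_None).

    status is 'external' when the node carries rep:externalId (membership
    is then owned by the IdP sync), 'local' when it does not, and
    'missing' when the group is not in the export at all.
    """
    by_id = {g.get("rep:authorizableId"): g for g in groups}
    report = {}
    for gid in sorted(declared):
        node = by_id.get(gid)
        if node is None:
            report[gid] = ("missing", None)
        elif node.get("rep:externalId"):
            report[gid] = ("external", split_external_id(node["rep:externalId"])[1])
        else:
            report[gid] = ("local", None)
    return report


if __name__ == "__main__":
    for gid, (status, idp) in classify_declared_groups(SAMPLE_EXPORT, DECLARED).items():
        print(f"{gid}: {status}" + (f" (IdP: {idp})" if idp else ""))
```

Running this after each deployment and after each IMS sync shows the moment a YAML-declared group turns external, which is when its membership has to be managed on the IMS side instead.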

Level 2
February 18, 2026

Thanks for the update.

We have re-validated the NC ACL tool user group creation flow through YAML files in AEM as cloud RDE/dev/stage and prod, and observed that rep:externalId is not getting created by the NC ACL tool; it is getting created during the sync with IAM.

We are good at this point and are concluding that this rep:externalId is not getting created for user groups until you mention it explicitly.

AmitVishwakarma
Community Advisor
Accepted solution
February 19, 2026


Level 2
February 19, 2026

Thanks for the update.