Expand my Community achievements bar.

Issue with JackrabbitAccessControlManager API: Incorrect AEM Group Permissions Export


Level 2

Hello Adobe Community,

I hope this message finds you well. I am currently facing a challenging issue related to auditing and exporting AEM group permissions using the JackrabbitAccessControlManager API.

Background: As part of an audit requirement, I need to verify and export all AEM group permissions for both L1 and L2 pages of our website. To achieve this, I have been utilizing the JackrabbitAccessControlManager API provided by Adobe. The goal is to ensure that the exported permissions accurately reflect the actual permissions set in the content tree.

Problem: While attempting to accomplish this, I have encountered a discrepancy between the permissions reported by the JackrabbitAccessControlManager API and the actual permissions on the content tree. For example, the "jcr:read" privilege is consistently being reported as an aggregate privilege, even when a specific group does not have read access to a particular page.

Expected Outcome: I expect that the permissions exported using the JackrabbitAccessControlManager API should reflect the precise permissions granted to each group for individual pages within the AEM content tree. This is critical for ensuring compliance with our audit requirements.

Query: I would greatly appreciate any insights that the community could offer regarding this issue. Specifically, I would like to understand why the "jcr:read" privilege is being reported as an aggregate privilege, even when actual access to specific pages is not granted to the corresponding group.
Also some of the other permissions also not coming accurate with the below mentioned code.

Has anyone else encountered a similar situation or identified a workaround to ensure accurate permission exports using the JackrabbitAccessControlManager API? Any advice, recommendations, or potential solutions would be immensely helpful.

Thank you in advance for your time and assistance. 

Fiddle script added for review



package apps.acs_002dtools.components.aemfiddle.fiddle;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;

import org.apache.commons.lang.RandomStringUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.day.cq.wcm.api.Page;
import com.day.cq.wcm.api.PageManager;

public class fiddle extends SlingAllMethodsServlet { 
	private final Logger log = LoggerFactory.getLogger(getClass());

	protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response) throws IOException {
		PrintWriter writer = response.getWriter();

	    String[] groups = {"authors-content","approvers-content","audit-group","test-group"  };
		String root = "/content/my-site/us/en/";
		try (ResourceResolver resourceResolver = getResourceResolver(request)) {
			Session session = resourceResolver.adaptTo(Session.class);
			PageManager pageManager = resourceResolver.adaptTo(PageManager.class);
			List<String> pagePaths = getChildPagePaths(root, pageManager);
			JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) session.getAccessControlManager();
			UserManager userManager = resourceResolver.adaptTo(UserManager.class);

			for (String path : pagePaths) {
				for (String group : groups) {
					Authorizable auth = userManager.getAuthorizable(group);
					if (auth != null) {

						Set<Principal> principals = new HashSet<Principal>();

						Privilege[] privileges = acm.getPrivileges(path, principals);
						StringBuilder csvOutput = new StringBuilder();
						String action;
				        List<String> Plist = Arrays.stream(privileges)
						for (Privilege privilege : privileges) {
							if (Plist.contains("jcr:read") && !privilege.isAggregate()) {
								action = "read";
							} else if (Plist.contains("jcr:addChildNodes")) {
								action = "create";
							} else if (Plist.contains("jcr:modifyProperties")) {
								action = "edit";
							} else if (Plist.contains("jcr:removeNode")
									|| privilege.equals("rep:write")) {
								action = "delete";
							} else if (Plist.contains("crx:replicate")) {
								action = "publish";
							} else if (privilege.getName().equalsIgnoreCase("jcr:all")) {
								action = "read, create, edit, delete, publish";
							} else {
								action = "";
							if (StringUtils.isNotBlank(action)) {


						String permissions = formatPermissions(csvOutput.toString());
						if (StringUtils.isNotEmpty(permissions)) {
							writer.println(path + "," + auth.getID() + "," + permissions + "<br>");


		} catch (Exception e) {

	private static ResourceResolver getResourceResolver(SlingHttpServletRequest request) throws LoginException {
	    ResourceResolver resourceResolver = request.getResourceResolver();
		return resourceResolver;

	private static List<String> getChildPagePaths(String parentPath, PageManager pageManager) {
		List<String> childPagePaths = new ArrayList<>();

		if (pageManager != null) {
			Page parentPage = pageManager.getPage(parentPath);
			if (parentPage != null) {
				Iterator<Page> childPages = parentPage.listChildren();
				while (childPages.hasNext()) {
					Page childPage = (Page) childPages.next();
		return childPagePaths;



1 Reply


Employee Advisor

@Abhilashreddy This is the Audience Manager community forum, you want to post your question to Experience Manager section - please see the https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/ct-p/adobe-experience-mana... 

Thank you