
ACL Permissions - Adobe recommendations clarifications


Level 1

Hi All,

I’m currently working in AEM as a Cloud Service, and I'm in the process of creating author groups and assigning the appropriate permissions for my sites.

Group A – Read-only access

Group B – Write-only access

Group C – Full access

To achieve this, I am creating groups and assigning permissions as follows: I deny access globally using a rule like /content with deny and rep:glob="/*", then I explicitly grant read access to my specific site using /content/mysite with read permission. That is working fine.


However, I'm encountering an issue: when I try to access /content/dam, I'm getting permission errors.

Unfortunately, I haven't been able to configure it this way successfully. Could you please suggest how to achieve this setup? Specifically, I want to:

Restrict global access to /content/dam

Allow access only to /content/dam/mysite

Is this possible to configure in AEM cloud? Any suggestions would be appreciated.


Thanks

5 Replies

Level 1

Hi @arunpatidar

As per our discussions from the reference link, we need to create a super/base group.

According to Adobe's recommendations, we should globally deny permissions and then explicitly allow the necessary permissions for each group. However, this approach doesn't seem to be working as expected in AEM as a Cloud Service.

Could you please confirm if this is a known limitation?

Specifically, I want to:

Restrict global access to /content/dam

Allow access only to /content/dam/mysite

Is it possible to configure this setup in AEM Cloud without creating the base or super group mentioned in the reference link?


Thanks


Level 1

Use Deny sparingly. As far as possible use only Allow.

Using deny can cause unexpected effects if the permissions are applied in a different order than the order expected. If a user is a member of more than one group, the Deny statements from one group may cancel the Allow statement from another group or the opposite way. It is hard to keep an overview when such a thing happens and can easily lead to unforeseen results, whereas Allow assignments do not cause such conflicts.

Adobe recommends that you work with Allow rather than Deny.

https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/security#best-prac...

This is likely why you are facing the issue. Why do you need the deny rule?


Community Advisor

Hi @ADLSSt196 

Don't go for deny rule.

Only use allow rules.

Arun Patidar


Level 5

To achieve this, you will need to provide read access to just the DAM folder and its properties, and then allow read permission on the folders below DAM.

Add allow node with rep:glob="", rep:privileges= "jcr:read, jcr:readAccessControl", rep:principalName="group_name" under /content/dam .

Add allow node with rep:glob="/jcr:*", rep:privileges= "jcr:read, jcr:readAccessControl", rep:principalName="group_name" under /content/dam for that group.

Add allow node under /content/dam/mysite with rep:privileges="jcr:read, jcr:readAccessControl", rep:principalName="group_name"
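To check what the three allow-only entries above actually expose, here is a small added simulation (not code from the thread or from AEM) that evaluates a path against those entries using Oak's documented rep:glob rules: an empty glob matches the policy node only, and * matches any characters including /. The group name mysite-authors and the sample paths are constructed for the illustration.

```python
"""Allow-only DAM read ACL from the reply above, evaluated with Oak-style
rep:glob matching. Added illustration; not from AEM or the thread."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    path: str                    # node carrying the rep:policy
    principal: str               # rep:principalName
    privileges: FrozenSet[str]   # rep:privileges
    glob: Optional[str] = None   # rep:glob; None = node and whole subtree


def glob_matches(ace: Ace, target: str) -> bool:
    """rep:glob semantics: '' matches the ACE node only; '*' matches any
    characters, '/' included; no restriction covers node plus descendants."""
    if ace.glob is None:
        return target == ace.path or target.startswith(ace.path + "/")
    pattern = re.escape(ace.path + ace.glob).replace(r"\*", ".*")
    return re.fullmatch(pattern, target) is not None


def is_allowed(aces: Tuple[Ace, ...], principal: str, path: str, privilege: str) -> bool:
    """Allow-only evaluation: granted if any entry for the principal matches the
    path and carries the privilege; otherwise denied, which is Oak's default."""
    return any(a.principal == principal and privilege in a.privileges
               and glob_matches(a, path) for a in aces)


READ = frozenset({"jcr:read", "jcr:readAccessControl"})
GROUP = "mysite-authors"  # constructed group name (assumption)

# The three entries from the reply: the DAM node itself, its jcr:* children,
# and the whole /content/dam/mysite subtree.
DAM_ACES = (
    Ace("/content/dam", GROUP, READ, glob=""),
    Ace("/content/dam", GROUP, READ, glob="/jcr:*"),
    Ace("/content/dam/mysite", GROUP, READ),
)


def readable(path: str) -> bool:
    return is_allowed(DAM_ACES, GROUP, path, "jcr:read")


if __name__ == "__main__":
    for p in ("/content/dam", "/content/dam/jcr:content", "/content/dam/othersite",
              "/content/dam/othersite/jcr:content", "/content/dam/mysite/images/logo.png"):
        print(f"{p:45} {'readable' if readable(p) else 'DENIED'}")
```

Siblings such as /content/dam/othersite stay unreadable without any deny entry, which is the point of the allow-only approach.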