AEM 6.3 Cannot create groups with service user



Hoping someone on here can help me out of a conundrum.

We are trying to remove all Admin sessions from our application, but are stuck with a few due to JCR Access Denied exceptions. Specifically, when we try to create AEM groups or users with a service user we get an Access Denied exception. Here is a piece of code written to isolate the problem:

private void testUserCreation2() {
  String groupName = "TestingGroup1";
  Session session = null;
  ResourceResolver resourceResolver = null;
  String createdGroupName = null;
  try {
      Map<String, Object> param = new HashMap<String, Object>();
      param.put(ResourceResolverFactory.SUBSERVICE, "userManagementService");
      resourceResolver = resourceResolverFactory.getServiceResourceResolver(param);
      session = resourceResolver.adaptTo(Session.class);

      // Create UserManager Object
      final UserManager userManager = AccessControlUtil.getUserManager(session);

      // Create a Group"Attempting to create group: "+groupName+" with user "+session.getUserID());
      if (userManager.getAuthorizable(groupName) == null) {

          Group createdGroup = userManager.createGroup(new Principal() {
            public String getName() {
              return groupName;
          }, "/home/groups/testing");
          createdGroupName = createdGroup.getPath();

"Group successfully created: "+createdGroupName);
      } else {
"Group already exists");
  } catch (Exception e) {
      LOGGER.error("Error while attempting to create group.",e);
  } finally {
      if (session != null && session.isLive()) {
      if (resourceResolver != null)

Notice that I'm using a subservice name titled userManagementService, which maps to a user titled fwi-admin-user. Since fwi-admin-user is a service user, I cannot add it to the administrators group (This seems to be a design limitation on AEM). However, I have confirmed that the user has full permissions to the entire repository via the useradmin UI.

Unfortunately, I still get the following error when I invoke this code:

2020-06-22 17:46:56.017 INFO [] Attempting to create group: TestingGroup1 with user fwi-admin-user 2020-06-22 17:46:56.025 ERROR [] Error while attempting to create group. javax.jcr.AccessDeniedException: OakAccess0000: Access denied at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException( at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException( at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException( at

Is this an AEM bug, or am I doing something wrong here?

Thanks in advance

Accepted Solutions (1)

Accepted Solutions (1)




Your service user should be part of user-administrators group or administrator group to do user management task.

Answers (0)