Hi @s-reznikov!
Yes, there should not be any issue with your requirement.
Please check the available Actions in the context of permissions in AEM. You will find that there are dedicated actions for
- Read
- Modify
- Create
- Delete
- Replicate
and permission management (Read ACL, edit ACL).
So the group that you are outlining would need read and modify permissions but not include create and replicate permissions.
Please keep in mind:
- In general, please only set ACLs on group level and assign users to these groups. It is discouraged (but possible) to set permissions on user level.
- It is recommended to build your authorization concept hierarchical with different groups for different use cases/tenants/markets/etc. and leverage inheritance (one group being member of another) to craft your access controls. In general the top group should have very limited access (potentially deny as much as possible) and subsequent groups in the hierarchy should only have allow ACLs and avoid deny ACLs (as far as possible). Mixing allows and denys on many levels of that hierarchy will make things very complex and debugging very hard.
- I always recommend to leverage the Netcentric ACL tool for group and permission management. This way, you have everything in your SCM and code base and can track changes, deploy them consistently to all your stages and environments and avoid manual errors.
See also the documented Best Practices on permission management in AEM.
You can test your permissions using the impersonation feature of AEM or use the CRX Explorer and it's ACE Editor to prototype and test your permission setups.
Hope that helps!
