Automated assignment of permissions | Community
Skip to main content
M
Mailyn_TMo
Level 2
November 18, 2025
Solved

Automated assignment of permissions

  • November 18, 2025
  • 2 replies
  • 164 views

Hi everyone, I hope you're all doing well.
Context: I'm managing groups and permissions in AEM. Each group has its own access to specific folders in the DAM. The problem I'm currently having is that if a new folder is created, it becomes visible to all users. My question is: is there a way to automate permission assignment? For example, if I create a "promo" folder and it's assigned to specific users, or if I create a folder in a specific location, could I use workflows to specify that the folder is for a specific group?

 

Thanks for your input.

Best answer by VishalKa5

Hi @mailyn_tmo ,

 

When you create a new folder in AEM DAM, it inherits the permissions of its parent folder. If the parent is open to everyone, the new folder will also be visible to all users. AEM does not automatically apply custom permissions when new folders are created, so you need to implement a mechanism to handle this.
The most maintainable way is to use a workflow that triggers whenever a new folder is created under a specific path. For example, if you create a folder under /content/dam/promo, the workflow can apply the correct ACLs (Access Control Lists) and assign permissions to the right group. This is done by adding a Process Step in the workflow that calls a custom service or script to set the permissions. Alternatively, you can use an OSGi event listener that detects when a new folder is added and applies the ACLs programmatically using AEM’s AccessControlManager. Another option is to use folder templates with predefined permissions so that users create folders from these templates instead of manually.
Here’s a simple Java snippet for the event listener approach:

@Component(service = EventHandler.class, immediate = true, property = { EventConstants.EVENT_TOPIC + "=" + "org/apache/sling/api/resource/Resource/ADDED", EventConstants.EVENT_FILTER + "=(path=/content/dam/promo/*)" }) public class FolderPermissionHandler implements EventHandler { @Reference private ResourceResolverFactory resolverFactory; @Override public void handleEvent(Event event) { try (ResourceResolver resolver = resolverFactory.getServiceResourceResolver(null)) { String path = (String) event.getProperty("path"); Session session = resolver.adaptTo(Session.class); AccessControlManager acm = session.getAccessControlManager(); Principal group = session.getPrincipalManager().getPrincipal("promo-group"); Privilege[] privileges = new Privilege[] { acm.privilegeFromName(Privilege.JCR_READ), acm.privilegeFromName(Privilege.JCR_WRITE) }; AccessControlList acl = (AccessControlList) acm.getApplicablePolicies(path).nextAccessControlPolicy(); acl.addAccessControlEntry(group, privileges); acm.setPolicy(path, acl); session.save(); } catch (Exception e) { e.printStackTrace(); } } }

This listener checks for new folders under /content/dam/promo and assigns read/write permissions to a group called promo-group. For workflows, you would do something similar in a custom process step.
Best practice: Use workflows if you want flexibility and easy configuration by authors. Use event listeners if you need real-time automation without manual triggers.

 

Thanks,

Vishal

2 replies

SantoshSai
Community Advisor
SantoshSaiCommunity Advisor
Community Advisor
November 18, 2025

Hi @mailyn_tmo,

AEM does not automatically apply ACLs on newly created DAM folders unless you explicitly set up automation. By default, folders inherit permissions from their parent path, which is why new folders become visible to all users who have access to the parent.

Here are the available options to automate permission assignment:

1. Use a folder creation workflow (DAM Metadata writeback workflow hook)

You can trigger a workflow when a folder is created (node type: sling:OrderedFolder or sling:Folder) and inside that workflow:

  • Add a custom Process Step

  • Use an OSGi service to modify ACLs programmatically

  • Apply the required jcr:read, jcr:write, etc., permissions to the target group

This is the most controlled and scalable approach.

2. Use Sling Post-Processor (OSGi Event Listener)

Implement an Event Listener / SlingPostProcessor that listens to:

event.topics = "org/apache/sling/api/resource/Resource/ADDED"
resourceType = "sling:Folder"

When a folder is created, your code automatically:

  • Checks naming patterns (e.g., folder name contains "promo")

  • Checks parent path

  • Applies ACL rules via AccessControlManager

This is common in enterprise AEM setups.

3. Using workflows alone is not enough

AEM’s out-of-the-box workflows don’t modify ACLs.
You must add a custom process step with code to update permissions.

4. There is NO OOTB setting for “auto-assign permissions on new folder”

AEM currently does not allow you to:

  • Set default ACLs per folder

  • Auto-inherit rules based on folder naming pattern

So custom automation is required.

My reccomendation would be: If you want simple automation:

-> Use a custom workflow or Event Listener to assign ACLs based on folder path or naming.

If your requirement is more complex:

-> Implement a policy-based permission engine (common in multi-tenant AEM setups).

Santosh Sai
    VishalKa5
    VishalKa5Accepted solution
    Level 5
    November 19, 2025

    Hi @mailyn_tmo ,

     

    When you create a new folder in AEM DAM, it inherits the permissions of its parent folder. If the parent is open to everyone, the new folder will also be visible to all users. AEM does not automatically apply custom permissions when new folders are created, so you need to implement a mechanism to handle this.
    The most maintainable way is to use a workflow that triggers whenever a new folder is created under a specific path. For example, if you create a folder under /content/dam/promo, the workflow can apply the correct ACLs (Access Control Lists) and assign permissions to the right group. This is done by adding a Process Step in the workflow that calls a custom service or script to set the permissions. Alternatively, you can use an OSGi event listener that detects when a new folder is added and applies the ACLs programmatically using AEM’s AccessControlManager. Another option is to use folder templates with predefined permissions so that users create folders from these templates instead of manually.
    Here’s a simple Java snippet for the event listener approach:

    @Component(service = EventHandler.class, immediate = true, property = { EventConstants.EVENT_TOPIC + "=" + "org/apache/sling/api/resource/Resource/ADDED", EventConstants.EVENT_FILTER + "=(path=/content/dam/promo/*)" }) public class FolderPermissionHandler implements EventHandler { @Reference private ResourceResolverFactory resolverFactory; @Override public void handleEvent(Event event) { try (ResourceResolver resolver = resolverFactory.getServiceResourceResolver(null)) { String path = (String) event.getProperty("path"); Session session = resolver.adaptTo(Session.class); AccessControlManager acm = session.getAccessControlManager(); Principal group = session.getPrincipalManager().getPrincipal("promo-group"); Privilege[] privileges = new Privilege[] { acm.privilegeFromName(Privilege.JCR_READ), acm.privilegeFromName(Privilege.JCR_WRITE) }; AccessControlList acl = (AccessControlList) acm.getApplicablePolicies(path).nextAccessControlPolicy(); acl.addAccessControlEntry(group, privileges); acm.setPolicy(path, acl); session.save(); } catch (Exception e) { e.printStackTrace(); } } }

    This listener checks for new folders under /content/dam/promo and assigns read/write permissions to a group called promo-group. For workflows, you would do something similar in a custom process step.
    Best practice: Use workflows if you want flexibility and easy configuration by authors. Use event listeners if you need real-time automation without manual triggers.

     

    Thanks,

    Vishal

      Terms & ConditionsAccessibility statement

      Loading footer...