Hi everyone, I hope you're all doing well.
Context: I'm managing groups and permissions in AEM. Each group has its own access to specific folders in the DAM. The problem I'm currently having is that if a new folder is created, it becomes visible to all users. My question is: is there a way to automate permission assignment? For example, if I create a "promo" folder and it's assigned to specific users, or if I create a folder in a specific location, could I use workflows to specify that the folder is for a specific group?
Thanks for your input.
Hi @Mailyn_TMo,
AEM does not automatically apply ACLs on newly created DAM folders unless you explicitly set up automation. By default, folders inherit permissions from their parent path, which is why new folders become visible to all users who have access to the parent.
Here are the available options to automate permission assignment:
1. Use a folder creation workflow (DAM Metadata writeback workflow hook)
You can trigger a workflow when a folder is created (node type: sling:OrderedFolder or sling:Folder) and inside that workflow:
- Add a custom Process Step
- Use an OSGi service to modify ACLs programmatically
- Apply the required jcr:read, jcr:write, etc., permissions to the target group
This is the most controlled and scalable approach.
2. Use Sling Post-Processor (OSGi Event Listener)
Implement an Event Listener / SlingPostProcessor that listens to:
event.topics = "org/apache/sling/api/resource/Resource/ADDED"
resourceType = "sling:Folder"
When a folder is created, your code automatically:
- Checks naming patterns (e.g., folder name contains "promo")
- Checks parent path
- Applies ACL rules via AccessControlManager
This is common in enterprise AEM setups.
3. Using workflows alone is not enough
AEM’s out-of-the-box workflows don’t modify ACLs.
You must add a custom process step with code to update permissions.
4. There is NO OOTB setting for “auto-assign permissions on new folder”
AEM currently does not allow you to:
- Set default ACLs per folder
- Auto-inherit rules based on folder naming pattern
So custom automation is required.
My recommendation would be: If you want simple automation:
-> Use a custom workflow or Event Listener to assign ACLs based on folder path or naming.
If your requirement is more complex:
-> Implement a policy-based permission engine (common in multi-tenant AEM setups).
Hi @Mailyn_TMo ,
When you create a new folder in AEM DAM, it inherits the permissions of its parent folder. If the parent is open to everyone, the new folder will also be visible to all users. AEM does not automatically apply custom permissions when new folders are created, so you need to implement a mechanism to handle this.
The most maintainable way is to use a workflow that triggers whenever a new folder is created under a specific path. For example, if you create a folder under /content/dam/promo, the workflow can apply the correct ACLs (Access Control Lists) and assign permissions to the right group. This is done by adding a Process Step in the workflow that calls a custom service or script to set the permissions. Alternatively, you can use an OSGi event listener that detects when a new folder is added and applies the ACLs programmatically using AEM’s AccessControlManager. Another option is to use folder templates with predefined permissions so that users create folders from these templates instead of manually.
Here’s a simple Java snippet for the event listener approach:
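
    import java.security.Principal;
    import javax.jcr.Session;
    import javax.jcr.security.AccessControlManager;
    import javax.jcr.security.Privilege;
    import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
    import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
    import org.apache.sling.api.resource.ResourceResolver;
    import org.apache.sling.api.resource.ResourceResolverFactory;
    import org.osgi.service.component.annotations.Component;
    import org.osgi.service.component.annotations.Reference;
    import org.osgi.service.event.Event;
    import org.osgi.service.event.EventConstants;
    import org.osgi.service.event.EventHandler;

    @Component(service = EventHandler.class,
            immediate = true,
            property = {
                EventConstants.EVENT_TOPIC + "=" + "org/apache/sling/api/resource/Resource/ADDED",
                EventConstants.EVENT_FILTER + "=(path=/content/dam/promo/*)"
            })
    public class FolderPermissionHandler implements EventHandler {

        @Reference
        private ResourceResolverFactory resolverFactory;

        @Override
        public void handleEvent(Event event) {
            // Service resolver for the bundle's default service-user mapping; that user needs
            // jcr:readAccessControl and jcr:modifyAccessControl under /content/dam/promo.
            try (ResourceResolver resolver = resolverFactory.getServiceResourceResolver(null)) {
                String path = (String) event.getProperty("path");
                Session session = resolver.adaptTo(Session.class);
                AccessControlManager acm = session.getAccessControlManager();
                // javax.jcr.Session has no getPrincipalManager(); look the group up via AccessControlUtils.
                Principal group = AccessControlUtils.getPrincipal(session, "promo-group");
                if (group == null) {
                    return; // group does not exist, nothing to assign
                }
                Privilege[] privileges = new Privilege[] {
                    acm.privilegeFromName(Privilege.JCR_READ),
                    acm.privilegeFromName(Privilege.JCR_WRITE)
                };
                // Returns the node's existing ACL or a new applicable one; getApplicablePolicies()
                // is empty (and nextAccessControlPolicy() throws) once the node already has a policy.
                JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, path);
                acl.addAccessControlEntry(group, privileges);
                acm.setPolicy(path, acl);
                session.save();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

This listener checks for new folders under /content/dam/promo and assigns read/write permissions to a group called promo-group. For workflows, you would do something similar in a custom process step.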
Best practice: Use workflows if you want flexibility and easy configuration by authors. Use event listeners if you need real-time automation without manual triggers.
Thanks,
Vishal
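
The custom process step that both answers describe, as an added example (not code from either answer or from Adobe). The class name, the step label and the use of the step's Arguments field for the group name are assumptions; it also assumes the goal is to hide the folder from users outside that group, which an allow entry alone does not achieve because read access is still inherited from the parent folder.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.osgi.service.component.annotations.Component;
import com.adobe.granite.workflow.WorkflowException;
import com.adobe.granite.workflow.WorkflowSession;
import com.adobe.granite.workflow.exec.WorkItem;
import com.adobe.granite.workflow.exec.WorkflowProcess;
import com.adobe.granite.workflow.metadata.MetaDataMap;

// Hypothetical process step: restricts the payload folder to one group.
@Component(service = WorkflowProcess.class,
        property = "process.label=Restrict DAM folder to group (example)")
public class RestrictFolderProcess implements WorkflowProcess {

    @Override
    public void execute(WorkItem item, WorkflowSession wfSession, MetaDataMap args)
            throws WorkflowException {
        String path = item.getWorkflowData().getPayload().toString();
        // PROCESS_ARGS carries the text entered in the step's "Arguments" field (assumed: group name).
        String groupName = args.get("PROCESS_ARGS", String.class);
        if (!path.startsWith("/content/dam/") || groupName == null || groupName.trim().isEmpty()) {
            throw new WorkflowException("Refusing ACL change: path=" + path + ", group=" + groupName);
        }
        try {
            Session session = wfSession.adaptTo(Session.class);
            Principal group = AccessControlUtils.getPrincipal(session, groupName.trim());
            if (group == null) {
                throw new WorkflowException("Unknown group: " + groupName);
            }
            Principal everyone = AccessControlUtils.getEveryonePrincipal(session);
            Privilege[] read = AccessControlUtils.privilegesFromNames(session, Privilege.JCR_READ);
            Privilege[] readWrite = AccessControlUtils.privilegesFromNames(session, Privilege.JCR_READ, Privilege.JCR_WRITE);
            JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, path);
            if (acl == null) throw new WorkflowException("No ACL can be set on " + path);
            // Order matters: the deny for "everyone" goes first, the group's allow
            // after it, so the later entry wins for members of the group.
            acl.addEntry(everyone, read, false);
            acl.addEntry(group, readWrite, true);
            session.getAccessControlManager().setPolicy(path, acl);
            session.save();
        } catch (RepositoryException e) {
            throw new WorkflowException("ACL update failed for " + path, e);
        }
    }
}
```

The session the step runs under needs jcr:readAccessControl and jcr:modifyAccessControl on the payload path. The deny entry also cuts off any other group whose read access comes only from an ancestor folder, so add an allow entry for each group that must keep access.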