Adobe Experience Manager Sites & More

Hi @AnushaAt 

AEM OOTB provides the capability to set permissions on both folders and files.

What seems to be the blocker in this case? The tool or the way use set permissions.

Arun Patidar

Hi @AnushaAt,

If i understood correctly, you want to set ACLs in more granular level.

You shall consider AC tool/Yaml file approach.

for more details:

https://shinesolutions.com/2018/10/02/managing-user-permissions-in-aem/

https://taradevko.com/aem/aem-ac-tool-manage-groups-users/

with this you shall create separate groups for different levels of content access.

Thanks,

Raju.

Hi, 

You can do this out-of-the-box without any additional tools. Keep in mind that using regex with ACLs can help avoid going through each file individually. Please refer to these threads to learn more about ACLs inheritance and evaluation:

https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html#rep-glob-details-and-... 

https://techrevel.blog/2024/03/04/aem-user-permissions-tips-for-effortless-control/

https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/security#access-co...

https://danklco.com/posts/2022-12-3-simple-rules-for-success-with-aem-acls/ 

Hope this helps

---

Esteban Bustamante

Hi @AnushaAt 
I believe to address the requirement of setting different permissions for folders and files (sub-pages) in AEM 6.5.19, we need a targeted approach that leverages granular Access Control List (ACL) configurations without compromising performance or maintainability. Here's how you can achieve this:

1. Separate User Groups for Folder and File Permissions

• Create separate security groups for folder and file access.
  • Folder Group: Users who need access to folders only.
  • File Group: Users who need access to files/sub-pages.
• Example:
  • folder-editors: Permissions for folders.
  • file-editors: Permissions for files/sub-pages.

2. Apply Folder-Level Permissions

• Navigate to the folder in AEM.

• In the Permissions tab of the User Admin console (http://<hostname>:4502/useradmin

  • Select the folder-editors group.
  • Grant permissions (Read, Modify, etc.) at the folder level only.
  • Use restrictions (e.g., rep:glob) to exclude sub-pages/files.

  Example:

  • Restriction: rep:glob = /* (only applies to folder-level content).

3. Apply File-Level Permissions

• Navigate to a representative file under the folder.

• For the file-editors group:

  • Grant permissions for all files under the folder.
  • Use rep:glob restrictions to exclude the root folder itself.

  Example:

  • Restriction: rep:glob = /*/* (applies to files only).

4. Use JCR API or ACS Commons Bulk Permission Tool (Optional for Scalability)

If you have many folders and files, manually configuring ACLs may be inefficient. Use programmatic or automated approaches:

• JCR API Example:
  • Create a service or script to set permissions programmatically using the JCR Session API.

  • // Example for setting folder permissions
    session.getAccessControlManager().setPolicy(
        "/content/my-folder",
        accessControlPolicyForFolder
    );
    // Example for setting file permissions
    session.getAccessControlManager().setPolicy(
        "/content/my-folder/my-file",
        accessControlPolicyForFiles
    );
    

  • • ACS Commons Bulk Permissions Tool:
      • Install the ACS Commons package.
      • Use the Bulk Permissions tool to configure folder and file-level ACLs efficiently.

    5. Validate Inheritance and Overrides

    • Ensure that inheritance is disabled for files where permissions differ from the folder.
    • Use the AEM Security Console (http://<hostname>:4502/security) to verify effective permissions.

    6. Test the Permissions

    • Use test accounts to validate that:
      • Folder permissions are applied correctly.
      • File permissions are overridden as expected.
        
        
  By leveraging rep:glob restrictions, permissions can be fine-tuned for folders and files independently
  
  Thanks 
  Please let me know if you face any challenge in this
• Partyush.