Adobe Experience Manager Sites & More

Abbirami · 5/6/25

Hi All,

Currently the audit log report under acs commons can be generated by the admin users, I would like to create a group for non-admin users to generate audit log report.

May I know what are the permissions i need to enable to do so?

SantoshSai · 5/6/25

Hi @Abbirami,

1. Grant Access to Audit Log Nodes

I think Audit logs are stored under:

/var/audit

Permissions needed on /var/audit:

jcr:read – Allows reading audit log entries.

You can assign this via user/group permissions.

2. Grant Access to the Audit Log Report Tool

The tool lives under:

/apps/acs-commons/components/audit-log-report

or if you're using the ACS Commons tools UI:

/apps/acs-commons/components/utility/audit-log-report

Permissions needed:

jcr:read on:
- /apps/acs-commons
- /libs/acs-commons (if applicable)
jcr:read on the nodes where the tool UI is rendered (often under /content, e.g., /content/acs-commons)

3. Access to Query Audit Logs (Optional but Important)

If you're using the ACS Commons Audit Log Report UI that queries audit data, make sure the group has access to the QueryBuilder service or permissions to run queries via /bin/querybuilder.json.

Path:

/bin/querybuilder.json
Permission: read + ability to post queries depending on UI behavior.

4. Allow Execution of Audit Log Report Servlet (if applicable)

Some versions of ACS Commons expose the report via a servlet, like:

/bin/acs-commons/audit-log-report

Permissions:

Grant jcr:read and allow access to /bin/acs-commons or the servlet path.

5. General Permissions Needed for Viewing ACS Tools:

jcr:read on /apps/acs-commons
jcr:read on /etc/acs-commons (some config may be here)
jcr:read on /libs/granite/ui
jcr:read on /libs/cq/core/content/tools (if part of classic UI)

Hope this helps!

Santosh Sai

AmitVishwakarma · 5/6/25

Hi @Abbirami ,

Try below steps:

1. Access to Audit Logs Data

Path:

/var/audit

Permission:

jcr:read

Why:
This is where AEM stores audit logs. Without read access, no data will be returned in the report.

2. Access to ACS Commons Audit Log UI

Paths to grant jcr:read:

/apps/acs-commons/components/utility/audit-log-report
/libs/acs-commons
/apps/acs-commons
/content/acs-commons (if you're rendering the tool under a site)
/libs/granite/ui

Optional (if classic UI or older version is involved):

/libs/cq/core/content/tools

3. Access to QueryBuilder Servlet

Path:

/bin/querybuilder.json

Permission:

Allow POST + GET

Why:
Audit report UI uses QueryBuilder to fetch logs. Without this, UI breaks or returns no results.

How to allow:
You may need to explicitly allow this servlet path in your dispatcher filter rules or AEM ACLs.

4. Access to ACS Commons Report Servlet (if applicable)

Path:

/bin/acs-commons/audit-log-report

Permission:

read + allow execution (depends on your setup)

This may vary by version, but if the UI calls this servlet directly, it must be accessible.

5. General UI Permissions (Safe Defaults)

Also grant jcr:read to:

/etc/acs-commons
/libs/cq/security
/libs/cq/gui

Recommended Steps to Apply

1. Create a group:
- audit-log-report-users

2. Assign the user to that group.

3. Apply above permissions via:

- User Admin UI (/security)

- Or create a permission package (via RepoInit or ACL Packager)

4. Test by logging in as a non-admin user and opening:

http://localhost:4502/etc/acs-commons/audit-log-report.html

Regards,
Amit

aanchal-sikka · 5/11/25

@Abbirami Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

Aanchal Sikka

Adobe Experience Manager Sites & More

Permission to generate audit log report in ACS commons for non admin users

Santosh Sai

Learn

Documentation

Events

Community

Support

Resources

Adobe account

Adobe