Hello, a pleasure to greet you I have two sites, one is hosted at /content/site1 and the other at /content/site2. I have a role called author_site1 and another called author_site2. The error I'm experiencing is when I assign a user to both the author_site1 group and the author_site2 group, it removes the permission to view both contents.I have tried different ways to manage permissions:Allow everything in /content and, for author_site1, deny everything except /content/site1, and for author_site2, deny everything except /content/site2. When assigning a user to only one group, this works correctly, but when I assign both groups, I can't see anything.Deny everything in /content and only allow content from /content/site1 for author_site1. I do the same for author_site2: deny everything in /content and only allow content in /content/site2. When assigning only one group to the user, it doesn't allow me to see any content.Create an additional group responsible for denying everything, and have author_site1 with permission to allow /content/site1 and author_site2 with permission to allow /content/site2. In this case, the same issue occurs as in point 2; I can't see anything when assigning only one group to the user.As an additional note, I adjust all these permissions with jcr:all. I have also tried modifying permissions in the 'Permissions' tab of each content, and I tried assigning the deny-all group in the 'Details' PopUp to the /content path, but it didn't work either.There is also a group that is always added by default called 'everyone'. I have version 6.5.18 of AEM.

New Member

Solved

User with two groups

Forum|Forum|8 months ago
May 13, 2025
3 replies
1044 views

Hello, a pleasure to greet you

I have two sites, one is hosted at /content/site1 and the other at /content/site2. I have a role called author_site1 and another called author_site2. The error I'm experiencing is when I assign a user to both the author_site1 group and the author_site2 group, it removes the permission to view both contents.

I have tried different ways to manage permissions:

Allow everything in /content and, for author_site1, deny everything except /content/site1, and for author_site2, deny everything except /content/site2. When assigning a user to only one group, this works correctly, but when I assign both groups, I can't see anything.
Deny everything in /content and only allow content from /content/site1 for author_site1. I do the same for author_site2: deny everything in /content and only allow content in /content/site2. When assigning only one group to the user, it doesn't allow me to see any content.
Create an additional group responsible for denying everything, and have author_site1 with permission to allow /content/site1 and author_site2 with permission to allow /content/site2. In this case, the same issue occurs as in point 2; I can't see anything when assigning only one group to the user.

As an additional note, I adjust all these permissions with jcr:all. I have also tried modifying permissions in the 'Permissions' tab of each content, and I tried assigning the deny-all group in the 'Details' PopUp to the /content path, but it didn't work either.

There is also a group that is always added by default called 'everyone'. I have version 6.5.18 of AEM.

Best answer by AmitVishwakarma

Hi @juan_carlosor2 ,

Root Cause:

1. Deny rules take precedence over all allow rules — even if a path is explicitly allowed.
2. If a user is in both author_site1 and author_site2, and each denies /content except their own site, each group ends up denying the other's site, resulting in no access at all.
3. You also need to explicitly allow access to shared folders like /apps, /conf, /etc, etc., for pages to render properly.

Try below solution: (Only Use Allow Rules — No Deny)

Group: author_site1

Allow jcr:read or jcr:all on:

- /content/site1

- /apps/<your-site1-components>

- /conf/<your-site1-conf>

- /etc/clientlibs/<your-site1-libs> (if used)

- /var/workflow (if workflow is needed)

Group: author_site2

Allow jcr:read or jcr:all on:

- /content/site2

- /apps/<your-site2-components>

- /conf/<your-site2-conf>

- /etc/clientlibs/<your-site2-libs> (if used)

- /var/workflow (if workflow is needed)

Shared Read Access Group

Create a group called site-authors-base with read-only access to:

- /apps

- /libs

- /etc

- /conf

- /var

- /content/dam (if shared assets exist)

- /content/experience-fragments (if shared XFs exist)

Then make author_site1 and author_site2 members of site-authors-base.

Regards,
Amit

arunpatidar

Community Advisor

Hi @juan_carlosor2

Don't use deny rule as it has preference, it may conflict with use case.

Only use allow permission e.g. author_site1 group, allow /content/site1

Arun Patidar

J

Juan_CarlosOr2Author

New Member

Yes, I have also tried removing the deny-all and leaving only the allow /content/site1 or /content/site2, but this causes nothing to be visible. I can only see something when I also add /, but this causes all contents to be visible, even those that shouldn't be.

arunpatidar

Community Advisor

Hi @juan_carlosor2

You also need read group which allow read only access to other content which is required to render a page/template /apps, /etc, /var, /conf etc.

Arun Patidar

K_M_K_Srikanth

Hi @juan_carlosor2

This issue you're facing is a common challenge in AEM when dealing with overlapping deny permissions across multiple groups. Here's a clear explanation of what's happening and how to fix it:

AEM permission evaluation is additive but with precedence for deny rules. This means:

Allow permissions from one group can be overridden by deny permissions from another.
When a user belongs to multiple groups, any deny takes precedence over allow — even if the allow is more specific.

In your case:

When you assign both author_site1 and author_site2 to a user, the deny rules from each group cancel out the allow rules of the other, effectively blocking access to both sites.

Here’s how to fix it:

🔧 Option 1: Use Only Allow Rules (No Deny)

Remove all deny rules from author_site1 and author_site2.
For each group:
- Grant only the required permissions to the relevant path.
  - author_site1 → allow on /content/site1
  - author_site2 → allow on /content/site2
Do not add any permissions (allow/deny) to /content itself.
Let the lack of permissions act as implicit denial for other paths.

This way, users will only have access to the paths explicitly allowed.

Example Permissions Setup

Group: author_site1
- Allow (jcr:all) on /content/site1
Group: author_site2
- Allow (jcr:all) on /content/site2
No deny anywhere — especially not on /content or across-site paths

J

Juan_CarlosOr2Author

New Member

"This case causes no content to be visible. If I only add allow /content/site1, I don't see any content, but when I add /, then the contents are visible, including contents that shouldn't be seen."

K_M_K_Srikanth

Please try either of these options or if you can share a screenshot of any reference then it will be useful for further analysis

Approach 1:

for group author_site1

deny jcr:all on /content

allow jcr:all on /content/jcr:content

allow (your permissions) on /content/author_site1

for group author_site2

deny jcr:all on /content

allow jcr:all on /content/jcr:content

allow (your permissions) on /content/author_site2

Approach 2

or create a super group something like

author_default

deny jcr:all on /content

allow jcr:all on /content/jcr:content

add this as a member of everyone

then

for group author_site1

allow (your permissions) on /content/author_site1

add this group as a member of author_default

for group author_site2

allow (your permissions) on /content/author_site2

add this group as a member of author_default

AmitVishwakarma

Accepted solution

Community Advisor

Hi @juan_carlosor2 ,

Root Cause:

1. Deny rules take precedence over all allow rules — even if a path is explicitly allowed.
2. If a user is in both author_site1 and author_site2, and each denies /content except their own site, each group ends up denying the other's site, resulting in no access at all.
3. You also need to explicitly allow access to shared folders like /apps, /conf, /etc, etc., for pages to render properly.

Try below solution: (Only Use Allow Rules — No Deny)

Group: author_site1

Allow jcr:read or jcr:all on:

- /content/site1

- /apps/<your-site1-components>

- /conf/<your-site1-conf>

- /etc/clientlibs/<your-site1-libs> (if used)

- /var/workflow (if workflow is needed)

Group: author_site2

Allow jcr:read or jcr:all on:

- /content/site2

- /apps/<your-site2-components>

- /conf/<your-site2-conf>

- /etc/clientlibs/<your-site2-libs> (if used)

- /var/workflow (if workflow is needed)

Shared Read Access Group

Create a group called site-authors-base with read-only access to:

- /apps

- /libs

- /etc

- /conf

- /var

- /content/dam (if shared assets exist)

- /content/experience-fragments (if shared XFs exist)

Then make author_site1 and author_site2 members of site-authors-base.

Regards,
Amit

J

Juan_CarlosOr2Author

New Member

We have finally taken this approach, it is not the result we initially expected but it works for us. In addition we also gave read permission to the root "/"

The end result is that you can read all the content, but the difference is in the writing and publishing permissions that each group has.

Thank you all

🔧 Option 1: Use Only Allow Rules (No Deny)

Example Permissions Setup

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded