For example, you have a component which should be authored only by admins. The edit access for this component has to be restricted to one particular user group only.
I understand your question in a way that only a certain user group should be able to add/edit the content of a component on a page (it's not about the access to the component definition itself).
In that case working with access control on the component definition (somewhere below /apps) won't help you at all. Instead you must restrict access to the content which references this component as resourceType. Technically this is possible to implement using a custom restriction provider on an Oak level. But I doubt that you want to go down that route (it's possible, but there are no good examples around of how to do it correctly).
Another option is to move that content out of the regular content tree and embed it via CF/XF or a different inclusion mechanism, and then work with ACLs to limit write access to this CF/XF.
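The second option from the answer above (ACLs on the XF that holds the restricted content), written against the JCR/Jackrabbit API as an added example; it is not code from this thread. The XF path and both group names are assumptions, and the session passed in must be allowed to read and modify access control at that path.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
/** Added example: restricts write on one XF subtree and checks the result. Path and groups are assumed. */
public final class RestrictedFragmentAcl {
    static final String XF_PATH = "/content/experience-fragments/yourproject/restricted";
    static final String AUTHORS = "content-authors";
    static final String ADMINS = "admin-authors";
    static final String[] WRITE = {Privilege.JCR_WRITE, Privilege.JCR_NODE_TYPE_MANAGEMENT};
    /** Denies write to regular authors, then allows it to the admin group. */
    public static void apply(Session session) throws RepositoryException {
        PrincipalManager pm = ((JackrabbitSession) session).getPrincipalManager();
        Privilege[] write = AccessControlUtils.privilegesFromNames(session, WRITE);
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, XF_PATH);
        if (acl == null) throw new RepositoryException("No editable ACL at " + XF_PATH);
        Principal authors = pm.getPrincipal(AUTHORS), admins = pm.getPrincipal(ADMINS);
        if (authors == null || admins == null) throw new RepositoryException("Missing group");
        acl.addEntry(authors, write, false);
        // Within one list Oak gives later entries precedence, so the allow goes last.
        acl.addEntry(admins, write, true);
        session.getAccessControlManager().setPolicy(XF_PATH, acl);
        session.save();
    }

    /** True if the principal, together with its group principals, holds write on the XF. */
    public static boolean canWrite(Session session, String principalName) throws RepositoryException {
        PrincipalManager pm = ((JackrabbitSession) session).getPrincipalManager();
        Principal user = pm.getPrincipal(principalName);
        if (user == null) return false;
        Set<Principal> principals = new HashSet<>();
        principals.add(user);
        for (PrincipalIterator it = pm.getGroupMembership(user); it.hasNext();) {
            principals.add(it.nextPrincipal());
        }
        JackrabbitAccessControlManager acm =
                (JackrabbitAccessControlManager) session.getAccessControlManager();
        return acm.hasPrivileges(XF_PATH, principals,
                AccessControlUtils.privilegesFromNames(session, WRITE));
    }
}
```

Calling `canWrite` for a regular author and for a member of the admin group after `apply` confirms the ACL on the content path, not on the component definition under /apps, is what decides who can edit.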
To ensure only admins or a specific user group (e.g., content-authors-admin) can edit a specific AEM component:
1. Create User Group
- Use /useradmin to create a group (e.g., content-authors-admin) and add users.
2. Set ACL Permissions
- In /crx/de, navigate to the component path (/apps/yourproject/components/restricted).
- Deny write access (jcr:write, rep:write) for everyone.
- Allow write access for content-authors-admin.
3. Optional: Hide from Authoring UI
- Use cq:editConfig to limit editing actions.
- Adjust allowedComponents in template policy to hide the component from unauthorized authors.
4. Verify Access
- Test with normal authors (read-only) and admin users (edit access).
Only specified users/groups can edit the component; others can view but not modify it.
Hope this helps.
Hi,
You can try it like this:
Go to CRX/DE Lite (/crx/de)
Navigate to your component path:
/apps/projectname/components/sample
Set permissions:
- Deny replicate, modify, and write access to general author groups (like content-authors)
- Allow full access (read, modify, write) to admin-authors
Use the User Admin Console (/useradmin) or CRX Access Control Editor to do this.
What if content authors have read, modify, delete permissions from useradmin? Will they conflict with the CRXDE access control?
Hi @donquixote_dofl ,
Try the solution below:
1. Create the User Group
Go to /useradmin:
- Create a group: admin-authors
- Add users who should be able to edit the component
2. Set Component Permissions
Navigate in /crx/de to the component:
/apps/yourproject/components/securecomponent
Deny Access to Regular Authors:
- Right-click the component → Access Control
- Select group content-authors
- Deny:
  - jcr:write
  - rep:write
  - jcr:modifyProperties
Allow Access to Admin Authors:
- Add admin-authors group
- Allow:
  - jcr:read
  - jcr:write
  - jcr:modifyProperties
  - jcr:nodeTypeManagement (optional, for dialog editing)
Note: In AEM, deny wins over allow. So if a user is in multiple groups (one denied, one allowed), they still get denied.
Regards,
Amit
Hi @donquixote_dofl ,
One approach can be as follows:
1. Create a node cq:EditConfig with insert/copy with allowed default property
2. Add the sly tag below to call the Sling model
<sly data-sly-use.disableEdit="com.projectname.core.models.EditToolbarModel"></sly>
3. Create a Sling model to allow editing if the user is part of certain allowed groups
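    import java.util.Arrays;
    import java.util.Iterator;
    import java.util.List;
    import javax.annotation.PostConstruct;
    import javax.jcr.RepositoryException;
    import org.apache.jackrabbit.api.security.user.Group;
    import org.apache.jackrabbit.api.security.user.User;
    import org.apache.sling.api.SlingHttpServletRequest;
    import org.apache.sling.api.resource.Resource;
    import org.apache.sling.models.annotations.DefaultInjectionStrategy;
    import org.apache.sling.models.annotations.Model;
    import org.apache.sling.models.annotations.injectorspecific.SlingObject;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import com.day.cq.wcm.api.WCMMode;
    import com.day.cq.wcm.api.components.ComponentContext;
    import com.day.cq.wcm.api.components.EditAction;
    import com.day.cq.wcm.api.components.EditContext;
    import com.day.cq.wcm.api.components.Toolbar;
    import com.day.cq.wcm.commons.WCMUtils;
    // DataException is not shown in the post; assumed to be the project's own unchecked exception.

    @Model(adaptables = {
            SlingHttpServletRequest.class,
            Resource.class}, defaultInjectionStrategy = DefaultInjectionStrategy.OPTIONAL)
    public class EditToolbarModel {
        private static final Logger LOG = LoggerFactory.getLogger(EditToolbarModel.class);

        // Null when the model is adapted from a Resource instead of a request.
        @SlingObject
        private SlingHttpServletRequest request;

        // Adds the edit and delete toolbar actions only in edit mode and only for allowed users.
        @PostConstruct
        protected void init() {
            if (request == null) {
                return;
            }
            if (WCMMode.fromRequest(request) == WCMMode.EDIT && isUserAllowed(request)) {
                ComponentContext componentContext = WCMUtils.getComponentContext(request);
                EditContext editContext = componentContext != null ? componentContext.getEditContext() : null;
                if (editContext != null) {
                    Toolbar toolbar = editContext.getEditConfig().getToolbar();
                    toolbar.add(EditAction.EDIT);
                    toolbar.add(EditAction.DELETE);
                }
            }
        }

        // Returns true if the current user is a member of at least one allowed group.
        private boolean isUserAllowed(SlingHttpServletRequest request) {
            List<String> groupList = Arrays.asList("super-author", "group2", "otherGroupToBeAllowed");
            try {
                User currentUser = request.getResourceResolver().adaptTo(User.class);
                if (currentUser != null) {
                    Iterator<Group> currentUserGroups = currentUser.memberOf();
                    while (currentUserGroups.hasNext()) {
                        Group group = currentUserGroups.next();
                        if (groupList.contains(group.getID())) {
                            return true;
                        }
                    }
                }
            } catch (RepositoryException e) {
                throw new DataException(e);
            }
            return false;
        }
    }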
PS: The user will still be able to edit from CRXDE if they have access to CRX and are part of content authors.
Thanks
@MukeshYadav_ Could you please provide more details on Edit Toolbar Service?
Hi @donquixote_dofl ,
I forgot to remove Inject Edit Toolbar Service. Actually, the isUserAllowed method was part of the service so that it can be used in multiple places in the project if required.
For simplicity I have kept the isUserAllowed method in the model itself in the above comment, so there is no need to inject that service.
Thanks