HomeAEM Fundamentals › Users, groups & ACLs

Users, groups & ACLs

Purpose: Understand principals, group-based permissions, and how ACL evaluation works on the content tree.

Who this page is for

AudienceWhy it matters to you
All engineersPermissions underlie most "it works for me" mysteries
Tech leadsGovernance foundation

Model

Permissions attach to paths and are granted to principals (users/groups). Best practice is strictly group-based: users get membership, groups get ACLs.

/content/phi                    everyone: read (on publish via anonymous)
  └── plans/                    phi-plan-authors: read/modify/create
                                phi-plan-reviewers: + replicate

Key permission verbs

VerbGrants
readSee nodes/properties
modifyChange properties
create/deleteNodes below the path
replicatePublish/unpublish
acl_read / acl_editSee/change permissions themselves

Evaluation: an access decision walks up from the target node; the nearest explicit allow/deny for any of the principal's groups wins; deny beats allow at equal proximity. Keep rules coarse and high in the tree — node-level one-off ACLs become unmaintainable.

Standard group pattern (generic)

GroupRights
site-authorsread/modify/create under the site's /content, read /content/dam
site-reviewersauthors + replicate
site-dam-authorsmodify /content/dam/<site>
developers (non-prod)broad read, /apps read; no prod write

Service users

Backend code must not run as admin. Use service users with minimal ACLs, mapped to your bundle via the Service User Mapper — see Least privilege & service users for the full pattern.

Debugging permissions

Quick navigation