Closed User Groups

Last update: March 23, 2025
  • Applies to:
  • Experience Manager 6.4
  • Experience Manager 6.5
  • Experience Manager as a Cloud Service

CREATED FOR:

  • Intermediate
  • Admin

Closed User Groups (CUGs) is a feature used to restrict access to content to a select group of users on a published site. This video shows how Closed User Groups can be used with Adobe Experience Manager Assets to restrict access to a specific folder of assets. Support for Closed User Groups with AEM Assets was first introduced in AEM 6.4.

Transcript

Let’s take a look at closed user groups in AEM Assets. Closed user groups, commonly - referred to as CUGs, is a feature that’s used to limit access to specific areas of a published website. This feature has long been enabled and available within AEM - sites, and it’s allowed authors to configure and restrict - access through the UI. Now with AEM Assets, a - similar UI is available. Let’s look at a quick scenario. If we navigate to our - published WKND magazine page, you’ll notice we have a - special section set up for members only. This section is grayed out, - as it’s only accessible to authenticated users. After successfully authenticating and logging in, we’re able - to view this member area and its exclusive content. Depending on your implementation, images from this page may - be accessible directly through the DAM. If we leave this member - only section and log out, we’re still able to view this image from the members only area - with the direct reference link. Let’s apply the same restrictions to these digital assets that - we have on our sites page. This is done with the - closed user group policies through AEM Assets. Navigating into our AEM Assets folder on our offering instance, we have a folder for members only page. Taking a look inside the folder, we find the images that were - being used on that page. Let’s restrict this - content so only members are able to see these digital assets. The first thing we’ll do is navigate up one level in the folder hierarchy. With AEM Assets, closed - user groups are applied only at the folder level. CUGs do not need to be applied at the individual asset level. Bringing up our folder properties - and selecting permissions, we see a member section for permissions on the AEM Author Instance and a section for closed user groups. To restrict access, we’ll - select the group WKND Members that I’ve created for this demonstration and click add. The default permission level for this new user group is viewer. The last step is to publish - our new folder properties to the publish instance. Now that we’ve added this - permission at the folder level, only authenticated members will - have access to this content, even with a direct link. Note that any user groups - that are created will also need to be published. Returning to our published instance, if we try to access our - image asset from before, we’re greeted with a 404 error, telling us that this - resource cannot be found. While this is an effective - way to restrict content, it’s not the best - experience for the customer. Ideally, we’d want to redirect the customer to a login prompt. Returning to AEM Assets and reviewing our folders properties, we have an option to enable - authentication requirements. Now we can specify a login - page to redirect users to who have not been authenticated. Again, any changes made on AEM Author must be published to take effect.

Now, if we try to access - the same image directly through the DAM, without - being authenticated we’re redirected to a login page.

After authenticating, we’re - able to view the content.

An important note when using closed user - groups is to make sure that you’re not using an - asset that has restrictions on a page that might be - hit by an anonymous user. Let’s switch out this background image from one from our restricted - folder and publish the update.

Moving back to the published page, we’re able to see our new image because we’re still authenticated. If we log out and browse this - page as an anonymous user, we can no longer see that image. Instead, we see a blank space - where the image should be. Other best practices for closed user groups continue to apply, whether you’re using them - for AEM Sites or AEM Assets. There are some additional - settings that should be configured at the dispatcher level to - prevent any accidental caching of restricted content. Links can be found below this video for further reading on how close - user groups are implemented and advanced configurations. - -

Closed User Group (CUG) with AEM Assets

  • Designed to restrict access to assets on an AEM Publish instance.
  • Grants read access to a set of users/groups.
  • CUG can only be configured at a folder level. CUG cannot be set on individual assets.
  • CUG policies are automatically inherited by any sub-folders and applied assets.
  • CUG policies can be overridden by sub-folders by setting a new CUG policy. This should be used sparingly and is not considered a best practice.

Closed User Groups vs. Access Control Lists

Both Closed User Groups (CUG) and Access Control Lists (ACL) are used to control access to content in AEM and based on AEM Security users and groups. However the application and implementation of these features is very different. The following table summarizes the distinctions between the two features.

ACLCUG
Intended UseConfigure and apply permissions for content on the current AEM instance.Configure CUG policies for content on AEM author instance. Apply CUG policies for content on AEM publish instance(s).
Permission LevelsDefines granted/denied permissions for users/groups for all levels: Read, Modify, Create, Delete, Read ACL, Edit ACL, Replicate.Grants read access to a set of users/groups. Denies read access to all other users/groups.
PublicationACLs are not published with content.CUG policies are published with content.
Previous pageExtract archive
Next pageMetadata-driven permissions

Experience Manager