Setting up ACLs

The following section explains how to segregate projects using ACLs so that each individual or team handles their own project.

As an AEM administrator, you want ensure that team members of a project do not interfere with other projects and each of the users are assigned specific roles as per project requirements.

Setting up Permissions

The following steps summarize the procedure for setting up ACLs for a project:

  1. Login to AEM and navigate to Tools > Security.


  2. Click Groups and enter an ID (for example, Acme).

    Alternatively, use this link, http://localhost:4502/libs/granite/security/content/groupadmin.html.

    Subsequently, click Save.


  3. Select Contributors from the list and double click it.


  4. Add the Acme (project you created) to Add Members to Group. Click Save.



    If you want project team members to register players (which involves creating a user for every player) find the group user-administrators and add the ACME group to user-administrators

  5. Add all the users who will be working on the Acme Project to the Acme group.


  6. Setup the permissions for the group Acme using this (http://localhost:4502/useradmin).

    Select the group Acme and click the permissions.



The following table summarizes the path with the permissions at the project level:

Path Permission Description
/apps/<project> READ Provides access to project files (if applicable)
/content/dam/<project> ALL Provides access to store the projects assets such as images or video in DAM
/content/screens/<project> ALL Removes access to all other projects under /content/screens
/content/screens/svc READ Provides access to the registration service
/libs/screens READ Provides access to DCC
/var/contentsync/content/screens/ ALL Allows to update offline content for the project

In some cases, you can separate author functions (such as managing assets and creating channels) from admin functions (such as registering players). In such a scenario, create two groups and add the authors group to contributors and the admin group to both contributors and user-administrators.

Creating Groups

Creating a new project should also create default user groups with a basic set of permissions assigned. You should extend the permissions to the typical roles we have for AEM Screens.

For example, you can create the following project specific groups:

  • Screens Project Administrators
  • Screens Project Operators (register players, and manage locations and devices)
  • Screens Project Users (work with channels, schedules and channel assignments)

The following table summarizes the groups with description and permissions for an AEM Screens project:

Group name Description Permissions
Screens Admins
Admin level access for AEM Screens capabilities
  • Member Of Contributors
  • Member OF user-administrators
  • ALL /content/screens
  • ALL /content/dam
  • ALL /content/experience-fragments
  • ALL /etc/design/screens
Screens Users
Create and update channels and schedules and assign to location in AEM Screens
  • Member Of Contributors
  • <project> /content/screens
  • <project> /content/dam
  • <project> /content/experience-fragments
Screens Operators
Create and update location structure and register players in AEM Screens
  • Member Of Contributors
  • jcr:all /home/users/screens
  • jcr:all /home/groups/screens
  • <project> /content/screens
Screens Players
Groups all players and all players/devices are member of the contributors automatically.

Member of Contributors

On this page