Documentation

Unlocking a locked page in AEM by any user

Last update: Thu May 14 2026 00:00:00 GMT+0000 (Coordinated Universal Time)

In Adobe Experience Manager (AEM), pages that are locked by another user cannot always be unlocked by administrators. Page locks in AEM determine who can modify or release access to content, and which users or groups are permitted to break those locks in AEM as a Cloud Service (AEMaaCS).

Historically, a locked page in AEM could be unlocked only by:

  • The user who locked the page, or
  • The default master admin account.
  • Members of the administrators group could not unlock it. This limitation has been addressed in AEM as a Cloud Service 2024.10 by leveraging new features in Apache Jackrabbit Oak, enabling additional users or groups to unlock pages while preserving out-of-the-box (OOTB) administrative behavior.

Description description

Environment

Adobe Experience Manager as a Cloud Service (AEMaaCS)

Issue / Symptoms

A page, locked either manually or programmatically, can be unlocked only by:

  • The user that put the lock on the page, or
  • The default master admin user.

Question: Is there a way to break the lock if the original locking user or the admin user is unavailable?

Resolution resolution

Following the implementation of the new features of Apache Jackrabbit OAK in AEMaaCS 2024.10, any user who is specified OR is a member of a group that is specified as administrativePrincipals in the following OSGi configuration can unlock a page in AEMaaCS:

Apache Jackrabbit Oak AuthorizationConfiguration
(org.apache.jackrabbit.oak.security.authorization.AuthorizationConfigurationImpl)

In AEMaaCS, the default configuration includes an environment-based value:

{  "administrativePrincipals": [     "administrators",    "$[ env:aemCloudAdministrators;default=administrators] "  ] }

Important: Do not remove or replace this default value. Your changes must be additive (add extra entries), otherwise the out-of-the-box administrative access can break.

You can add other users or groups in AuthorizationConfiguration using the administrativePrincipals property. For instance, the example below includes an additional group unlockers while keeping the default entry:

{
  "administrativePrincipals": [
    "administrators",
    "$[ env:aemCloudAdministrators;default=administrators] ",
    "unlockers"
  ]
}

Caution: administrativePrincipals are granted full permissions on the complete repository content.

There are several ways to set OSGi configs in AEMaaCS. For full details, refer to Configuring OSGi for Adobe Experience Manager as a Cloud Service.

Allowing users to impersonate other users in AEM as a Cloud Service

recommendation-more-help
3d58f420-19b5-47a0-a122-5c9dab55ec7f