Users automatically added to Contributors group in AEM as a Cloud Service

In AEM as a Cloud Service, users who authenticate through Adobe IMS are automatically added to the Contributors group, even if DefaultSyncHandler configurations are set to prevent automatic group membership. This behavior can grant unintended permissions to Sites and Assets. To fix this, you need to understand why this occurs and apply supported strategies to manage access.

Description

Environment

  • AEM as a Cloud Service
  • Adobe IMS authentication
  • DefaultSyncHandler configuration modified to disable automatic group membership

Issue/Symptoms

  • Users created or synced through IMS continue to be placed in the Contributors group.
  • Users receive access permissions that don’t align with the organization’s access-control model.
  • DefaultSyncHandler settings don’t override IMS-driven group assignments.

Cause

  • IMS authentication automatically assigns all users to the Contributors group.
  • DefaultSyncHandler settings don’t control IMS-driven group assignments.
  • This configuration is standardized across AEM as a Cloud Service for consistency and stable identity synchronization.
  • Engineering has confirmed that disabling or customizing this automatic group assignment isn’t supported.

Resolution

Notes:

  • It isn’t possible to prevent IMS-authenticated users from being automatically added to the Contributors group. The recommended and supported approach is to keep the default configuration in place.
  • The automatic addition to Contributors occurs only when authentication relies on IMS or IMS tokens.
  • Environments that do not use IMS authentication will not experience this behavior.

If you need to restrict access, apply deny rules in a controlled manner.

  • Keep the default configuration for IMS authentication and Contributors group membership.
  • Identify areas or actions that require restricted access.
  • Apply deny rules to the Contributors group for those areas or actions.
  • Avoid using deny rules as the primary authorization strategy; use them only for specific scenarios.
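
The deny-rule approach above could be expressed as a Sling repoinit script. This is an added example, not Adobe's own configuration: it assumes the Contributors group has the principal ID `contributor` (verify this in your environment), and both content paths are hypothetical placeholders.

```repoinit
# Added example: scoped deny rules for the Contributors group.
# Assumption: the group's principal ID is "contributor"; confirm it in the
# environment before deploying.
# Assumption: both paths below are hypothetical placeholders and must already
# exist in the repository, otherwise the script fails when it is applied.

set ACL for contributor
    # Restricted Sites subtree (hypothetical path)
    deny jcr:read on /content/example-site/restricted

    # Restricted Assets folder (hypothetical path)
    deny jcr:read on /content/dam/example-restricted
end
```

Each deny entry covers one restricted area, and the default IMS and Contributors configuration is left unchanged.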