Principal View for Permissions Management principal-view-for-permissions-management

Overview overview

AEM 6.5 introduces Permissions Management for Users and Groups. The main functionality remains the same as the classic UI, but is more user-friendly and efficient.

How to Use how-to-use

Accessing the UI accessing-the-ui

The new UI-based permissions management is accessed through the Permissions card under Security as shown below:

Permissions Management UI

The new view makes it easier to look at the whole set of privileges and restrictions for a given principal at all paths where Permissions have been granted explicitly. This removes the need to go to

CRXDE to manage advanced privileges and restrictions. It has been consolidated in the same view. The view defaults to the Group “everyone”.

View of "everyone" group

There is a filter that allows the user to select the type of principals to look at Users, Groups, or All and search for any principal.

Search for types of Principals

Viewing Permissions for a Principal viewing-permissions-for-a-principal

The frame on the left allows users to scroll down to find any principal or search for a Group or a User based on the selected filter, as shown below:

View Permissions for a Principal

Clicking the name shows the assigned permissions on the right. The permissions pane shows the list of Access Control Entries on specific paths along with configured restrictions.

View ACL List

Adding new Access Control Entry for a Principal adding-new-access-control-entry-for-a-principal

New permissions can be added by adding an Access Controlling Entry. Simply click the Add ACE button.

Add new ACL for a Principal

This brings up the window shown below, the next step is to choose a path where the permission must be configured.

Configure permissions path

Here, a path is selected where you can configure a permission for dam-users:

Example configuration for dam-users

After the path is selected, the workflow goes back to this screen, where the user can then select one or more of the privileges from the available namespaces (like jcr, rep or crx) as shown i below.

Privileges can be added by searching using the text field and then selecting from the list.

For a complete list of privileges and descriptions, see this page.

Search permission for a given path. Add New Entry for 'dam-users' as shown by a path selected in vertical columns.

After the list of privileges has been selected, the user can choose the Permission Type : Deny or Allow, as shown below.

Select permission Select permission

Using Restrictions using-restrictions

In addition to the list of privileges and the Permission Type on a given path, this screen also lets you add restrictions for fine grained access control as shown below:

Add restrictions

For more information on what each restriction means, see the Jackrabbit Oak Documentation.

Restrictions can be added as shown below by choosing the restriction type, entering the value and hitting the + icon.

Add the restriction type Add the restriction type

The new ACE is reflected in the Access Control List as shown below. Note that jcr:write is an aggregate privilege that includes jcr:removeNode that was added above, but is not shown below as its covered under jcr:write.

Editing ACEs editing-aces

Access Control Entries can be edited by selecting a principal and choosing the ACE that you want to edit.

For example, here you can edit the below entry for dam-users by clicking the pencil icon on the right:

Add restriction

The edit screen is shown with configured ACEs preselected, these can be deleted by clicking the cross icon next to them or new privileges can be added for the given path, as shown below.

Edit entry

Here the addChildNodes privilege is added for dam-users on the given path.

Add privilege

Changes can be saved by clicking the Save button on top right, and the changes are reflected in the new permissions for dam-users as shown below:

Save changes

Deleting ACEs deleting-aces

Access Control Entries can be deleted to remove all permissions given to a principal on a specific path. The X icon on next to ACE can be used to delete it as shown below:

Delete ACEs Delete ACEs

Classic UI Privilege Combinations classic-ui-privilege-combinations

The new permissions UI explicitly uses the basic set of privileges instead of predefined combinations that do not truly reflect the exact underlying privileges that were granted.

It caused confusion as to what exactly is being configured. The following table lists the mapping between the privilege combinations from the Classic UI to the actual privileges that constitute them:

Classic UI Privilege Combinations
Permissions UI Privilege










Read ACL
Edit ACL