DocumentationAEMAEM TutorialsAEM as a Cloud Service Tutorials

Product Profile and Services user group permission management

Last update: Sun Mar 23 2025 00:00:00 GMT+0000 (Coordinated Universal Time)
  • Topics:
  • Developing

CREATED FOR:

  • Beginner
  • Developer
  • Leader

Lean how to manage permissions for the Product Profile and Services user groups in AEM as a Cloud Service.

In this tutorial, you learn:

  • Product Profile and its association with Services.
  • Updating the Services user group’s permissions.

Background

When you use an AEM API, you need to assign the Product Profile to the Credentials in the Adobe Developer Console (or ADC) project. The Product Profile (and associated Service) provides the permissions or authorization to the credentials to access the AEM resources. In the following screenshot, you can see the Credentials and Product Profile for an AEM Assets Author API:

Credentials and Product Profile

A Product Profile is associated with one or more Services. In AEM as a Cloud Service, a Service represent user groups with predefined Access Control Lists (ACLs) for repository nodes, allowing granular permission management.

Technical Account User Product Profile

Upon successful API invocation, a user representing the ADC project’s credential is created in the AEM Author service, along with the user groups that match the Product Profile and Services configuration.

Technical Account User Membership

In above scenario, the user 1323d2... is created in the AEM Author service, and is a member of the user groups AEM Assets Collaborator Users - Service and AEM Assets Collaborator Users - author - Program XXX - Environment XXX.

Update Services user group permissions

Most of the Services provide the READ permission to the AEM resources, via the user groups in AEM instance that have the same name as the Service.

There are times when the credentials (aka technical account user) need additional permissions like Create, Update, Delete (CUD) of AEM resources. In such cases, you can update the permissions of the Services user groups in the AEM instance.

For example, when AEM Assets Author API invocation receives a 403 error for non-GET requests, you can update the permissions of the AEM Assets Collaborator Users - Service user group in the AEM instance.

Using the permissions user interface or Sling Repository Initialization script, you can update the permissions of the out-of-the-box user groups in the AEM instance.

Update permissions using the permissions user interface

To update the permissions of the services user group (for example AEM Assets Collaborator Users - Service) using the permissions user interface, follow these steps:

  • Navigate to the Tools > Security > Permissions in the AEM instance.

  • Search for the services user group (for example AEM Assets Collaborator Users - Service).

    Search user group

  • Click Add ACE to add a new Access Control Entry (ACE) for the user group.

    Add ACE

Update permissions using the repository Initialization script

To update the permissions of the services user group (for example AEM Assets Collaborator Users - Service) using the repository initialization script, follow these steps:

  • Open the AEM project in your favorite IDE.

  • Navigate to the ui.config module

  • Create a file in ui.config/src/main/content/jcr_root/apps/<PROJECT-NAME>/osgiconfig/config.author named org.apache.sling.jcr.repoinit.RepositoryInitializer-services-group-acl-update.cfg.json, with the following content:

    {
    "scripts": [
        "set ACL for \"AEM Assets Collaborator Users - Service\" (ACLOptions=ignoreMissingPrincipal)",
        "    allow jcr:read,jcr:versionManagement,crx:replicate,rep:write on /content/dam",
        "end"
    ]
}

  • Commit and push the changes to the repository.

  • Deploy the changes to the AEM instance using the Cloud Manager full-stack pipeline.

  • You can also verify the permissions of the user group using the Permissions view. Navigate to the Tools > Security > Permissions in the AEM instance.

    Permissions view

Verify the permissions

After updating the permissions using any of the above methods, the PATCH request to update the asset metadata should now work without any issues.

PATCH Request

Summary

You learned how to manage permissions for the Product Profile and Services user groups in AEM as a Cloud Service. You can update the permissions of the services user groups in the AEM instance using the permissions user interface or repository initialization script.

recommendation-more-help
4859a77c-7971-4ac9-8f5c-4260823c6f69