Setting up Access Control Lists (ACLs)

Last update: September 5, 2024

CREATED FOR:

  • Intermediate
  • Admin

The following section explains how to segregate projects using Access Control Lists (ACLs) so that each individual or team handles their own project.

As an AEM administrator, you want to ensure that team members of a project do not interfere with other projects. Each user is assigned specific roles as per project requirements.

Setting up Permissions

The following steps summarize the procedure for setting up ACLs for a project:

  1. Login to AEM and navigate to Tools > Security.

    screen_shot_2018-02-16at10156pm

  2. Click Groups and enter an ID (for example, Acme).

    Alternatively, use this link, http://localhost:4502/libs/granite/security/content/groupadmin.html.

    Next, click Save.

    screen_shot_2018-02-16at12648pm

  3. Click Contributors from the list and double-click it.

    screen_shot_2018-02-18at33938pm

  4. Add the Acme (project that you created) to Add Members to the Group. Click Save.

    screen_shot_2018-02-18at35630pm

    NOTE
    If you want project team members to register players (which involves creating a user for every player) find the group user-administrators and add the ACME group to user-administrators

  5. Add all the users who are working on the Acme Project to the Acme group.

    screen_shot_2018-02-18at41320pm

  6. Set up the permissions for the group Acme using this (http://localhost:4502/useradmin).

    Click the group Acme and click the permissions.

    screen_shot_2018-02-18at41534pm

Permissions

The following table summarizes the path with the permissions at the project level:

PathPermissionDescription
/apps/<project>READProvide access to project files, if applicable.
/content/dam/<project>ALLProvide access to store the project assets such as images or video in DAM.
/content/screens/<project>ALLRemoves access to all other projects under /content/screens.
/content/screens/svcREADProvide access to the registration service.
/libs/screensREADProvide access to DCC.
/var/contentsync/content/screens/ALLHelp you update offline content for the project.
NOTE
Sometimes, you can separate author functions (such as managing assets and creating channels) from admin functions (such as registering players). In such a scenario, create two groups and add the authors group to contributors and the admin group to both contributors and user-administrators.

Creating Groups

Creating a project should also create default user groups with a basic set of permissions assigned. Extend the permissions to the typical roles defined in AEM Screens.

For example, you can create the following project-specific groups:

  • Screens Project Administrators
  • Screens Project Operators (register players, and manage locations and devices)
  • Screens Project Users (work with channels, schedules, and channel assignments)

The following table summarizes the groups with description and permissions for an AEM Screens project:

Group nameDescriptionPermissions
Screens Admins
screens-admins		Admin level access for AEM Screens capabilities
  • Member Of Contributors
  • Member OF user-administrators
  • ALL /content/screens
  • ALL /content/dam
  • ALL /content/experience-fragments
  • ALL /etc/design/screens
Screens Users
screens-users		Create and update channels and schedules and assign to locations in AEM Screens
  • Member Of Contributors
  • <project> /content/screens
  • <project> /content/dam
  • <project> /content/experience-fragments
Screens Operators
screens-operators		Create and update location structure and register players in AEM Screens
  • Member Of Contributors
  • jcr:all /home/users/screens
  • jcr:all /home/groups/screens
  • <project> /content/screens
Screens Players
screens-<project>-devices		All players and all players/devices are members of the contributors automatically.Member of Contributors

Experience Manager


The Perfect Blend: A New Era of Collaboration with AEM and Workfront

Adobe Customer Success Webinars

Wednesday, Apr 2, 5:00 PM UTC

Explore how Adobe Experience Manager and Workfront integrate to help teams move from ideation to delivery without the usual bottlenecks, ensuring content is organized, on-brand, and ready to go live faster.

Register

Elevate and Empower Teams with Agentic AI for Exceptional Experiences

Online | Strategy Keynote | General Audience

Elevate and empower your CX teams with AI that transforms creativity, personalization, and productivity. Discover how Adobe is...

Tue, Mar 18, 1:00 PM PDT (8:00 PM UTC)

Register

3 Pillars of Purpose-driven Experiences: Trust, Data, and GenAI

In-person | Session | General Audience

Learn how leading B2B and B2C brands like AT&T and IBM are intersecting data, GenAI and trust to build “purpose-driven” experiences that...

Wed, Mar 19, 1:00 PM PDT (8:00 PM UTC)

Register

Connect with Experience League at Summit!

Get front-row access to top sessions, hands-on activities, and networking—wherever you are!

Learn more

Register now