This article emphasizes the critical role of group-based permissions in AEM Assets for securing digital asset folders, streamlining administration, and ensuring brand consistency, regulatory compliance, and operational control. It outlines best practices for configuring and maintaining user groups and permissions to uphold data security and system stability.
Getting started with user groups and permissions
Now that you have learned about Best practices and tips for getting started with AEM Assets and folder structure & naming, this article builds on those best practices and focuses on users and permissions.
Securing your digital asset folders with permissions is essential in any organization that manages several groups of users, each needing different access to different assets.
In AEM Assets, users are individual accounts that log into the AEM Assets instance, whereas groups are logical collections of users, other groups, or both.
Groups tend to remain stable, whereas users come and go more frequently.
Why Use User Groups and Permissions
Permissions control who can view, edit, or manage assets.
Group-based permissions simplify administration and ensure secure access.
Groups simplify the management of permissions and access, as a change made to a group is applied to all members of the group. Groups often reflect:
- A role within the application - such as someone who is allowed to view content, or someone who is allowed to contribute content.
- Your organization’s content access control needs - allowing you to differentiate between contributors from different departments and what each can access and do.
User Groups and Permissions provide or allow for:
- Data security - safeguarding sensitive and confidential assets.
- Brand consistency - ensuring only approved users access and publish assets.
- Regulatory compliance - supporting copyrights, licensing, digital rights management, and privacy laws (for example, GDPR).
- Operational control - preventing unauthorized access, changes or deletions.
Within each group, specific privileges or permissions are configured which define who can access, read, and modify content within AEM Assets. Permissions are configured in AEM using access control lists (ACL), which are:
- Rules which are applied to a folder, asset or node.
- Configured for each group to allow or deny users in that group access to different capabilities.
- Sequenced in a way to put the highest priority items first.
“AEM Assets leverages hierarchical folder structures, and permissions applied to a parent folder automatically cascade to its child folders and contained assets. This built-in inheritance streamlines access management and reduces administrative overhead, ensuring consistent permission enforcement across large content trees.”
- Deepak Khetawat, Principal Engineer Software at Palo Alto Networks and AEM Champion
Best practices for configuring groups and permissions
- Create user groups based on roles - for example, authors, marketers, creatives, agencies.
- Always assign permissions to groups, not individuals - to improve scalability and simplify auditing.
- Avoid over-engineering - a clean, allow-based structure is easier to maintain and troubleshoot.
- Use system or default groups - such as authors and dam-users, which are pre-built into AEM; as needed, define custom groups (for example, Marketing Approvers, Legal Reviewers) for role-based access.
- Grant least privileges - grant users/groups only the permissions necessary for their role - nothing more.
- Strive for an “allow-centric” model - for example, can edit, can view. Only use “Deny” when absolutely necessary to override an “Allow” from a higher level or a group membership, and ensure such “Deny” statements are as specific as possible.
- Define permissions top down in Access Control Lists (ACLs) - Always consider the order of items in the list. The first explicit ACL match in the evaluation order is applied.
“Permissions in AEM Assets should always be assigned at the group level rather than directly to individual users. This group-based approach enhances scalability, simplifies permission audits, and aligns with best practices for enterprise access management. Even if a group initially contains only one user, assigning permissions to the group ensures easier maintenance when users join, leave, or change roles - simply reassign the user to the existing group without needing to modify permissions.”
- Deepak Khetawat, Principal Engineer Software at Palo Alto Networks and AEM Champion
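The group-only, least-privilege and specific-deny practices above can be checked mechanically once the access control entries are exported. The following is an added example, not Adobe's code: the `Ace` record, the `lint_aces` function, the depth heuristic for a "broad" deny, and every group name except dam-users are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumption: group IDs known to the instance. Only dam-users comes from the article.
GROUPS = {"dam-users", "marketing-approvers", "legal-reviewers"}

@dataclass(frozen=True)
class Ace:
    path: str              # folder the entry is set on
    principal: str         # user or group ID
    allow: bool            # True = allow entry, False = deny entry
    privileges: frozenset  # JCR privilege names

def lint_aces(aces, groups=GROUPS, dam_root="/content/dam"):
    """Return (rule, ace) findings for entries that break the practices above."""
    findings = []
    for ace in aces:
        # Permissions belong on groups, never on individual users.
        if ace.principal not in groups:
            findings.append(("user-principal", ace))
        if not ace.allow:
            # Heuristic (assumption): a deny on the DAM root or a top-level
            # folder, or a deny of jcr:all, is not "as specific as possible".
            depth = len([s for s in ace.path.removeprefix(dam_root).split("/") if s])
            if depth < 2 or "jcr:all" in ace.privileges:
                findings.append(("broad-deny", ace))
        elif "jcr:all" in ace.privileges:
            # Least privilege: full control is rarely what a role needs.
            findings.append(("excess-privilege", ace))
    return findings

# Constructed sample entries, not taken from a real instance.
SAMPLE = [
    Ace("/content/dam/marketing", "marketing-approvers", True, frozenset({"jcr:read", "rep:write"})),
    Ace("/content/dam/marketing", "jdoe", True, frozenset({"jcr:read"})),
    Ace("/content/dam", "dam-users", False, frozenset({"jcr:removeNode"})),
    Ace("/content/dam/legal/contracts/2024", "dam-users", False, frozenset({"jcr:read"})),
    Ace("/content/dam/legal", "legal-reviewers", True, frozenset({"jcr:all"})),
]

if __name__ == "__main__":
    for rule, ace in lint_aces(SAMPLE):
        print(f"{rule:17} {ace.principal:20} {ace.path}")
```

The narrowly scoped deny on `/content/dam/legal/contracts/2024` passes, while the deny on the DAM root is flagged.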
Operational best practices for maintaining groups and permissions
Setting up user groups and permissions is not a one-time endeavor. As your organization changes, you will routinely change and audit your user groups and permissions. Establish a cadence for maintenance and governance.
- Audit regularly - Periodically review permissions, especially for sensitive folders to ensure compliance.
- Retain environment parity - Mirror permission structures across dev, stage, and prod to prevent surprises at deployment.
- Maintain a permission matrix - Document group roles and access levels for transparency, onboarding, and compliance, and so that the permissions can be shared as needed with stakeholders who are not AEM Assets users.
- Consider replication impact - Ensure that permission changes propagate to publish instances if asset access impacts public-facing sites.
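The permission matrix and the environment parity check can share one data model: build a group-by-folder matrix per environment and diff each against a baseline. This is an added example, not Adobe's code; the tuple export format, the function names, and all groups and folders shown are constructed for illustration.

```python
from collections import defaultdict

# Constructed exports per environment: (path, group, "allow" | "deny", privileges).
_MARKETING = ("/content/dam/marketing", "marketing-approvers", "allow", ["jcr:read", "rep:write"])
ENVS = {
    "prod": [_MARKETING,
             ("/content/dam/legal", "legal-reviewers", "allow", ["jcr:read"])],
    "stage": [_MARKETING,
              ("/content/dam/legal", "legal-reviewers", "allow", ["jcr:read"])],
    "dev": [_MARKETING,
            ("/content/dam/legal", "legal-reviewers", "allow", ["jcr:read", "rep:write"]),
            ("/content/dam/agency", "agencies", "allow", ["jcr:read"])],
}

def build_matrix(rows):
    """Map (group, path) -> frozenset of 'effect:privilege' strings."""
    matrix = defaultdict(set)
    for path, group, effect, privileges in rows:
        for privilege in privileges:
            matrix[(group, path)].add(f"{effect}:{privilege}")
    return {cell: frozenset(values) for cell, values in matrix.items()}

def parity_drift(envs, baseline="prod"):
    """Return {env: {(group, path): (baseline_entries, env_entries)}} for differing cells."""
    base = build_matrix(envs[baseline])
    drift = {}
    for name, rows in envs.items():
        if name == baseline:
            continue
        current = build_matrix(rows)
        # A cell missing on one side counts as drift, not as a match.
        diff = {cell: (sorted(base.get(cell, ())), sorted(current.get(cell, ())))
                for cell in base.keys() | current.keys()
                if base.get(cell) != current.get(cell)}
        if diff:
            drift[name] = diff
    return drift

if __name__ == "__main__":
    for env, cells in parity_drift(ENVS).items():
        for (group, path), (expected, actual) in sorted(cells.items()):
            print(f"{env}: {group} on {path}: baseline={expected} actual={actual}")
```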
Try it
Now that you are equipped with best practices for setting up user groups and permissions, try out groups and permissions in AEM.
- Create or Maintain Groups - Navigate to Assets → Tools → Security → Users & Groups. Use this interface to manage users and assign them to relevant groups based on roles.
- Set Folder-Level Permissions - Navigate to the desired DAM folder in AEM Assets, open Properties → Permissions tab.
- Leverage reports - Capture the last login activity of users. Support and run audits not only to review access rights, but also to remove users who have not logged in for some established period of time or no longer need access.
Additional Learning Resources
Watch the Adobe Experience Makers: The Skill Exchange session titled AEM Masterclass: Asset Workflows, Permissions & Integration for more insights. In addition, the resources below are helpful in establishing user groups and permissions in AEM Assets.
- Users & Permissions (AEM as a Cloud Service documentation)
- User Administration and Security (AEM 6.5 documentation)
- User, Group, and Access rights Administration (AEM 6.5 documentation)
- Generate User Reports (community post)
What's next?
This article on best practices for access controls via user groups and permissions is part of a series of articles including foundational guidance, best practices and Adobe Champion tips for getting started with Adobe Experience Manager Assets. To continue in the series, we will focus next on metadata.
To explore all articles in this AEM Assets foundational series, see: