Key to successful implementation of a decentralized publishing model.
Many of our corporate clients use a decentralized publishing model that empowers their employees to update and publish content in their Content Management System (CMS) on the parts of their website that are relevant to them. This model is at the heart of AEM and gives everyone in a company a sense of responsibility and ownership over their own departments.
With a decentralized model, it’s important to set the permissions correctly. You want to ensure that your users are only able to update or modify the parts of the site that they own. You don’t want or need to give the HR team access to the homepage if all they need to do is update the careers section. Likewise, you don’t need to give developers access to the careers section if they are in charge of API status.
Editing permissions are based on whether someone is an admin, an author, an editor, or a publisher. Permissions can also be set based on your privacy requirements. You can even determine which specific pages can or can’t be seen, who accessed them, and whether they made any changes to them.
With a decentralized authoring model, permissions are the key to a successful implementation. In AEM, you have the power to define permissions on any path within the repository. Permissions are evaluated from closest to furthest in a bottom-to-top order.

AEM traverses the hierarchy backwards to find the first applicable permission. In this example, the order would be:
- /content/digital-on-six/en-ca/blogs/aem-authoring-permissions
- /content/digital-on-six/en-ca/blogs
- /content/digital-on-six/en-ca
- /content/digital-on-six
- /content
- /
So if AEM were trying to determine whether a user had “write access”, it would traverse in that order to evaluate permissions. It would then use the first valid permission. For example, I may not have permission to modify:
/content/digital-on-six/en-ca
But if I set the write permissions on:
/content/digital-on-six/en-ca/blogs
Then I would have full access to add, edit, or remove any blog post.
Permissions Order
Within each node, the permissions are evaluated from the bottom up to find the first matching entry. As someone who contributes to the blog, I might have 3 entries on this blogs node:
/content/digital-on-six/en-ca/blogs:
- DENY Write *
- ALLOW Write jcr:content
- ALLOW Write aem-authoring-permissions
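
The two-level lookup described above (walk up the path, then read each node's entries from the bottom up), as an added Python sketch that is not AEM or Jackrabbit Oak code. The `ACL` table, the `walk_up` and `decide` helpers, the deny entry on en-ca, the reading of the third column as a glob on the child name, and the default deny are assumptions of this example.

```python
from fnmatch import fnmatchcase

SITE = "/content/digital-on-six/en-ca"

# Constructed ACL table modelled on the article's example. Each node holds an
# ordered list of (effect, privilege, pattern) entries. Assumption: the third
# column is a glob matched against the child name below that node.
ACL = {
    SITE: [("DENY", "write", "*")],  # assumed entry for the "no access" case
    SITE + "/blogs": [
        ("DENY", "write", "*"),
        ("ALLOW", "write", "jcr:content"),
        ("ALLOW", "write", "aem-authoring-permissions"),
    ],
}


def walk_up(path):
    """Yield (node, child) from the target up to "/".

    child is the first segment below node on the way to the target,
    or "" when node is the target itself.
    """
    parts = [p for p in path.split("/") if p]
    for depth in range(len(parts), -1, -1):
        child = parts[depth] if depth < len(parts) else ""
        yield "/" + "/".join(parts[:depth]), child


def decide(path, privilege, acl=ACL):
    """Return (effect, node, entry) for the first applicable entry."""
    for node, child in walk_up(path):
        # Within a node, read the entries bottom-up: the last match wins.
        for entry in reversed(acl.get(node, [])):
            effect, priv, pattern = entry
            if priv == privilege and fnmatchcase(child, pattern):
                return effect, node, entry
    return "DENY", None, None  # assumption: nothing matched means no access


if __name__ == "__main__":
    for leaf in ("/blogs/aem-authoring-permissions", "/blogs/draft-post", "/about"):
        effect, node, entry = decide(SITE + leaf, "write")
        print(f"{effect:5} {SITE + leaf}  (decided at {node} by {entry})")
```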
