Keeping control over who has access to what in your AEM environment is crucial for security and efficient content management. Managing Access Control Lists (ACLs) manually can be tedious, error-prone, and time-consuming. Fortunately, several tools can help you streamline and simplify ACL management, both for setting up new permissions and for migrating existing ones.
Let's start with a summarized view of the available tools.
| Aspect | AEM 6.5 | AEM as a Cloud Service |
|---|---|---|
| Permission set-up | • Netcentric ACL Tool • Repo-init | • Netcentric ACL Tool • Repo-init |
| Troubleshooting ACLs | • Useradmin • Access Control Editor • CRXDE | • Permissions UI |
| Reordering ACL | • Access Control Editor | • Not available |
| ACL Migration between AEM environments | • ACL Package manager | • ACL Package manager (mutable areas) • Repo-init scripts • Netcentric ACL tool (if it's already being used) |
| ACL Migration from On-premise to Cloud | • Content Transfer Tool (CTT) • Netcentric ACL tool (if it's already being used) |
Links to various tools compared on the blog:
- Netcentric ACL Tool
  - Blog on deploying ACL tool: Deploying ACLs with Netcentric accesscontroltool in AEM
- AEM Permissions UI
  - Global Navigation > Tools > Security > Permissions
  - Details: https://experienceleague.adobe.com/docs/experience-manager-65/content/security/touch-ui-principal-view.html?lang=en
- Repo-init scripts
- CRXDE Access Control Tab
- Access Control Editor
  - CRX Explorer > <Select_a_node_you_want_to_debug> > Security > Access Control Editor

Tools that I prefer using:
| Aspect | AEM 6.5 | AEM as a Cloud Service | AEM SDK |
|---|---|---|---|
| Permission set-up (Mutable Areas) | Netcentric ACL Tool | Netcentric ACL Tool | Netcentric ACL Tool |
| Permission set-up (Immutable Areas) | Netcentric ACL Tool | Repo-init | Repo-init |
| Troubleshooting ACLs | Useradmin + Access Control Editor | Permissions UI | Useradmin + Access Control Editor |
| Granular permission set-up | – Permissions UI for exploring – Access Control Editor for ACL reordering* – Netcentric ACL Tool for permission set-up *Avoid reordering by using “Allow-based” set-up | – Permissions UI for exploring – Netcentric ACL Tool for permission set-up | – Permissions UI for exploring – Access Control Editor for ACL reordering* – Netcentric ACL Tool for permission set-up *Avoid reordering by using “Allow-based” set-up |
| ACL Migration | – ACL Package manager – Netcentric ACL tool, if already in use | – Content Transfer Tool (CTT) – Netcentric ACL tool, if already in use |
Detailed comparison between various tools:
| Aspect | NetCentric ACL Tool | Repo-init Scripts | ACS Commons Package Manager | Content Transfer Tool |
|---|---|---|---|---|
| Permission Setup (Mutable Area) | ✅ Configs via YAML files can be used for setting up permissions in mutable areas. Best suited for large ACL set-ups, like MSM | ✅ Permissions can be set via scripts | ❌ Cannot be used for permission set-up. | ❌ Cannot be used for permission set-up. |
| Permission Setup (Immutable Area) | ✅ Configs via YAML files can be used for setting up permissions in immutable areas. Best suited for large ACL set-ups, like MSM | ✅ Permissions can be set via scripts | ❌ Cannot be used for permission set-up. | ❌ Cannot be used for permission set-up. |
| Granular Permission Setup | ✅ Configs via YAML files can be used to set up granular permissions via glob. | ✅ Offers options for fine-grained permission management via glob. | ✅ Supports granular permission setup via packages | ✅ Granular permissions can be migrated from On-premise to Cloud. |
| ACL Ordering | ✅ Order of ACEs is ensured | ❌ ACLs can’t be reordered after set-up | 🔶 ACLs are migrated, but can’t be reordered | 🔶 ACLs are migrated, but can’t be reordered |
| Available OOTB | 🔶 Additional package | ✅ OOTB | 🔶 Additional package | ✅ OOTB |
| Old Entries Can be Deleted | ✅ Provides functionality for deleting old entries, ensuring efficient maintenance of ACL configurations. | ❌ Not meant for deleting ACLs | ❌ Not meant for deleting ACLs | |
| Best suited for | Permission Set-up | Permission Set-up | ACL Migration between AEM instances. On AEMaaCS, only mutable area might be supported | ACL Migration from on-premise to Cloud |
Detailed comparison between various UI:
| Aspect | AEM Permissions UI | AEM CRXDE (Access Control Tab) | Useradmin | Access Control Editor |
|---|---|---|---|---|
| Permission Setup (Mutable Area) | ✅ Offers a user-friendly interface for managing permissions. | 🔶 Offers technical interface for managing permissions on 6.5 and AEM SDK ❌ Not available on Cloud | 🔶 Enables setting permissions in mutable areas on 6.5 and AEM SDK. ❌ Not available on Cloud | 🔶 Offers technical interface for managing permissions on 6.5 and AEM SDK ❌ Not available on Cloud |
| Permission Setup (Immutable Area) | 🔶 Offers a user-friendly interface for managing permissions. ❌ Cannot be used on cloud to set permissions in immutable areas | 🔶 Offers technical interface for managing permissions on 6.5 and AEM SDK ❌ Not available on Cloud | 🔶 Enables setting permissions in immutable areas on 6.5 and AEM SDK. ❌ Not available on Cloud | 🔶 Offers technical interface for managing permissions on 6.5 and AEM SDK ❌ Not available on Cloud |
| Granular Permission Setup | ✅ Offers options for fine-grained permission management via glob. | ✅ Offers options for fine-grained permission management via glob. | ❌ Granular permissions cannot be applied | ✅ Offers options for fine-grained permission management via glob. |
| ACL Ordering | ❌ ACLs can’t be reordered | ❌ ACLs can’t be reordered | ❌ ACLs can’t be reordered | ✅ ACLs can be reordered. |
| Troubleshooting | 🔶 UI not intuitive enough to understand effective & ineffective ACLs | 🔶 UI not intuitive enough to understand effective & ineffective ACLs | ✅ Provides options for troubleshooting ACL issues via effective & ineffective ACLs | ✅ Can be used along with Useradmin to reorder ACLs and validate effective ACLs |
| Resource/Principal View | 🔶 Principal-centric view limits visibility of effective permissions on resource | 🔶 Principal-centric view limits visibility of effective permissions on resource | ✅ Resource-centric view. Best available UI to understand effective vs. ineffective permissions | 🔶 Resource-centric view with all ACLs. Doesn’t display effective ACLs directly. |
| Available OOTB | ✅ OOTB | 🔶 Available only on 6.5 & AEM SDK | 🔶 Available only on 6.5 & AEM SDK | 🔶 Available only on 6.5 & AEM SDK |
| Old Entries Can be Deleted | 🔶 For Cloud, entries can only be deleted from mutable areas. | 🔶 Old entries can be deleted on 6.5 and AEM SDK ❌ Not available on Cloud | 🔶 Old entries can be removed on 6.5 and AEM SDK ❌ Not available on Cloud | 🔶 Old entries can be deleted on 6.5 and AEM SDK ❌ Not available on Cloud |
| Best suited for | Urgent permission Set-up via admins. | Urgent permission Set-up via admins. | Troubleshooting | Troubleshooting & ACL reordering |
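
The "ACL Ordering" rows and the "Avoid reordering by using Allow-based set-up" note above come down to whether the effective result depends on ACE order. The following is an added example, not code from this blog or from any of the tools compared: a simplified Python model of a single node's ACL in which entries are scanned bottom-up and the first match per privilege decides. The group names and sample entries are constructed, and the model ignores node hierarchy, restrictions and user-versus-group precedence.

```python
from itertools import permutations

# Simplified model of one node's ACL (an assumption, not Oak's implementation):
# entries are scanned bottom-up and, per privilege, the first matching
# entry for any of the user's groups decides. No match means not granted.

def effective(acl, groups, privileges):
    """Return the set of privileges granted to a member of `groups`."""
    granted = set()
    for priv in privileges:
        for principal, allow, privs in reversed(acl):
            if principal in groups and priv in privs:
                if allow:
                    granted.add(priv)
                break  # first match from the bottom wins
    return granted

def order_sensitive(acl, groups, privileges):
    """True if some reordering of the ACEs changes the effective result."""
    results = {frozenset(effective(list(p), groups, privileges))
               for p in permutations(acl)}
    return len(results) > 1

PRIVS = ("jcr:read", "rep:write", "crx:replicate")
USER_GROUPS = {"site-authors", "site-publishers"}  # constructed sample user

# Constructed sample: deny-based set-up. The publisher allow only works
# if it sits below the author deny, so someone has to maintain the order.
DENY_BASED = [
    ("site-authors", True, {"jcr:read", "rep:write"}),
    ("site-authors", False, {"crx:replicate"}),
    ("site-publishers", True, {"crx:replicate"}),
]

# Constructed sample: allow-based set-up. Each group is granted only what
# it needs; nothing is denied, so no entry can shadow another.
ALLOW_BASED = [
    ("site-authors", True, {"jcr:read", "rep:write"}),
    ("site-publishers", True, {"jcr:read", "crx:replicate"}),
]

if __name__ == "__main__":
    for name, acl in (("deny-based", DENY_BASED), ("allow-based", ALLOW_BASED)):
        print(name, sorted(effective(acl, USER_GROUPS, PRIVS)),
              "order-sensitive:", order_sensitive(acl, USER_GROUPS, PRIVS))
```

In the deny-based sample, moving the deny entry to the bottom silently removes `crx:replicate` from the user, which is the kind of problem that otherwise needs the Access Control Editor to fix.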
Additional Resources
For tips on how to effectively manage ACLs, visit AEM User Permissions: Tips for Effortless Control