Build Status Maven Central License

Access Control Tool for Adobe Experience Manager

The Access Control Tool for Adobe Experience Manager (AC Tool) simplifies the specification and deployment of complex Access Control Lists in AEM. Instead of existing solutions that build e.g. a content package with actual ACL nodes you can write simple configuration files and deploy them with your content packages. See Comparison to other approches for a comprehensive overview.


  • easy-to-read Yaml configuration file format
  • run mode support
  • automatic installation with install hook
  • cleans obsolete ACL entries when configuration is changed
  • ACLs can be exported
  • stores history of changes
  • ensured order of ACLs
  • built-in expression language to reduce rule duplication

See also our talk at AdaptTo 2016


The AC Tool requires Java 7 and AEM 6.1 (SP1) or above (use v1.x for older versions) for on-premise installations. Since v2.5.0 AEM as a Cloud Service is supported, see Startup Hook for details.

It is also possible to run the AC Tool on Apache Sling 11 or above (ensure system user actool-service has jcr:all permissions on root). When using the AC Tool with Sling, actions in ACE definitions and encrypted passwords cannot be used. To use the externalId attribute, ensure bundle oak-auth-external installed (not part of default Sling distribution).


The package is available from the Maven Central repository. Install it e.g. via CRX package manager.


Oak Index for rep:ACL

To retrieve all ACLs in the system, an oak index for node type rep:ACL is

  • required for versions < 2.4.0 (otherwise the performance degrades significantly)
  • beneficial for large installations for versions >= 2.4.0 (see #386, most installations will be fine without index)

You can get the ZIP file via Maven. Install it e.g. via CRX package manager.


Migration to AC Tool

You can easily migrate to AC Tool following four simple steps.

Configuration of ACL entries

You need to setup Yaml configuration files to specify your users, groups and ACL entries. See also the best practices for hints on structuring.

There are also some advanced configuration options supported such as loops, conditional statements and permissions for anonymous.

Applying the ACL entries

There are multiple options to apply the ACL entries (e.g. install hook, JMX and upload listener) to your target system.

JMX interface

The JMX interface provides utility functions such as installing and dumping ACLs or showing the history.

History service

A history object collects messages, warnings, and also an exception in case something goes wrong. This history gets saved in CRX under /var/statistics/achistory. The number of histories to be saved can be configured in the history service.

Building the packages from source

If needed you can build the AC Tool yourself.


The AC Tool is licensed under the Eclipse Public License - v 1.0.


Rights and roles management for AEM made easy

Accesscontroltool Info

⭐ Stars 104
🔗 Source Code
🕒 Last Update 9 months ago
🕒 Created 7 years ago
🐞 Open Issues 42
➗ Star-Issue Ratio 2
😎 Author Netcentric