Skip to content
Switch branches/tags

Maven Central License Build Status SonarCloud Status SonarCloud Coverage

Access Control Tool for Adobe Experience Manager

The Access Control Tool for Adobe Experience Manager (AC Tool) simplifies the specification and deployment of complex Access Control Lists in AEM. Instead of existing solutions that build e.g. a content package with actual ACL nodes you can write simple configuration files and deploy them with your content packages. See Comparison to other approches for a comprehensive overview.


  • easy-to-read Yaml configuration file format
  • run mode support
  • automatic installation with install hook
  • cleans obsolete ACL entries when configuration is changed
  • ACLs can be exported
  • stores history of changes
  • ensured order of ACLs
  • built-in expression language to reduce rule duplication

See also our talk at AdaptTo 2016


The AC Tool requires Java 8 and AEM 6.4 or above (use v2.x for older AEM versions which runs on Java 7 and AEM 6.1 SP1 or above) for on-premise installations. Since v2.5.0 AEM as a Cloud Service is supported, see Startup Hook for details.

It is also possible to run the AC Tool on Apache Sling 11 or above (ensure system user actool-service has jcr:all permissions on root). When using the AC Tool with Sling, actions in ACE definitions and encrypted passwords cannot be used. To use the externalId attribute, ensure bundle oak-auth-external installed (not part of default Sling distribution).


The content package is available from the Maven Central repository with the coordinates


(for AEM Classic/On Premise) or


(for AEM as a Cloud Service)

Install it afterwards e.g. via AEM's package manager.

Oak Index for rep:ACL

To retrieve all ACLs in the system, an Apache Oak index for node type rep:ACL is

  • required for versions < 2.4.0 (otherwise the performance degrades significantly)
  • beneficial for large installations for versions >= 2.4.0 (see #386, most installations will be fine without index)

You can get the content package containing the index definition via Maven Central with the coordinates


(for AEM Classic/On Premise) or


(for AEM as a Cloud Service)

Install it afterwards e.g. via AEM's package manager.

Migration to AC Tool

You can easily migrate to AC Tool following four simple steps.

Configuration of ACL entries

You need to setup Yaml configuration files to specify your users, groups and ACL entries. See also the best practices for hints on structuring.

There are also some advanced configuration options supported such as loops, conditional statements and permissions for anonymous.

Applying the ACL entries

There are multiple options to apply the ACL entries (e.g. install hook, JMX and upload listener) to your target system.

JMX interface

The JMX interface provides utility functions such as installing and dumping ACLs or showing the history.

History service

A history object collects messages, warnings, and also an exception in case something goes wrong. This history gets saved in CRX under /var/statistics/achistory. The number of histories to be saved can be configured in the history service.


If you have any questions which are still answered after reading the documentation feel free to raise them in the discussion forum.


Contributions are highly welcome in the form of issue reports, pull request or providing help in our discussion forum.

Building the packages from source

If needed you can build the AC Tool yourself.


The AC Tool is licensed under the Eclipse Public License - v 1.0.