Skip to content


Repository files navigation

Maven Central License Build Status SonarCloud Status SonarCloud Coverage

Access Control Tool for Adobe Experience Manager

The Access Control Tool for Adobe Experience Manager (AC Tool) simplifies the specification and deployment of complex Access Control Lists in AEM as well as users and groups. Instead of existing solutions that build e.g. a content package with actual ACL nodes you can write simple configuration files and deploy them with your content packages. See comparison to other approaches for a comprehensive overview.


  • easy-to-read Yaml configuration file format
  • run mode support
  • automatic installation with install hook
  • cleans obsolete ACL entries when configuration is changed
  • ACLs can be exported
  • management of user's key stores and the global trust store
  • stores history of changes
  • ensured order of ACLs
  • built-in expression language to reduce rule duplication

See also our talk at adaptTo() 2016


The AC Tool requires Java 8 and AEM 6.4 or above (use v2.x for older AEM versions which runs on Java 7 and AEM 6.1 SP1 or above) for on-premise installations. Since v2.5.0 AEM as a Cloud Service is supported, see Startup Hook for details.

It is also possible to run the AC Tool on Apache Sling 11 or above (ensure system user actool-service has jcr:all permissions on root). When using the AC Tool with Sling, actions in ACE definitions and encrypted passwords cannot be used. To use the externalId attribute, ensure bundle oak-auth-external installed (not part of default Sling distribution).


The content package is available from the Maven Central repository

For quick ad hoc testing and getting to know the AC Tool, the easiest is to

  • Install the latest version via AEM's package manager
  • Create a sample YAML file in CRXDE (e.g. /apps/actool-test/test.yaml)
  • Apply this config using the UI (see User Interface below)

For properly integrating the AC Tool in your own deployment package see Installation.

Configuration of the AC Tool

You need to setup Yaml configuration files to specify your users, groups and ACL entries. See also the best practices for hints on structuring.

There are also some advanced configuration options supported such as loops, conditional statements and permissions for anonymous.

User Interface

There is a Felix Web Console plugin (at /system/console/actool) as well as a Touch UI console (at /mnt/overlay/netcentric/actool/content/overview.html) to apply configurations and to inspect previous executions of the tool. Additionally there is a JMX interface for some advanced use cases.

Applying AC Tool Configurations

Best practice is to apply AC Tool Configurations using the install hook (or startup hook for Cloud Service) during your project's software package installation. See applying the ACL entries for a full list of options.

Migration to AC Tool

You can easily migrate to AC Tool following four simple steps.


If you have any questions which are still answered after reading the documentation feel free to raise them in the discussion forum.


Contributions are highly welcome in the form of issue reports, pull request or providing help in our discussion forum.

Building the packages from source

If needed you can build the AC Tool yourself.


The AC Tool is licensed under the Eclipse Public License - v 1.0.