Ensure Authorizable (FKA Ensure Service User)
Available since version 3.8.0
Since AEM 6.2, service users are used to access the JCR instead of the administrative resource resolver. Each service user needs ACLs that grant only enough access for it to perform its function.
Because of this, projects often require the definition of many service users and ACLs, which traditionally are managed manually in a discrete permissions package. The management of the service users can be confusing and error-prone.
Ensure Service User facilitates defining service users and their ACLs in OSGi configurations, and will intelligently ensure they exist on the target AEM instances.
Ensure Group builds on top of Ensure Service User to allow easily creating and maintaining group hierarchies across many AEM environments.
Create an OSGi configuration for each service user or group with the corresponding PID and unique identifier, e.g.:
For Ensure Group, the PID is com.adobe.acs.commons.users.impl.EnsureGroup, with the only additional property being member-of.
OSGi Config Properties
Ensure Service User
- The service user or group name
- Can be just the principal name, a relative path, or the absolute path where the user should be stored in the JCR. Remember, service users may ONLY exist under
- Note: If a system user exists with the same principal name at a DIFFERENT location, this tool assumes that service user is correct and will not attempt to move it to the location specified in this configuration.
Note: If a principal name is specified for an AEM or ACS AEM Commons provided system user, the ensure user process will fail. This list may not always be exhaustive and up to date, and is meant to help protect against collisions.
add: ensures the existence of the service user and ACLs
remove: ensures that the service user and any ACLs are removed
- Defaults to
- When set to true, the ensurance is performed whenever this bundle is loaded.
- Defaults to true
- Array of ACE definitions to ensure for the principal
type: allow OR deny
privileges: comma delimited list of valid JCR privileges
path: absolute content path to which the ACE will be applied
rep:prefixes=<comma-delimited list of prefixes>
- List of namespace prefixes
rep:ntNames=<comma-delimited list of ntNames>
rep:itemNames=<comma-delimited list of itemNames>
- List of namespace prefixes
For more information on
- Applies only to Ensure Group
- An Array of groups that the group must belong to
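
A least-privilege lint for the ACE definitions described above, as an added example that is not ACS AEM Commons code. It assumes each definition is serialized as semicolon-separated key=value pairs; that serialization, the function names, the sample strings and the jcr:all / root-path review policy are all assumptions of this example.

```python
# Added example: review ACE definitions before they go into a config.
# Assumption: one definition = ';'-separated key=value pairs.
VALID_TYPES = {"allow", "deny"}
CORE_KEYS = ("type", "privileges", "path")
BROAD_PRIVILEGES = {"jcr:all"}  # review policy chosen for this example


def parse_ace(definition):
    """Split one ACE definition into a dict; ValueError on a bad segment."""
    ace = {}
    for segment in definition.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        key, sep, value = segment.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed segment: {segment!r}")
        ace[key.strip()] = value.strip()
    return ace


def lint_ace(definition):
    """Return the findings for one ACE definition (empty list = clean)."""
    try:
        ace = parse_ace(definition)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    ace_type = ace.get("type", "")
    if ace_type not in VALID_TYPES:
        findings.append("type must be allow or deny")
    privileges = [p.strip() for p in ace.get("privileges", "").split(",") if p.strip()]
    if not privileges:
        findings.append("privileges is empty")
    path = ace.get("path", "")
    if not path.startswith("/"):
        findings.append("path must be absolute")
    # Anything beyond the three core keys is treated as a rep:* restriction.
    restrictions = {k: v for k, v in ace.items() if k not in CORE_KEYS}
    for key, value in restrictions.items():
        if not key.startswith("rep:"):
            findings.append(f"unexpected key {key}")
        elif not value:
            findings.append(f"restriction {key} has no value")
    if ace_type == "allow":
        if BROAD_PRIVILEGES & set(privileges):
            findings.append("allow grants jcr:all")
        if path == "/" and not restrictions:
            findings.append("allow applies at repository root without restrictions")
    return findings
```

Running `lint_ace` over every ACE string in a configuration during code review or in CI surfaces over-broad grants before the service user is ensured on an instance.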
A JMX MBean is also provided that allows for the ensurance of Service Users and Groups.
This can be invoked on a per-authorizable basis or on all service users and groups.
When invoking on a per-authorizable basis, ONLY the principal name is to be provided; for example, if principalName = my-company/my-servicer-user the parameter to the JMX MBean method would be
This is most commonly leveraged when ensure-immediately is set to false, and the service user or group is ensured manually at a specific point in time.