Managing AEM Author Access

Access to sites in AEM Author will be controlled via SFU Groups starting on December 11, 2024. Site owners are required to populate their groups by December 10, 2024 to ensure no access disruption.

Each AEM site has two default groups: admins and authors. Members of the admins group are responsible for managing all access groups for their site.

Please see the sections below for further information.

Site Groups

Group types & functions

There are three main types of groups:

  1. admins, e.g.,resource:app:AEM:sites:<site-path>:admins 
  2. authors, e.g., resource:app:AEM:sites:<site-path>:authors 
  3. readonly, e.g., resource:app:AEM:sites:<site-path>:readonly

The three groups serve different purposes and function by enabling specific user permissions.

When a new AEM site is provisioned, an admins and authors groups are created and associated with it. However readonly groups are only created on demand. If you need a readonly group, contact CMS help.

For example a website www.sfu.ca/example-site would have the following two default groups:

  1. resource:app:AEM:sites:example-site:admins 
  2. resource:app:AEM:sites:example-site:authors 

Admins group

The members of the admins group are the designated site admins who have editing permissions to all groups, including its own, allowing them to add new or delete users. These members are also added automatically to the authors group.

Authors group

The authors group provides access to the AEM authoring environment (author.sfu.ca), allowing users to create, edit, delete, and publish pages/tags/assets. By default, authors can also approve activation requests (see content approval).

Separate access can be applied for an area of your site (e.g., a sub-site), upon request. A separate group will be created for this purpose. Admins can contact CMS help for assistance. Do not attempt to create your own group for access control.

Readonly group

The readonly group provides view only access to a AEM site, allowing users to view a site, but with no authoring capabilities. An example of using the readonly maillist would be to allow non-authors to preview a AEM site before its launch (e.g., a Chair/Dean or a department). If you require a readonly maillist, contact CMS help and request one.

Site admins as group owners

Members of the admins group are considered to be site admins and are responsible for managing all groups associated with their site.

Members of the admins group can:

  • add members
  • remove members

During site creation, one site admin is added to the admins and authors group. The admin is responsible for populating the membership of their site's groups to provide the appropriate user permissions and access.

Groups can be accessed and managed in groups.sfu.ca.

Access to AEM Author

Only members of groups will be able to access pages in AEM. One site admin is automatically added as a member of the admins and authors group, but will need to add users to the relevant group to provide site access. Members can be added temporarily to groups and removed, i.e. short-term projects, contracts.

Providing access

To add new users to an AEM site:

  1. Go to groups.sfu.ca.
  2. Navigate to Manage Your Groups > Security Groups.
  3. Find the relevant group associated with your site. The group naming uses the following pattern:
    resource:app:AEM:sites:<site-path>:admins 
    resource:app:AEM:sites:<site-path>:authors 
    resource:app:AEM:sites:<site-path>:readonly
  4. Click the group name.
  5. Click "Add members" button.
    We recommend that you add reference groups as members (eg. ref:dept:its:dto:my-site-group), rather than individuals.
    Please reach out to Grouper Admins in your unit (typically local IT support) for a reference group.
  6. In the "New members" field, enter the group name, then click "Submit".

Newly added group members will be able to access the AEM site within 30 minutes of being added.

Removing access

To remove access from a AEM site:

  1. Go to groups.sfu.ca.
  2. Navigate to Manage Your Groups > Security Groups.
  3. Find the relevant group associated with your site. The group naming uses the following pattern:
    resource:app:AEM:sites:<site-path>:admins 
    resource:app:AEM:sites:<site-path>:authors 
    resource:app:AEM:sites:<site-path>:readonly
  4. Click the group name.
  5. Click on the trash can icon to the right of the member's name to remove.

Group Management

CMS email updates

Members of all admins groups will receive email system updates from cms_info@sfu.ca.

Designating site admins

We recommend that each admins group has at least two members to help administer the site content and access.