Configure CQ Permission

User Administration And Security

Configure CQ Permission

In this section we will cover how to configure CQ User / Group permission and Privileges.

In CQ a user or Group can have different permission (Allow Or Deny) to perform different Actions (Read, Write, Create, Modify, Read or Write ACL). In addition to this user or group can have privilege to perform action like replication or impersonation.

CQ Uses ACL evaluation to decide whether user should have access to particular resource.

There are some best practice needs to followed for assigning user / Group and permission (Source)

Best Practice:

Also you should know what different action and symbol mean in assigning permissions (Source)


Allow (Check mark)

Deny (No checkmark)


AEM WCM allows the user to perform the action on this page or on any child pages.

AEM WCM does not allow the user to perform the action on this page nor on any child pages.

* (asterisk)

! (exclamation mark)

There is at least one local entry (either effective or ineffective). These wildcard ACLs are defined in CRX.

There is at least one entry that currently has no effect.

Assign permission:

  • To Assign Permission double click on users / Group (Group recommended)
  • Click on Permission Tab
  • Navigate to path you want group / user to have access
  • Select permission and click on save
CQ Assign Initial Permission
  • Note that in order to have access to child resource group should have access to parent resource first
CQ Permission after save
  • You have to explicitly deny permission for resources you don't want user / group to access
CQ Permission After Deny

Assign Replication Privilege:

Replication is a process of making authored content available to publish instance. We will cover how to configure replication in next Lesson.

Some time you want to restrict Author for creating content but restrict them to make those content live on publish. You can do this by assigning replication privileges to users or groups.

  • Go to User console
  • Double Click on User or group
  • Click on Replication privilege for path.
  • Note that in order a user to have replication privilege they should have read and write access to /etc/replication, /bin, /tmp, /var/eventing and read access to /apps and /libs

User Impersonation:

Last topic we will cover in User permission is user impersonation. Some time you want to impersonate as different user to see how site look like to them. For this you can use impersonation feature provided by CQ. If User-A is impersonating as User-B that mean User-A is acting on "Behalf Of" User-B by getting all it's access rights.

When User-A is accessing resource by Impersonating User-B, In access log you will see entry as User-B and Not as User-A.

To assign impersonation privilege you can do following,

  • Go to User Console
  • Double click on user
  • Go to Impersonators tab
  • Drag and Drop Users that can impersonate selected user
Assign CQ Impersonation
  • Once CQ Impersonation is assigned. Impersonated user can act "On Behalf" of actual user.
After CQ Impersonation is Assigned