Closed User Group (CUG) with AEM Assets:
- Designed to restrict access to assets on an AEM Publish instance.
- Grants read access to a set of users/groups.
- CUG can only be configured at a folder level. CUG cannot be set on individual assets.
- CUG policies are automatically inherited by any sub-folders and applied assets.
- CUG policies can be overridden by sub-folders by setting a new CUG policy. This should be used sparingly and is not considered a best practice.
A mixin of rep:CugMixin is applied to /content/dam/we-retail/en/beta-products folder. A node of rep:cugPolicy is added beneath the folder and we-retail-members is specified as a principal. Another mixin of granite:AuthenticationRequired is applied to the beta-products folder and the property granite:loginPath specifies the Login Page to be used if a user is not authenticated and attempts to request an asset beneath the beta-products folder.
JCR description below:
/beta-products - jcr:primaryType = sling:Folder - jcr:mixinTypes = rep:CugMixin, granite:AuthenticationRequired - granite:loginPath = /content/we-retail/us/en/community/signin + rep:cugPolicy - jcr:primaryType = rep:CugPolicy - rep:principalNames = we-retail-members
Both Closed User Groups (CUG) and Access Control Lists (ACL) are used to control access to content in AEM and based on AEM Security users and groups. However the application and implementation of these features is very different. The following table summarizes the distinctions between the two features.
|Intended Use||Configure and apply permissions for content on the current AEM instance.||Configure CUG policies for content on AEM author instance. Apply CUG policies for content on AEM publish instance(s).|
|Permission Levels||Defines granted/denied permissions for users/groups for all levels: Read, Modify, Create, Delete, Read ACL, Edit ACL, Replicate.||Grants read access to a set of users/groups. Denies read access to all other users/groups.|
|Replication||ACLs are not replicated with content.||CUG policies are replicated with content.|