Implement CUG in AEM

The aim of this tutorial is to learn how to implement CUG in AEM. Some time we come across the requirement for restricting set of pages behind the login or only for registered users on publish instance, to cater this requirement AEM provides closed user group CUG. Using CUG you can restrict specific pages or child pages of parent page on publish instance.

Once you implement CUG on any page you would need to login first to access it, if you are a registered user and part of cug then you can see respective landing page else for anonymous or non cug user you would be redirected back to login page.In this tutorial I am going to use Touch UI console as from aem 6.3 Adobe has announced that they are going to deprecate classic ui going forward.

Create  Closed User Group (CUG) in aem:-

To create closed user group follow below steps:-

  • Navigate to Security console. (Click on AEM rail ->Tools-> Security)
  • Click on Groups and create a new group for CUG users like cug_access.
  • Assign users to this group, whom you want to provide restricted access.
  • Activate any users that you have assigned to your CUG. (For first time, all members of cug_access).
  • Activate the closed user group cug_access so that it is available in the publish environment. (See Activate button on Top left corner)
  • Click Save.

You have successfully created closed user group. now let’s see how to Configure CUG on specific pages.

Configure Closed User Group ( CUG ) on pages:-

You can use out of the box login component that we retail is using (http://localhost:4502/editor.html/content/we-retail/login.html) 

I have used we retail site for this tutorial. Create pages as per below site structure. Login page is created using login component that we have created in previous tutorial. For using 6.2 login component in aem 6.3 change the proxy setting of content page template and add our custom login component to allowed component.


For configuring CUG on a page follow below steps:-

  • Navigate to the root page which you want to restrict (and any child pages)  and assign CUG.(In our example Home Page)
  • Select the root page and open the Page Properties.
  • Go to the Advanced tab.
    • Select Enable checkbox.
      Note:- Select checkbox to define that this page (and any child pages) belong to a CUG. This is a mandatory field to enable CUG, if this is not checked all other field will not have any effect.
    • From path browser select the login page. For Example- /content/we-retail/login.html
      • If you are using oob login component enter (/content/we-retail/us/en/community/signin.html) as login path.
        Note:- Login Page where you want anonymous user to redirect to after they access page. Login Page should have logic to authenticate user. If this is not specified then standard login page is used. Standard login page is configured under felix console with configuration called “Adobe Granite Login Selector Authentication Handler”. This is optional, if you want to use standard login handler.
  • Go to Permissions Tab.
  • Click on Edit Closed User Group and enter cug group name (For Example- CUG Access) and click on Add.
  • You can also assign extra permission to specific user or your cug group by clicking on add permissions (For Example- CUG Access) and click on Add.
  •  Click on Save & Close button from Top Right corner to save the changes.

That’s it you have successfully configured closed user group (CUG) on the page.

If you are using dispatcher between your author and publish instance the n you need to configure below settings also.

Configure Closed User Group ( CUG ) on Dispatcher:-

If you are using a dispatcher, then you have to update your dispatcher farm file with below properties:-

  • \virtualhosts: Entire the path of the pages on which you want to apply CUG.
    Note:- Remember to create two farm for same site. One is for secure (logged in state) and another for normal state in separate farm files. If you want to cache both type of pages.
    For Example:- 

    # List of URLs for this Web site
  • \cache: A cache directory that is dedicated to the files that the CUG applies to.
    For Example:-
  • /cache
    <strong> /docroot "/opt/dispatcher/cache"</strong>
    /statfile "/tmp/dispatcher-website.stat"
    <strong> /allowAuthorized "0"</strong>
    # List of files that are cached
    # List of files that are auto-invalidated


    • Set allowAuthorized to 0 under cache section as shown above.
    • Define a directory for session management:-
      <strong>/directory "/usr/local/apache/.sessions"</strong>
      /encode "md5"
      /header "HTTP:authorization"
      /timeout "800"

Click here For more details about Dispatcher configuration in aem.

Congratulations your dispatcher is set now to handle CUG pages.

Test Closed User Group(CUG) on publish instance:-

Closed User Group(CUG) works only on publish instance. Follow below steps to test Closed user group on publish instances:-

  • Make sure your replication agents are properly configured (http://localhost:4502/etc/replication/
  • Activate/Publish All pages and sub-pages that you have created from http://localhost:4502/sites.html/content.
  • Go to Group Admin (http://localhost:4502/libs/granite/security/content/groupadmin.html) and activate your group. For Example:- cug-access in our case.
  • If you don’t find option to activate users form touch ui, go to user admin in classic ui (http://localhost:4502/useradmin.html) and activate all the users that you have created.
  • Make sure your replication agents are properly configured.

Note:- If it is not working as expected check for permission on publish instance of user that has been replicated/activated.


Spread the love

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.