Service User FeatureImage

Access to ResourceResolver in OSGi Services : AEM 6.1


We all know that from AEM 6.0, usage of Admin Session to access the ResourceResolver is deprecated which means we cannot use session = repository.loginAdministrative(null);  anymore !

Instead, AEM comes with the concept of Service based authentication to get the access to ResourceResolver.

Let us see how to create the Service Users and Use the same to get the access to ResourceResolver in the OSGi service

Step1: Creating Service User Mapping

Goto http://<host>:<port>/system/console/configMgr

Search for ‘Apache Sling Service User Mapper Service’ and click on edit

Add an entry by clicking ‘+’

<bundleId>:<subServiceName> = <systemUserName>

Ex: org.test.core:readService=testreaduser

User Mapping Service
User Mapping Service

Step 2: Create a User Mapper Service Amendment

Add a new Amendment as shown below

User Mapping Service Amendment
User Mapping Service Amendment

If you are using multiple User Mapping for a same service, then the highest Ranking User will be used to authenticate the access for the ResourceResolver.

Step 3: Create the System User

In AEM 6.0, even the normal user could be used in mapping the service but from AEM 6.1 it is mandatory to use only the ‘System User’ in the Mapping.

Goto  http://<host>:<port>/crx/explorer/index.jsp

Click on ‘User Administration’

CRX Explorer
CRX Explorer

Click on ‘Create System User’

User Adminsitration
User Adminsitration

Add a userId ‘testreaduser’  and click the tick mark

Create System User
Create System User


Step 4: Permissions to the System User

Once you have created the system User, goto /useradmin

Select the user you created and click on ‘Permission’ tab

Enable the ACLs accordingly and ‘Save’.

User Permission
User Permission

Step 5: OSGi Service

Now you have successfully created the service users which can be used in your services to get the access for ResourceResolver. Below is an example which shows how to use the service user to get the access.

Create an Interface


Create in Impl class


Once you install the bundle, you should be able to see the mentioned logs in your <project>.log file

This is slightly different from AEM 6.0 where in just having the UserMapping and the User would be sufficient to get the access in ResourceResolver. In 6.1 its changed a bit with Amendments and the compulsory of creating System User only to work.


23 thoughts on “Access to ResourceResolver in OSGi Services : AEM 6.1

  1. Hi lokesh,

    Do we have to create this system user on all the instances or is there a way by which we can install it along with the package ?


  2. Hi Lokesh,

    Nice article about the service users in AEM6.1. Thanks for the write up and sharing the article.

    In AEM6.1 – There is a module called projects, in which we can create different projects like Media Project, Translation Project etc… using touch UI. I would like to check with you if you have any details about the Projects backend/front end API to create the projects programmatically.

    It would be really great if you can share Projects API, Maven dependencies and as well some examples.

    Here is my email id


  3. Hi. Thank you for the article. Could you explain why you used service user mapping AND service user mapping amendement and what is the difference between the both?

  4. What exactly do you do if you use one service user for a complete bundle?
    The ResourceResolverFactory.SUBSERVICE, “readService” map works great, but we have bundles where a further user differentiation is simply not helpful.
    Any hints on that would be appreciated

  5. Hi Lokesh,

    Thanks for this nice article.

    Even in our application we are dealing with Apache sling Service User Mapper Service Amendment only.


    1. Hi Sunil,
      Why do you have to automate it ? Ideally you would create 2 or 3 system users and automating it would be of no value !

      1. In my case, this will be created as a bundle with its own custom features. This will then be consumed/installed by other teams in their own AEM instances. So instead of providing the steps for each team to setup the user and ACLs in their instances for the functionality to work, I wanted to see if that can be programmatically handled in my bundle itself so others don’t have to do the setup to get it working.

      2. It can even be a separate script that folks can run which will set things up for them. Need not be in the bundle itself.

          1. Nice! Appreciate the link. Any API to set the ACLs too on the system user created using the jackrabbit API? Appreciate the follow up.

  6. what is the difference between resource resolver and resource, and when to use it, plz explain as googling is not helping me.

    1. Hi Kapil,

      Any node in JCR is termed as a resource and the resource can be of any type like Page, Asset, Properties etc…
      where as resourceResolver helps you to identify or find a given path to a resource within the JCR.
      Hope it helps !

  7. Hi Lokesh,

    Is it possible to create system user without using admin account? What priviledge is required?


    1. Hi Debal,

      Any user/group who has complete access to /home/users/system should be able to create the system user. However, usually only the administrators should have that access !

  8. Hi Lokesh,

    I have been using different service resolvers based on different accesses. For example ServiceResolver1 has access under /home and ServiceResolver2 has access under /etc/project.
    I am using a method that needs a ResourceResolver object that does some action under /home and /etc/project both.

    Earlier I was using adminResolver to do both actions. Now since we are using service resolvers based on what access they should have, how could I tackle this? Pass two ResourceResolver objects to the method? Pass a map with required RRs?

    If there is an related example, thats appreciated 🙂

    Thanks for the article

  9. Hi Lokesh
    This Article is very good and informative.
    We are facing a issue where we see our system user as the created user in the content pages.
    I would like to know if system user can upload or make changes in the pages ,as system user doesn’t have any password so how can he login. Or can any user impersonate the system user and make changes in the content.

    1. Hi Reshma,
      System Users are not login users. These users are created only to perform system operations on JCR via services


Leave a Reply

Your email address will not be published. Required fields are marked *