Overview
This guide explains how to configure a Technical Account in AEM as a Cloud Service for Gradial integration. By generating Service Credentials and adding the Technical Account to your author group(s), you enable Gradial to interact with AEM for creating Launches, managing content, and other operations. Basic integration steps include:
- Creating a Technical Account and downloading credentials
- Providing the credentials to Gradial
- Assigning appropriate permissions to the Technical Account in AEM
AEM Cloud Service Authentication
AEM as a Cloud Service uses Adobe’s Identity Management System (IMS) for authentication:
Technical Account
Machine-to-machine communication using service credentials and JWT tokens for authentication. No user intervention required.
Permission-based Access
Access is governed by AEM group memberships that control what operations the Technical Account can perform.
Prerequisites
Before creating a Technical Account, ensure you have the proper access and team coordination:
Required Access Roles
- Adobe IMS Org System Administrator - Required to create Technical Accounts
- AEM Administrators IMS Product Profile member - Required to assign permissions
Team Coordination
Typically, the following teams are involved:
- IT/DevOps Team - Usually holds System Administrator privileges for Cloud Manager
- AEM Development Team - Configures user permissions and group memberships
- Security Team - Reviews and approves service account access
Coordinate with your IT and security teams before proceeding. System Administrator access is typically restricted and may require approval workflows.
Integration Steps
1
Create a Technical Account & Download Credentials
Who performs this step: Adobe IMS Org System Administrator (typically IT/DevOps team)
- Log in to Adobe Cloud Manager as a System Administrator for your IMS Org
- Select the Program containing your target AEM environment
- Find the AEM environment, click the ellipsis (…), then select Developer Console
- In the Developer Console, navigate to the Integrations tab
- Select the Technical Accounts tab
- Click Create new technical account
- Once created, expand the Technical Account entry
- Click View to download the service credentials JSON file (often named service token.json)
CRITICAL: Do not modify the downloaded JSON file in any way. Use the file exactly as provided by Adobe. Any modifications will cause authentication failures.
Keep this file secure and never commit it to source control. Store it according to your organization’s security policies for sensitive credentials.
Limits: Each AEM environment can have up to 10 technical accounts. Service credentials expire every 365 days and will need to be regenerated.
2
Provide Credentials to Gradial
Gradial will:
- Use the service token.json to generate and sign a JWT
- Exchange that JWT with Adobe IMS for short-lived access tokens
- Add a Bearer token header to AEM API calls
Share the service token JSON file securely with your Gradial representative.
3
Configure AEM Permissions
Who performs this step: AEM Administrator
Once the Gradial Technical Account authenticates for the first time, it will appear in AEM as a user (format: an address ending in @techacct.adobe.com). You’ll then assign it to the right groups so it can create Launches, edit content, and upload assets.
For background on how permissions work in AEM as a Cloud Service, see Adobe’s Users, Groups and Permissions guide.
Step 1: Find the Technical Account User
- In AEM Author, go to Tools → Security → Users
- Search for the account ending in @techacct.adobe.com
- If you don’t see it, ask Gradial to trigger an authentication so the account is registered
Step 2: Assign Group Memberships
There are two common approaches:
Option A: Add to Existing Author Groups (Quick Start)
- Add the Technical Account to your standard author/editor group(s)
- This gives it the same capabilities your authors use: creating pages, editing content, uploading assets, and working with Launches
- Recommended if you want to get started quickly, but you must still confirm that the group actually carries the base permissions listed under Validate Permissions below
Option B: Create a Dedicated Service Group (Best Practice)
- Create a new group just for Gradial’s service accounts
- Grant that group the minimum required permissions
- Add additional rights only if needed (e.g., replication or workflows)
For enhanced security, Option B is recommended because it follows the principle of least privilege.
4
Validate Permissions
Area | Path | JCR Privileges | Why It’s Needed | How to Assign in AEM |
---|---|---|---|---|
Core (Author-level) | /libs | jcr:read | Foundations | Covered by most Author groups |
Core (Author-level) | /apps | jcr:read | Access components | Covered by Contributors |
Core (Author-level) | /conf | jcr:read | Access CSS styles, templates, policies | Covered by Contributors |
Core (Author-level) | /bin | jcr:read | Invoke AEM servlets (Gradial calls APIs here) | Must be explicitly added if not in base group |
Launches | /content/launches | jcr:read, rep:write, jcr:versionManagement | Create/manage Launches, check-in/out versions | Add to Authors, or create dedicated group |
Assets (DAM) | /content/dam (or equivalent) | jcr:read, rep:write, jcr:versionManagement, crx:replicate | Upload/edit assets and metadata, manage versions | Add to DAM Users, or grant directly |
Content Fragments (if separate) | /content/dam/<fragments> | rep:write, jcr:versionManagement | Create/update Content Fragments | Grant at CF folder level |
Site Pages | /content/<site> | jcr:read, rep:write, jcr:versionManagement | Create/update pages | Add to Authors for your site |
Experience Fragments | /content/experience-fragments/<site> | jcr:read, rep:write, jcr:versionManagement | Create/update XFs | Add to Authors for XF folders |
Tags | /content/cq:tags/<site> | jcr:read, rep:write, jcr:versionManagement, crx:replicate (if publishing) | Apply/create tags, version/tag changes, publish if needed | Create a custom group for tag admins |
Publishing (Optional) | /content (scoped) or /content/dam | crx:replicate, jcr:addChildNodes (if asset publishing required) | Needed only if Gradial should publish | Add only if workflows expect Gradial to replicate |
Avoid | Any | jcr:all | Grants superuser access | Not recommended |
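The following script is an added example (not part of this guide or Gradial's tooling) that checks a technical account's effective JCR privileges against the matrix above: it expands aggregate privileges such as rep:write, resolves allow/deny entries along the path hierarchy, reports anything the matrix requires that is not effective, and flags any path where jcr:all is effective (the "Avoid" row). The ACE tuple format and the sample ACL are assumptions constructed for illustration; the site-specific rows of the table are left out.

```python
# Added audit of a technical account's effective JCR privileges against the matrix above.
AGGREGATES = {  # aggregate privileges per JCR 2.0 / Oak (jcr:all abbreviated to members used here)
    "jcr:write": {"jcr:modifyProperties", "jcr:addChildNodes", "jcr:removeNode", "jcr:removeChildNodes"},
    "rep:write": {"jcr:write", "jcr:nodeTypeManagement"},
    "jcr:all": {"jcr:read", "rep:write", "jcr:versionManagement", "jcr:lockManagement", "jcr:readAccessControl", "jcr:modifyAccessControl", "crx:replicate"},
}
# Required privileges per path, from the table above (site-specific rows omitted).
REQUIRED = {
    "/libs": {"jcr:read"}, "/apps": {"jcr:read"}, "/conf": {"jcr:read"}, "/bin": {"jcr:read"},
    "/content/launches": {"jcr:read", "rep:write", "jcr:versionManagement"},
    "/content/dam": {"jcr:read", "rep:write", "jcr:versionManagement", "crx:replicate"},
}

def leaves(privs):
    """Expand aggregates recursively, keeping only leaf (non-aggregate) privileges."""
    out, stack = set(), list(privs)
    while stack:
        p = stack.pop()
        if p in AGGREGATES:
            stack.extend(AGGREGATES[p])
        else:
            out.add(p)
    return out

def effective(acl, target):
    """Leaf privileges effective at target: ancestor entries apply first, closer entries win."""
    have = set()
    for path, allow, privs in sorted(acl, key=lambda ace: ace[0].count("/")):
        if target == path or target.startswith(path.rstrip("/") + "/"):
            have = (have | leaves(privs)) if allow else (have - leaves(privs))
    return have

def audit(acl, required=REQUIRED):
    """Report missing privileges and any path where jcr:all is effective (the 'Avoid' row)."""
    findings = []
    for path, needed in required.items():
        have = effective(acl, path)
        if leaves({"jcr:all"}) <= have:
            findings.append(f"{path}: jcr:all is effective (superuser, avoid)")
        if missing := leaves(needed) - have:
            findings.append(f"{path}: missing {', '.join(sorted(missing))}")
    return findings

SAMPLE_ACL = [  # constructed example: (path, allow, privileges); not a real environment
    ("/", True, {"jcr:read"}),                                       # base Author read
    ("/apps", True, {"jcr:all"}),                                    # over-broad grant
    ("/content/launches", True, {"rep:write", "jcr:versionManagement"}),
    ("/content/dam", True, {"rep:write", "jcr:versionManagement"}),  # crx:replicate not granted
    ("/content/dam/restricted", False, {"jcr:write"}),               # deny write below the DAM
]
```

Running `audit(SAMPLE_ACL)` on the constructed ACL reports the jcr:all grant on /apps and the missing crx:replicate on /content/dam; a grant that is denied further down the tree, as on /content/dam/restricted, no longer shows as effective there.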
Important Notes
- The private key in service token.json generally expires each year, so you will need to regenerate the Service Credentials JSON before it expires
- Access tokens themselves expire frequently; Gradial automatically fetches new tokens using the private key
Reference
For additional information, see these Adobe documentation resources:
- AEM Cloud Service Authentication with Service Credentials
- Managing Users and Groups in AEM as a Cloud Service
- AEM Users, Groups and Permissions in Cloud Service
Need Help?
Contact your Gradial representative for additional support with your AEM as a Cloud Service integration.