Amvionlie CMS
Where the Future Begins

Permission Manifest Declarations

Use this page when adding or reviewing permissions in a manifest, install contract, route contract, or admin workflow. Declaration must exist before enforcement.

Rule

Every permission used by an addon or system surface must be declared before it is enforced.

Required Declaration

A permission declaration must state:

  • stable permission key
  • owner addon or system surface
  • human label and short description
  • permission family or section
  • intended action level
  • install or update introduction point

Permission keys follow the naming rules in Addon Development/Permissions Contract Basics and Permissions/Roles and Groups.

Manifest Intake

Addon manifests may declare permission needs, but the manifest is intake truth only. AEM validates the addon contract and Permissions owns the accepted catalog record.

The stored registry, manifest declaration, runtime check, and documentation must agree.

Update Rule

Updates may add new permissions. They must not silently rename or remove existing published permission keys.

Deprecated keys require a documented replacement path and an Addon Development/Changelog Entry Rules record.

Collision Rule

A permission key belongs to one owner. If two packages declare the same permission key, the packages must belong to the same governed addon lineage, or the collision must be rejected for review.

See Addon Development/Route and Slug Collision Handling and Installer/Package Install and Update Flow.
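One way to check the Required Declaration, Update Rule, and Collision Rule at intake, as an added example that is not Amvionlie CMS code. The field names, data shapes, permission keys, and the review_manifest helper are all assumptions made for illustration.

```python
# Added example. Field names and data shapes are assumptions, not the CMS schema.
REQUIRED_FIELDS = ("key", "owner", "label", "description", "family",
                   "action_level", "introduced_in")

def review_manifest(manifest, registry, deprecations=None):
    """Return rejection reasons (an empty list means the declarations pass).
    manifest: {"lineage", "permissions": [...]}; registry: {key: {"owner", "lineage"}};
    deprecations: {old_key: {"replacement", "changelog"}}."""
    deprecations = deprecations or {}
    problems, declared = [], set()
    for perm in manifest["permissions"]:
        key = perm.get("key") or "<missing key>"
        # Required Declaration: every field must be present and non-empty.
        missing = [f for f in REQUIRED_FIELDS if not str(perm.get(f) or "").strip()]
        if missing:
            problems.append(f"{key}: missing {', '.join(missing)}")
        declared.add(key)
        # Collision Rule: a published key stays with its owning lineage.
        existing = registry.get(key)
        if existing and existing["lineage"] != manifest["lineage"]:
            problems.append(f"{key}: collision with {existing['owner']}, reject for review")
    # Update Rule: a published key may only disappear with a replacement path and changelog record.
    for key, rec in sorted(registry.items()):
        if rec["lineage"] == manifest["lineage"] and key not in declared:
            dep = deprecations.get(key, {})
            if not (dep.get("replacement") and dep.get("changelog")):
                problems.append(f"{key}: removed or renamed without replacement path")
    return problems

def _perm(key, **overrides):  # builds a constructed sample declaration
    base = {"key": key, "owner": "gallery", "label": "Sample",
            "description": "Sample permission", "family": "gallery",
            "action_level": "write", "introduced_in": "2.0.0"}
    return {**base, **overrides}

# Constructed sample data: registry state before an update, then the update manifest.
REGISTRY = {
    "gallery.albums.edit": {"owner": "gallery", "lineage": "amv-gallery"},
    "gallery.albums.delete": {"owner": "gallery", "lineage": "amv-gallery"},
    "forum.posts.edit": {"owner": "forum", "lineage": "amv-forum"},
}
UPDATE = {"lineage": "amv-gallery", "permissions": [
    _perm("gallery.albums.edit"),
    _perm("gallery.albums.purge", description=""),  # incomplete declaration
    _perm("forum.posts.edit"),                      # key owned by another lineage
]}

if __name__ == "__main__":
    print("\n".join(review_manifest(UPDATE, REGISTRY)))
```

The sample update fails on all three rules: an incomplete declaration, a key owned by another lineage, and a published key dropped without a deprecation record.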

Updated: 2026-05-07 01:26:36