Order of user group permissions in AEM Assets

Question

I am new to User Admin and am setting up some new usergroups. I have seen references in the documentation that you can "nest" groups to give a baseline set of permissions.
 
My question is about what order AEM goes through the permissions. If I create a new custom user group, and make it a member of DAM Users, and then make some more restrictive permissions in my custom group will those supersede the ones DAM Users grants?
 
Example: Custom group would only be allowed to access specific folders under /dam. DAM Users grants access to the entire /dam. Would a user in my custom group still be limited to only the groups the custom groups allows or would DAM User take precedent?
 
Thanks!

Nikhil_Verma · Accepted Answer

User and group permissions can be pretty confusing when you start to think about numerous possible use cases.

For the example use case you stated, your custom group users may or may not be able to access those specific restricted DAM folders. It depends on the order in which the permissions were applied.

Example 1:

There's a group: 'DAM-Users'
- It has allow access to all DAM folders
Created a new custom group: 'Restricted-DAM-Users'
- We set deny access to 'My Assets' folder in DAM
Created a user: 'dam-user'
- We make this user member of both groups: 'DAM-Users' & 'Restricted-DAM-Users'

What is the expected final permission for the 'dam-user' on DAM folder 'My Assets'?

-> In this case, the user will not be able to access the 'My Assets' folder.

Example 2 (in continuation)

But now,

If I create another new user group, say, 'Lenient-DAM-Users'
- Set allow access to 'My Assets' folder
Make 'dam-user' member of this 'Lenient-DAM-Users' group.

Now what is the expected final permission for the 'dam-user' on DAM folder 'My Assets'?

-> Now, the user will be able to access the 'My Assets' folder.

To understand more technically in depth, I suggest reading the below Adobe docs:

- https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/user-group-ac-admin.html?lang=en#how-access-rights-are-evaluated

- Best practices: https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security.html?lang=en#best-practices

It is easy to lose yourself in the permissions sets especially when there are complex number of user groups and permissions.

Here's a quick way to test the permissions on a given path:

Go to CRXDE, http://[host]:[port]/crx/de/index.jsp
Select the path you want to test access to.
Select the 'Access Control' tab
See the order of the permissions under 'Access Control List'. These are the list of permissions applied on that path.
The bottom most permission takes more precedence.
You can also change the order of the permissions by click and drag.

achennapragada · Answer

hi @kate.sumbler-2 ,When any user group(e.g. DAM Users) is added to a custom group. The permissions provided for DAM users will be applicable to the custom group as well.  Examplecustom group 1 -> /content/dam/project1, content/xyz/sites1DAM users have access to /content/damupon making custom group1 a member of DAM Users group custom group1 will have following permissions.Custom group : /content/dam (including /content/dam/project1) + content/xyz/sites1The only catch here will be if your group explicitly denies restrictions to a specific folder, then that takes precedenceExamplecustom group 1 -> /content/dam/project1, deny - content/dam/project2DAM users have access to /content/damupon making custom group1 a member of DAM Users group custom group1 will have following permissions.Custom group : /content/dam - /content/dam/project 2The general recommendation is to provide allow permissions to respective folders rather than deny any folderThanks,Anil

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded