AEM cloud - can't find a way to assign a user to have different roles on different envs.
AEM Cloud Manager allows you to put users into a group, and to assign product profiles.
There are two product profiles per instance, AEM Administrators-xxx and AEM Users-xxx.
In Cloud Manager, we can create groups, e.g.:
- my-administrators
- my-authors

We have 7 envs (prod, stage, uat, hot, dev, test etc). So 14 product profiles in total.
What we can't do in AEM cloud is assign users to existing AEM groups, such as administrators or Authors (but it does let you assign DAM users, which, without the other groups, is useless).
So we have user A and user B.
If we want to make user A administrator on dev, but Author on the rest, and we want to make user B be administrator on prod, but author on the rest, there is no sane way to do this.
What we did is put my-administrators in the administrator group on each local instance (not using the cloud console), and put my-authors in the Authors group.
This means if we put a user into the my-administrators group in the cloud console, it puts them in the administrators group when they log in to that env.
In order for a user to log in to any env, he has to be assigned a product profile for that env. So we assign the Admin Users-xxx to all users who need to access environment xxx, but this does not control what role or permissions they are given (unfortunately), it only controls if they can log in or not. The problem is, we can't make user A only admin on dev, he will become admin on prod also, because he can log in to prod (but for a different role), and because the groups are synced to all envs.
We have tried many different ways to try to implement basic permissions, but so far have failed.
We are thinking one way might be to create every group we need (aka role), with a different name for every env.
E.g. my-administrators-dev, my-administrators-prod etc. Then we go into each env, and put ONLY that env's groups into administrator.
To make it worse, you can't nest groups in AEM Cloud admin. So if we have a group with say 20 people in it (e.g. marketing), and we want to make them all say authors on an env, we have to manually put each person into say the my-authors-stage group, we can't just add marketing. If someone is hired in marketing, we have to manually assign them to each group one by one.
This is a nightmare to maintain - we will end up with hundreds of env-specific groups, with manually configured local rights on each machine.
How do other people do this?
To make it worse, the groups UI on AEM instances is a disaster - search doesn't work (it only returns the first 5), you can't even order the list, and to search you have to scroll, and it loads one page at a time (very slowly) so you can't use the browser's page search (without first scrolling through all pages). It's unusable.
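
A small model of the behaviour described in the post above, as an added example that is not part of the original post and not Adobe code: it computes each user's effective role per environment when synced groups are placed into local AEM groups, for the shared-group layout the poster used and for the per-environment group naming they are considering. The user names, the three-environment list and all function names are constructed for illustration.

```python
# Model only: constructed sample data, no AEM or Cloud Manager API is called.
ENVS = ["dev", "stage", "prod"]

# Intended role matrix from the post: A is admin on dev only, B on prod only.
INTENDED = {
    "userA": {"dev": {"administrators", "authors"}, "stage": {"authors"}, "prod": {"authors"}},
    "userB": {"dev": {"authors"}, "stage": {"authors"}, "prod": {"administrators", "authors"}},
}
# Product profiles only decide where a user may log in, not which role they get.
LOGIN = {user: set(ENVS) for user in INTENDED}

def effective_roles(user_groups, login_profiles, local_mapping):
    """user -> env -> sorted local roles, for envs the user can log in to.
    user_groups are synced to every env; local_mapping is configured per env."""
    result = {}
    for user, groups in user_groups.items():
        result[user] = {}
        for env in sorted(login_profiles.get(user, ())):
            mapping = local_mapping.get(env, {})
            result[user][env] = sorted({mapping[g] for g in groups if g in mapping})
    return result

def violations(actual, intended):
    """(user, env, role) grants that exceed the intended matrix."""
    found = []
    for user, per_env in actual.items():
        for env, roles in per_env.items():
            allowed = intended.get(user, {}).get(env, set())
            found.extend((user, env, role) for role in roles if role not in allowed)
    return sorted(found)

def shared_layout():
    """One my-administrators / my-authors pair, mapped the same way on every env."""
    groups = {user: {"my-administrators", "my-authors"} for user in INTENDED}
    mapping = {env: {"my-administrators": "administrators", "my-authors": "authors"}
               for env in ENVS}
    return groups, mapping

def per_env_layout():
    """Env-suffixed groups; each env maps ONLY its own groups to local roles."""
    groups = {user: {f"my-{role}-{env}" for env, roles in envs.items() for role in roles}
              for user, envs in INTENDED.items()}
    mapping = {env: {f"my-administrators-{env}": "administrators",
                     f"my-authors-{env}": "authors"} for env in ENVS}
    return groups, mapping

if __name__ == "__main__":
    for name, layout in (("shared", shared_layout), ("per-env", per_env_layout)):
        groups, mapping = layout()
        print(name, violations(effective_roles(groups, LOGIN, mapping), INTENDED))
```

Feeding a planned group layout and the intended role matrix into `violations` before touching any instance shows which environments would receive unintended administrator grants.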