
SOLVED

IMS group mapping to Product profile is not synced in to AEM


Hi, 

 

On the Admin Console, we have a custom product profile, and one IMS Group (AD group) is mapped to this Product Profile. In AEM I can see that both the Product Profile group and the IMS groups are synced, but the IMS group is NOT showing as a member of the Product Profile group. My question is: does the mapping of an IMS group to a product profile also get synced to AEM as-is, or will we have to add the IMS group to an OOTB AEM group (e.g. DAM-Users) and manage permissions?
 

Which is the appropriate mapping to manage permissions in AEMasCS?

IMS Group--> Product Profile Group--> DAM-Users 

IMS Group --> DAM-Users

 

I can see IMS Users--> Product profile mapping is synced in AEM but not IMS Group-->Product Profile. Can someone please guide?


1 Accepted Solution


Correct answer by
Employee Advisor

@chandra-deshmukh The recommended approach is:

Users -> IMS Groups -> AEM Groups

Users are assigned to Product Profiles so that they can access the Product (AEM) and the user gets synced into your AEM instance. They should not play any role in managing user permissions.

 

AEM Groups created in AEM should have all the user permission mappings. IMS groups synced from the Admin Console should be made members of this group. Users should not be directly assigned to custom AEM Groups; instead, these users should be made members of the IMS Group, which is a member of the AEM Group.

 

Please note that IMS Groups are just a logical grouping to provide a layer of abstraction over the internal mapping of users in AEM.
Please refer to the doc below for a better understanding:
https://experienceleague.adobe.com/docs/experience-manager-cloud-service/content/security/ims-suppor...
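
The chain recommended in the answer above (Users -> IMS Groups -> AEM Groups), expressed as a membership audit. This is an added example, not part of the original thread and not Adobe code; the membership data, the user and group names other than DAM-Users, and the `kind` labels are constructed assumptions, not a real AEM or Admin Console export format.

```python
# Constructed sample data, NOT a real AEM or Admin Console export.
# kind: "aem" = local AEM group that holds the permissions,
#       "ims" = IMS group synced from the Admin Console,
#       "profile" = product profile group synced from the Admin Console.
GROUPS = {
    "DAM-Users":      {"kind": "aem",     "members": ["ims-marketing", "carol"]},
    "ims-marketing":  {"kind": "ims",     "members": ["alice", "bob"]},
    "ims-agency":     {"kind": "ims",     "members": ["dave"]},
    "custom-profile": {"kind": "profile", "members": ["alice", "bob", "carol", "dave"]},
}


def effective_aem_groups(user, groups):
    """AEM groups a user reaches directly or through nested group membership."""
    reached, frontier = set(), {user}
    while frontier:
        parents = {g for g, d in groups.items() if frontier & set(d["members"])}
        frontier = parents - reached  # only expand groups not seen yet (cycle-safe)
        reached |= parents
    return sorted(g for g in reached if groups[g]["kind"] == "aem")


def audit(groups):
    """Flag deviations from Users -> IMS Groups -> AEM Groups."""
    findings = []
    for name, data in sorted(groups.items()):
        if data["kind"] == "aem":
            for member in data["members"]:
                if member not in groups:  # not a group, so it is a user
                    findings.append(f"user {member} is a direct member of AEM group {name}")
                elif groups[member]["kind"] == "profile":
                    findings.append(f"product profile {member} carries permissions via {name}")
        elif data["kind"] == "ims":
            nested = any(name in g["members"]
                         for g in groups.values() if g["kind"] == "aem")
            if not nested:
                findings.append(f"IMS group {name} is not a member of any AEM group")
    return findings


if __name__ == "__main__":
    for line in audit(GROUPS):
        print(line)
    for user in ("alice", "carol", "dave"):
        print(user, effective_aem_groups(user, GROUPS))
```

In the sample, `dave` is in the product profile and an IMS group but reaches no AEM group, which is the situation described in the question.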

 


3 Replies



Employee

Thanks @krati_garg for this explanation. This is helpful.

I was thinking of doing the mapping below to manage the permissions in AEM.

Users-->IMS Group-->Product Profile-->AEM Groups

This way, we could have avoided manual mapping of IMS Group-->AEM Groups in AEM, and for the customer it is also easy to manage via the Admin Console.

 

However, I noticed that the IMS Group-->Product Profile mapping is not getting synced in AEM (nor can we do it manually in AEM) and we have to do the IMS Group-->AEM Group mapping.

So, I feel there is no point in creating custom product profiles, as we have many OOTB profiles available which can be leveraged to manage access to the Product (AEM).

 


Administrator

@chandra-deshmukh 

Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found the solution yourself, please share it with the community.



Kautuk Sahni