Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

Order of user group permissions in AEM Assets

Avatar

Level 2

I am new to User Admin and am setting up some new usergroups. I have seen references in the documentation that you can "nest" groups to give a baseline set of permissions.

 

My question is about what order AEM goes through the permissions. If I create a new custom user group, and make it a member of DAM Users, and then make some more restrictive permissions in my custom group will those supersede the ones DAM Users grants?

 

Example: Custom group would only be allowed to access specific folders under /dam. DAM Users grants access to the entire /dam. Would a user in my custom group still be limited to only the groups the custom groups allows or would DAM User take precedent?

 

Thanks!

1 Accepted Solution

Avatar

Correct answer by
Level 5

User and group permissions can be pretty confusing when you start to think about numerous possible use cases.

 

For the example use case you stated, your custom group users may or may not be able to access those specific restricted DAM folders. It depends on the order in which the permissions were applied.

Example 1:

  • There's a group: 'DAM-Users'
    • It has allow access to all DAM folders
  • Created a new custom group: 'Restricted-DAM-Users'
    • We set deny access to 'My Assets' folder in DAM
  • Created a user: 'dam-user'
    • We make this user member of both groups: 'DAM-Users' & 'Restricted-DAM-Users'

What is the expected final permission for the 'dam-user' on DAM folder 'My Assets'?

-> In this case, the user will not be able to access the 'My Assets' folder.

 

Example 2 (in continuation)

But now,

  • If I create another new user group, say, 'Lenient-DAM-Users'
    • Set allow access to 'My Assets' folder
  • Make 'dam-user' member of this  'Lenient-DAM-Users' group.

Now what is the expected final permission for the 'dam-user' on DAM folder 'My Assets'?

-> Now, the user will be able to access the 'My Assets' folder.

 

To understand more technically in depth, I suggest reading the below Adobe docs:

https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/user-group-ac-a...

- Best practices: https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security.html?l...

 

It is easy to lose yourself in the permissions sets especially when there are complex number of user groups and permissions.

Screen Shot 2022-08-08 at 3.26.51 pm.png

Here's a quick way to test the permissions on a given path:

  • Go to CRXDE, http://[host]:[port]/crx/de/index.jsp
  • Select the path you want to test access to.
  • Select the 'Access Control' tab
  • See the order of the permissions under 'Access Control List'. These are the list of permissions applied on that path.
  • The bottom most permission takes more precedence.
  • You can also change the order of the permissions by click and drag.

View solution in original post

2 Replies

Avatar

Level 3

hi @Kate_Sumbler ,

When any user group(e.g. DAM Users) is added to a custom group. The permissions provided for DAM users will be applicable to the custom group as well. 

 

Example

  1. custom group 1 -> /content/dam/project1, content/xyz/sites1
  2. DAM users have access to /content/dam
  3. upon making custom group1 a member of DAM Users group custom group1 will have following permissions.
  4. Custom group : /content/dam (including /content/dam/project1) + content/xyz/sites1

The only catch here will be if your group explicitly denies restrictions to a specific folder, then that takes precedence

Example

  1. custom group 1 -> /content/dam/project1, deny - content/dam/project2
  2. DAM users have access to /content/dam
  3. upon making custom group1 a member of DAM Users group custom group1 will have following permissions.
  4. Custom group : /content/dam - /content/dam/project 2

The general recommendation is to provide allow permissions to respective folders rather than deny any folder

Thanks,

Anil

Avatar

Correct answer by
Level 5

User and group permissions can be pretty confusing when you start to think about numerous possible use cases.

 

For the example use case you stated, your custom group users may or may not be able to access those specific restricted DAM folders. It depends on the order in which the permissions were applied.

Example 1:

  • There's a group: 'DAM-Users'
    • It has allow access to all DAM folders
  • Created a new custom group: 'Restricted-DAM-Users'
    • We set deny access to 'My Assets' folder in DAM
  • Created a user: 'dam-user'
    • We make this user member of both groups: 'DAM-Users' & 'Restricted-DAM-Users'

What is the expected final permission for the 'dam-user' on DAM folder 'My Assets'?

-> In this case, the user will not be able to access the 'My Assets' folder.

 

Example 2 (in continuation)

But now,

  • If I create another new user group, say, 'Lenient-DAM-Users'
    • Set allow access to 'My Assets' folder
  • Make 'dam-user' member of this  'Lenient-DAM-Users' group.

Now what is the expected final permission for the 'dam-user' on DAM folder 'My Assets'?

-> Now, the user will be able to access the 'My Assets' folder.

 

To understand more technically in depth, I suggest reading the below Adobe docs:

https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/user-group-ac-a...

- Best practices: https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security.html?l...

 

It is easy to lose yourself in the permissions sets especially when there are complex number of user groups and permissions.

Screen Shot 2022-08-08 at 3.26.51 pm.png

Here's a quick way to test the permissions on a given path:

  • Go to CRXDE, http://[host]:[port]/crx/de/index.jsp
  • Select the path you want to test access to.
  • Select the 'Access Control' tab
  • See the order of the permissions under 'Access Control List'. These are the list of permissions applied on that path.
  • The bottom most permission takes more precedence.
  • You can also change the order of the permissions by click and drag.