Adobe Experience Manager Assets

Kate_Sumbler · 8/5/22

I am new to User Admin and am setting up some new usergroups. I have seen references in the documentation that you can "nest" groups to give a baseline set of permissions.

My question is about what order AEM goes through the permissions. If I create a new custom user group, and make it a member of DAM Users, and then make some more restrictive permissions in my custom group will those supersede the ones DAM Users grants?

Example: Custom group would only be allowed to access specific folders under /dam. DAM Users grants access to the entire /dam. Would a user in my custom group still be limited to only the groups the custom groups allows or would DAM User take precedent?

Thanks!

Nikhil_Verma · 8/7/22

User and group permissions can be pretty confusing when you start to think about numerous possible use cases.

For the example use case you stated, your custom group users may or may not be able to access those specific restricted DAM folders. It depends on the order in which the permissions were applied.

Example 1:

There's a group: 'DAM-Users'
- It has allow access to all DAM folders
Created a new custom group: 'Restricted-DAM-Users'
- We set deny access to 'My Assets' folder in DAM
Created a user: 'dam-user'
- We make this user member of both groups: 'DAM-Users' & 'Restricted-DAM-Users'

What is the expected final permission for the 'dam-user' on DAM folder 'My Assets'?

-> In this case, the user will not be able to access the 'My Assets' folder.

Example 2 (in continuation)

But now,

If I create another new user group, say, 'Lenient-DAM-Users'
- Set allow access to 'My Assets' folder
Make 'dam-user' member of this 'Lenient-DAM-Users' group.

Now what is the expected final permission for the 'dam-user' on DAM folder 'My Assets'?

-> Now, the user will be able to access the 'My Assets' folder.

To understand more technically in depth, I suggest reading the below Adobe docs:

- https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/user-group-ac-a...

- Best practices: https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security.html?l...

It is easy to lose yourself in the permissions sets especially when there are complex number of user groups and permissions.

Here's a quick way to test the permissions on a given path:

Go to CRXDE, http://[host]:[port]/crx/de/index.jsp
Select the path you want to test access to.
Select the 'Access Control' tab
See the order of the permissions under 'Access Control List'. These are the list of permissions applied on that path.
The bottom most permission takes more precedence.
You can also change the order of the permissions by click and drag.

View solution in original post

achennapragada · 8/5/22

hi @Kate_Sumbler ,

When any user group(e.g. DAM Users) is added to a custom group. The permissions provided for DAM users will be applicable to the custom group as well.

Example

custom group 1 -> /content/dam/project1, content/xyz/sites1
DAM users have access to /content/dam
upon making custom group1 a member of DAM Users group custom group1 will have following permissions.
Custom group : /content/dam (including /content/dam/project1) + content/xyz/sites1

The only catch here will be if your group explicitly denies restrictions to a specific folder, then that takes precedence

Example

custom group 1 -> /content/dam/project1, deny - content/dam/project2
DAM users have access to /content/dam
upon making custom group1 a member of DAM Users group custom group1 will have following permissions.
Custom group : /content/dam - /content/dam/project 2

The general recommendation is to provide allow permissions to respective folders rather than deny any folder

Thanks,

Anil

Nikhil_Verma · 8/7/22

User and group permissions can be pretty confusing when you start to think about numerous possible use cases.

For the example use case you stated, your custom group users may or may not be able to access those specific restricted DAM folders. It depends on the order in which the permissions were applied.

Example 1:

There's a group: 'DAM-Users'
- It has allow access to all DAM folders
Created a new custom group: 'Restricted-DAM-Users'
- We set deny access to 'My Assets' folder in DAM
Created a user: 'dam-user'
- We make this user member of both groups: 'DAM-Users' & 'Restricted-DAM-Users'

What is the expected final permission for the 'dam-user' on DAM folder 'My Assets'?

-> In this case, the user will not be able to access the 'My Assets' folder.

Example 2 (in continuation)

But now,

If I create another new user group, say, 'Lenient-DAM-Users'
- Set allow access to 'My Assets' folder
Make 'dam-user' member of this 'Lenient-DAM-Users' group.

Now what is the expected final permission for the 'dam-user' on DAM folder 'My Assets'?

-> Now, the user will be able to access the 'My Assets' folder.

To understand more technically in depth, I suggest reading the below Adobe docs:

- https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/user-group-ac-a...

- Best practices: https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security.html?l...

It is easy to lose yourself in the permissions sets especially when there are complex number of user groups and permissions.

Here's a quick way to test the permissions on a given path:

Go to CRXDE, http://[host]:[port]/crx/de/index.jsp
Select the path you want to test access to.
Select the 'Access Control' tab
See the order of the permissions under 'Access Control List'. These are the list of permissions applied on that path.
The bottom most permission takes more precedence.
You can also change the order of the permissions by click and drag.

Adobe Experience Manager Assets

Order of user group permissions in AEM Assets

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe