In this article, let's look at the overall approach to managing user groups and permissions in the Admin Console and on the AEM Author instance, specifically for an AEM as a Cloud Service migration project.
When migrating from older AEM versions to AEM as a Cloud Service, we need to migrate users and user groups along with code and content. AEM as a Cloud Service requires all users to be migrated to the Adobe Admin Console, since access to AEM Author has to be managed through IMS authentication.
Migration of AEM users and their respective permissions can be handled by the Content Transfer Tool and the User Mapping Tool. Even after the migration is complete, we still need to plan and change the user management approach to make better use of the Admin Console's functionality.
The following points should be noted about Admin Console user management:
We can create IMS user groups in the Admin Console. The idea behind these groups is to manage user permissions on AEM Author.
However, user groups on IMS should not be used for the actual ACL-based permissions on the AEM instance.
Instead, IMS groups need to be made members of AEM ACL groups directly in the AEM Security console.
This way, we can add and remove users in the Admin Console and thereby control their permissions on AEM Author.
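The following audit sketch is an added example, not part of the original article or of any Adobe tooling. It checks a group and ACL export for the two departures from the model described above: an ACL entry granted directly to an IMS group, and an IMS group that is not nested in any local AEM ACL group. The export format, the field names, the group names and the ";ims" external-id marker are assumptions made for illustration.

```python
# Constructed sample data: a simplified export of groups and access control
# entries from an AEM Author instance. Field and group names are hypothetical.
GROUPS = [
    {"id": "site-authors-acl", "external_id": None, "member_of": []},
    {"id": "dam-editors-acl", "external_id": None, "member_of": []},
    {"id": "IMS-Site-Authors", "external_id": "IMS-Site-Authors;ims",
     "member_of": ["site-authors-acl"]},
    {"id": "IMS-DAM-Editors", "external_id": "IMS-DAM-Editors;ims",
     "member_of": []},
]
ACES = [
    {"path": "/content/site", "principal": "site-authors-acl", "allow": True},
    {"path": "/content/dam", "principal": "IMS-DAM-Editors", "allow": True},
]


def is_ims_group(group):
    # Assumption: groups synced from the Admin Console carry an external id
    # ending in ";ims"; local AEM ACL groups have none.
    ext = group.get("external_id") or ""
    return ext.endswith(";ims")


def audit(groups, aces):
    """Return findings where the layout departs from the recommended model."""
    ims = {g["id"] for g in groups if is_ims_group(g)}
    local = {g["id"] for g in groups if not is_ims_group(g)}
    findings = []
    # ACLs should sit on local groups only, never on an IMS group itself.
    for ace in aces:
        if ace["principal"] in ims:
            findings.append(
                ("direct-acl-on-ims-group", ace["principal"], ace["path"]))
    # An IMS group should inherit permissions by membership in a local group.
    for g in groups:
        if g["id"] in ims and not (set(g["member_of"]) & local):
            findings.append(("ims-group-not-nested", g["id"], None))
    return findings


if __name__ == "__main__":
    for finding in audit(GROUPS, ACES):
        print(finding)
```

In the sample data, IMS-Site-Authors follows the model, while IMS-DAM-Editors is flagged twice: it holds an ACL entry directly and is not a member of any local group.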