Admin console only has two permissions, author-user and author-administrators. How do we create more fine-grained control?

TB3dock
Level 4

07-07-2021

admin console only has two permissions, author-user and author-administrators.

This basically gives any AEM user full access to everything, which is highly dangerous.

With EpiServer, we could easily create groups with specific permissions, e.g. only edit marketing pages, or only create affiliate pages, or only add images to our external-marketing DAM directory. We could even let content admins create their own permission structures for their users via a checkbox interface with meaningful permission names.

Is any of this possible with AEM Cloud, and if so, how? There seems to be no option in the admin console, where user permissions and groups are managed for our 10+ environments.

One confusing piece is that if you log in to one of the many environments' author instances directly, there is security, users, groups and permissions. But these are not reflected in the admin console, so presumably are not usable. In addition, the author permission tab has an incomprehensible, enormous and unusable list of groups and permissions, e.g. "107830685PLC_ADMIN_GROUP_NAME_SUFFIX" and "/libs/settings/dam/cmf/models". Many of these mystery groups have users in them, although we have not put them in directly.

Accepted Solutions (1)

Vijayalakshmi_S
MVP

08-07-2021

Hi @TB3dock,

Adobe Admin Console has IMS users, IMS groups and product profiles (User and Administrators).

As such, IMS groups don't hold permissions specific to AEM resources. They are to be thought of as credentials/groups that are accessible across the allowed/licensed Adobe products for the org.

In order to use the same with AEM users/AEM groups (as available in Tools -> Security -> Users/Groups in the AEM instance), we need to associate the synced IMS groups as members of AEM groups (which ultimately have permission to the desired AEM resources).

In Cloud Manager, under each environment, we have a "Manage Access" action which will land in Admin Console -> respective product instance.

A video demo with a sample use case (write access to a specific DAM folder) is available in the tutorial below - https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/accessing/walk-throug...

In order to have a clear distinction between Adobe console IMS users, IMS groups and AEM's users and groups, you can refer to the entire "Accessing AEM" section in the same doc.

https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/accessing/overview.ht...
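
Added example, not part of the original thread and not Adobe's code: a simplified Python model of the chain described in the answer above (IMS user -> synced IMS group -> AEM group -> permission on an AEM path), written as an audit check for who ends up with write access to a folder. All users, group names and paths are constructed, and the model assumes allow-only entries that are inherited down the content tree.

```python
# Added illustration: simplified model, not AEM or Oak code. All names are constructed.
# principal -> groups it is a direct member of
MEMBER_OF = {
    "alice@example.com": {"ims-marketing-dam"},   # IMS user in a synced IMS group
    "bob@example.com": {"ims-affiliates"},
    "carol@example.com": set(),                   # no IMS group at all
    # synced IMS groups made members of AEM groups
    "ims-marketing-dam": {"aem-external-marketing-dam-writers"},
    "ims-affiliates": {"aem-affiliate-page-authors"},
}

# Allow entries held by AEM groups: (group, path, privileges).
# Assumption: allow-only; deny entries and restrictions are not modelled.
ACES = [
    ("aem-external-marketing-dam-writers", "/content/dam/external-marketing", {"read", "write"}),
    ("aem-affiliate-page-authors", "/content/site/affiliates", {"read", "write"}),
    ("aem-affiliate-page-authors", "/content/dam", {"read"}),
]

def principals_of(name):
    """Return name plus every group reachable through nested membership."""
    seen, stack = set(), [name]
    while stack:
        current = stack.pop()
        if current in seen:  # guards against membership cycles
            continue
        seen.add(current)
        stack.extend(MEMBER_OF.get(current, ()))
    return seen

def covers(ace_path, target):
    """True if target is ace_path or a descendant, matching whole path segments."""
    return target == ace_path or target.startswith(ace_path.rstrip("/") + "/")

def effective_privileges(user, path):
    """Union of privileges granted to the user's principals on path."""
    principals = principals_of(user)
    granted = set()
    for group, ace_path, privileges in ACES:
        if group in principals and covers(ace_path, path):
            granted |= privileges
    return granted

def who_can(privilege, path):
    """Audit helper: users (not groups) that hold privilege on path."""
    users = (p for p in MEMBER_OF if "@" in p)
    return sorted(u for u in users if privilege in effective_privileges(u, path))
```

Running `who_can("write", path)` for each sensitive folder gives a quick list to compare against the people who are supposed to have that access.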

 

Answers (0)