admin console only has two permissions, author-user and author-administrators.
This basically gives any AEM users full access to everything, which is highly dangerous.
With EpiServer, we could easily create groups with specific permissions, e.g. only edit marketing pages, or only create affiliate pages, or only add images to our external-marketing DAM directory. We could even let content admins create their own permission structures for their users via a checkbox interface with meaningful permission names.
Is any of this possible with AEM Cloud, and if so, how? There seems to be no option in the admin console, where user permissions and groups are managed for our 10+ environments.
One confusing piece is that if you log in to one of the many environments' author instances directly, there is a Security section with users, groups and permissions. But these are not reflected in the admin console, so are presumably not usable. In addition, the author permissions tab has an incomprehensible, enormous and unusable list of groups and permissions, e.g. "107830685PLC_ADMIN_GROUP_NAME_SUFFIX" and "/libs/settings/dam/cmf/models". Many of these mystery groups have users in them, although we have not put them in directly.
Adobe Admin Console has IMS users, IMS groups and Product profiles (User and Administrators).
As such, IMS groups don't hold permissions specific to AEM resources. They are to be thought of as credentials/groups that are accessible across the allowed/licensed Adobe products for the org.
In order to apply this to AEM users/AEM groups (as available in Tools -> Security -> Users/Groups in the AEM instance), we need to associate the synced IMS groups as members of AEM groups (which ultimately have permissions on the desired AEM resources).
In Cloud Manager, under each environment, we have a "Manage Access" action which lands in Admin Console -> the respective product instance.