Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

admin console only has two permissions, author-user and author-administrators. How do we create more fine grained control

TB3dock
Level 8
Level 8

admin console only has two permissions, author-user and author-administrators.

This basically gives any AEM users full access to everything, which is highly dangerous.

With EpiServer, we could easily create groups with specific permissions, e.g. only edit marketing pages, or only create affiliate pages, or only add images to our external-marketing DAM directory.  We could even let content admins create their own permission structures for their users via checkbox interface with meaningful permission names.

 

Is any of this possible with AEM Cloud, and if so, how?  There seems to be no option in the admin console, where users permissions and groups are managed for our 10+ environments.

 

One confusing piece is that if you login to one of the many environments author instances directly, there is a security, users groups and permissions. But these are not reflected in the admin console, so presumably are not usable.  In addition, the author permission tab has an incomprehensible, enormous and unusable list of groups and permissions, e.g. "107830685PLC_ADMIN_GROUP_NAME_SUFFIX" and "/libs/settings/dam/cmf/models".  Many of these mystery groups have users in them, although we have not put them in directly.

1 Accepted Solution
Vijayalakshmi_S
Correct answer by
Community Advisor
Community Advisor

Hi @TB3dock,

Adobe Admin console has IMS users, IMS groups and Product profile (User and Administrators).

As such IMS groups don't hold permissions specific to AEM resources. It is to be thought of as credentials/group that is accessible across allowed/licensed Adobe products for the org. 

In order to use the same to AEM users/ AEM groups (as available in Tools -> Security -> Users/Groups in AEM instance), we need to associate synced IMS groups as a member of AEM groups (which ultimately has permission to desired AEM resources)

 

In Cloud Manager, under each environment, we have "Manage Access" action which will land in Admin console -> respective product instance. 

Video demo with sample use case (Write access to Specific DAM folder) is available in the below tutorial - https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/accessing/walk-throug...

 

In order to have clear distinction of Adobe console IMS users, IMS groups and AEM's user and groups, you can refer the entire "Accessing AEM" section in the same doc.

https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/accessing/overview.ht...

 

View solution in original post

1 Reply
Vijayalakshmi_S
Correct answer by
Community Advisor
Community Advisor

Hi @TB3dock,

Adobe Admin console has IMS users, IMS groups and Product profile (User and Administrators).

As such IMS groups don't hold permissions specific to AEM resources. It is to be thought of as credentials/group that is accessible across allowed/licensed Adobe products for the org. 

In order to use the same to AEM users/ AEM groups (as available in Tools -> Security -> Users/Groups in AEM instance), we need to associate synced IMS groups as a member of AEM groups (which ultimately has permission to desired AEM resources)

 

In Cloud Manager, under each environment, we have "Manage Access" action which will land in Admin console -> respective product instance. 

Video demo with sample use case (Write access to Specific DAM folder) is available in the below tutorial - https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/accessing/walk-throug...

 

In order to have clear distinction of Adobe console IMS users, IMS groups and AEM's user and groups, you can refer the entire "Accessing AEM" section in the same doc.

https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/accessing/overview.ht...

 

View solution in original post