AEM Cloud Manager allows you to put users into a group, and to assign product profiles.
There are two product profiles per instance, AEM Administrators-xxx and AEM Users-xxx
In cloud manager, we can create groups, e.g:
we have 7 envs (prod, stage, uat, hot, dev, test etc). So 14 product profiles in total.
What we can't do in AEM Cloud is assign users to existing AEM groups, such as administrators or Authors (but it does let you assign DAM users, which, without the other groups, is useless).
So we have user A and user B
If we want to make user A administrator on dev, but Author on the rest, and we want to make user B be administrator on prod, but author on the rest, there is no sane way to do this.
What we did is put my-administrators in the administrator group on each local instance (not using the cloud console), and put my-authors in the Authors group.
This means if we put a user into the my-administrators group in the cloud console, it puts them in the administrators group when they log in to that env.
In order for a user to log in to any env, he has to be assigned a product profile for that env. So we assign the Admin Users-xxx to all users who need to access environment xxx, but this does not control what role or permissions they are given (unfortunately), it only controls whether they can log in or not. The problem is, we can't make user A only admin on dev, he will become admin on prod also, because he can log in to prod (but for a different role), and because the groups are synced to all envs.
We have tried many different ways to try to implement basic permissions, but so far have failed.
We are thinking one way might be to create every group we need (aka role), with a different name for every env.
E.g. my-administrators-dev, my-administrators-prod etc. Then we go into each env, and put ONLY that env's groups into administrator.
To make it worse, you can't nest groups in AEM Cloud admin. So if we have a group with say 20 people in it (e.g. marketing), and we want to make them all say authors on an env, we have to manually put each person into say the my-authors-stage group, we can't just add marketing. If someone is hired in marketing, we have to manually assign them to each group one by one.
This is a nightmare to maintain - we will end up with hundreds of env specific groups, with manually configured local rights on each machine.
How do other people do this?
To make it worse, the groups UI on AEM instances is a disaster - search doesn't work (it only returns the first 5), you can't even order the list, and to search you have to scroll, and it loads one page at a time (very slowly) so you can't use the browser's page search (without first scrolling through all pages). It's unusable.
Hi @TB3dock,
I haven't worked extensively on AEMaaCS user permissions, but just trying to understand: can't we assign the "my-authors" IMS group (created via Admin Console) to the AEM-Users-XXX product profile, and then in the AEM instance assign specific AEM group-based permissions to the "my-authors" IMS group? Say we have the OOTB "Content-Authors" group in AEM, we can add the "my-authors" IMS group to it?
Thanks for the reply. We can assign permissions on the my-authors local group in the AEM instance, on each instance. So dev, test, uat, prod etc. all have a local group called my-authors. If we now put user A in my-authors via the admin console, and assign the AEM Users xxdevxxx profile to this via IMS, A can log in to dev and gets author permissions. Now let's say we need to give A access to a different role on prod. Let's say we have another group called "my-viewers" with different permissions. As soon as we assign "AEM Users xxxprodxxx" to the group "my-viewers", A now has "my-authors" on prod. This is because AEM syncs groups to all envs, not just the one we want. Because A is in that group on another env, he is also in this group on this env, because he also has a product profile for this env. It's a bizarre architecture.
One workaround to this inflexible system is to create individual groups for every env. If we have say 10 roles, and 7 envs, we need 70 groups, and for each group, we only assign permissions in one local env only. This would be a nightmare to set up and manage. Perhaps we are supposed to use product profiles for this, but there is a major bug where product profiles randomly don't sync, which Adobe has been working on without resolution for 3 months now.
Hi @TB3dock,
Regarding Groups Sync:
Given this understanding, for your use case of User A being admin on DEV and author on the rest, and vice versa for User B, I suggest you try this in a DEV/Sandbox instance and see if this flow works. If you have already tried custom profile groups, could you please elaborate on the issue in the same?
Step-1: Create user groups in the Admin Console which match your business user groups. To map each group to an env, you can create groups like "Author-Dev".
Step-2: Assign the "AEM Users-xxx" product profile to these groups.
Step-3: When any user logs in, these groups will be synced to the AEMaaCS instance. (All groups will be synced.)
Step-4: Use runmode-specific repo-init scripts or the Netcentric tool to assign OOTB groups to the env-specific groups only.
So, if Author-Dev, Author-Stage and Author-Prod are synced to the Dev instance, declare only Author-Dev as a member of content-authors.
This way, if a user is Author in Dev but only a reviewer in Stage, he would get permissions based on Role + env.
https://sling.apache.org/documentation/bundles/repository-initialization.html
https://github.com/Netcentric/accesscontroltool
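Step-4 is the part that stops scaling by hand once roles multiply across environments (the 10 roles x 7 envs = 70 groups from the earlier reply). The Python below is an added example, not code from this thread, from Adobe or from the Netcentric project: it generates one runmode-specific repoinit OSGi config per environment from a role table, so each instance maps only its own env's synced groups to OOTB AEM groups, and it includes a check that no config references another env's group. It assumes a project folder named myproject, Admin Console groups named Role-Env (Author-Dev etc.) that sync into AEM under that exact authorizable ID, and a hypothetical Reviewer role; content-authors and administrators are OOTB AEM group IDs, and the repoinit `add ... to group ...` statement and the `.cfg.json` `scripts` key are the documented Sling/AEMaaCS forms.

```python
"""Generate per-runmode repoinit configs mapping env-specific IMS groups to OOTB AEM groups.

Added example for this thread, not project, Adobe or Netcentric code. Assumptions:
- Admin Console groups are named "<Role>-<Env>" (e.g. Author-Dev) and sync into AEM
  with that exact authorizable ID (verify in the AEM Groups console after a first login).
- "myproject", the config folder layout and the Reviewer role are placeholders.
"""
import json
import re
from pathlib import Path

# Role -> OOTB AEM group(s) the role's env-specific group should be a member of (assumed mapping).
ROLE_TO_AEM_GROUPS = {
    "Admin": ["administrators"],
    "Author": ["content-authors"],
    "Reviewer": ["content-authors"],  # hypothetical role; reuse author rights for the example
}

# Env suffix used in the IMS group name -> AEMaaCS runmode config folder.
ENV_TO_RUNMODE = {"Dev": "config.dev", "Stage": "config.stage", "Prod": "config.prod"}

# Factory PID of the Sling repoinit initializer plus an assumed config name.
CONFIG_FILENAME = "org.apache.sling.jcr.repoinit.RepositoryInitializer~myproject-roles.cfg.json"

ADD_STATEMENT = re.compile(r"^add (\S+) to group (\S+)$")


def ims_group_id(role, env):
    """Authorizable ID under which the Admin Console group is expected to sync (assumed)."""
    return f"{role}-{env}"


def repoinit_statements(env):
    """Repoinit 'add ... to group ...' scripts for ONE env.

    Every Role-Env group syncs to every instance, but only this env's own groups
    are mapped here, so Author-Stage gains nothing on the dev instance.
    """
    return [
        f"add {ims_group_id(role, env)} to group {aem_group}"
        for role, aem_groups in ROLE_TO_AEM_GROUPS.items()
        for aem_group in aem_groups
    ]


def build_configs():
    """Return {relative path: cfg.json dict} with one config per runmode."""
    configs = {}
    for env, runmode in ENV_TO_RUNMODE.items():
        path = f"apps/myproject/osgiconfig/{runmode}/{CONFIG_FILENAME}"
        configs[path] = {"scripts": repoinit_statements(env)}
    return configs


def cross_env_leaks(configs):
    """Return (path, statement) pairs where a runmode config maps another env's group.

    This is the build-time check for exactly the leak the original post describes:
    a group meant for stage silently granting rights on dev.
    """
    leaks = []
    for path, cfg in configs.items():
        env = next(e for e, r in ENV_TO_RUNMODE.items() if f"/{r}/" in path)
        for statement in cfg["scripts"]:
            match = ADD_STATEMENT.match(statement)
            if match and not match.group(1).endswith(f"-{env}"):
                leaks.append((path, statement))
    return leaks


def write_configs(root):
    """Write the generated configs under root (e.g. the ui.apps jcr_root) and return their paths."""
    root = Path(root)
    written = []
    for rel, cfg in build_configs().items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(json.dumps(cfg, indent=2) + "\n")
        written.append(str(target))
    return sorted(written)


if __name__ == "__main__":
    generated = build_configs()
    for rel, cfg in generated.items():
        print(rel)
        print(json.dumps(cfg, indent=2))
    print("cross-env leaks:", cross_env_leaks(generated))
```

Running the script prints the three configs; `write_configs()` drops them into the project's osgiconfig folders. Keep `cross_env_leaks()` in CI so a hand edit that adds `Author-Prod` to a `config.dev` file fails the build. Because IMS groups only appear on an instance after a first login, confirm on a fresh environment that repoinit does not fail on a group that has not synced yet before relying on this for every role.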