Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

AEM cloud - cant find a way to assign a user to have different roles on different envs.

Avatar

Level 9

AEM could manager allows you to put users into a group, and to assign product profiles.

There are two product profiles per instance, AEM Administrators-xxx and AEM Users-xxx

In cloud manager, we can create groups, e.g: 

  1. my-administrators
  2. my-authors.

we have 7 envs (prod, stage, uat, hot, dev, test etc).  So 14 product profiles in total.

What we cant do in aem cloud is assign users to existing AEM groups, such as administrators or Authors (but it does let you assign DAM users, which, without the other groups, is useless).

 

So we have user A and user B

If we want to make user A administrator on dev, but Author on the rest, and we want to make user B be administrator on prod, but author on the rest, there is no sane way to do this.

 

What we did is put my-administrators in the administrator group on each local instance (not using the cloud console), and put my-authors in the Authors group.

This means if we put a user into the my-administrators group in the cloud console, it puts them in the administrators group when they login to that env.

In order for user to login to any env, he has to be assigned a product profile for that env. So we assign the Admin Users-xxx to all users who need to access environment xxx, but this does not control what role or permissions they are given (unfortunately), it only controls if they can login or not.  The problem is, we cant make user A only admin on dev, he will become admin on prod also, because he can login to prod (but for a different role), and because the groups are synced to all envs.

 

We have tried many different ways to try to implement basic permissions, but so far have failed.

We are thinking one way might be to create every group we need (aka role), with a different name for every env.

 

E.g. my-administrators-dev, my-admininstators-prod etc.  Then we go into each env, and put ONLY that envs groups into administrator.

 

To make it worse, you cant nest groups in AEM Cloud admin. So if we have a group with say 20 people in it (e.g. marketing), and we want to make them all say authors on an env, we have to manually put each person into say the my-authors-stage group, we can't just add marketing.  If someone is hired in marketing, we have to manually assign them to each group one by one.

 

This is a nightmare to maintain - we will end up with hundreds of env specific groups, with manually configured local rights on each machine.

 

Howe do other people do this?

 

To make it worse, the groups UI on AEM instances is a disaster - search doesn't work (it only returns the first 5), you cant even order the list, and to search you have to scroll, and it loads one page at a time (very slowly) so you cant use the browsers page search (withouth first scrolling through all pages).  Its unusable.

 

 

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Hi @TB3dock,

  • IMS Groups and IMS Users are at Admin Console/IMS level and to be reused across products in an Org. Not just for AEM.
  • Whereas Product Profiles are specific to an AEM instance. 
  • Also, IMS groups can't be assigned to Product profiles in Admin console. This is mentioned in this video (Timing : 01:57)https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/accessing/adobe-ims-u...
    • Only IMS users can be assigned to either AEMUsers-xxx or AEMAdministrators-xxx OOTB product profile or any custom profile groups.

Regarding Groups Sync:

  • When an IMS user logs into an AEM instance, all the IMS groups and product profile groups he/she is associated to will reflect/sync in that particular instance and  Not " the groups are synced to all envs." 
    • It is up to us to decide to which of the IMS groups/product profile groups we would like to associate the permissions to in AEM instance. 

Given this understanding, for your use case of User A being admin on DEV and author on rest and vice versa for User B,

  • you can create profile groups and have the IMS user assigned to those custom profile groups.
  • And when the custom profile groups is synced in AEM instance, You can associate the same as Member to AEM groups (with desired permissions).   

I suggest you to try this in DEV/Sandbox instance and see if this flow works. If you have already tried custom profile groups, could you please elaborate the issue in the same. 

View solution in original post

4 Replies

Avatar

Community Advisor

Hi @TB3dock ,

 

I haven't worked extensively on AEMaaCS User permissions but just trying to understand, Can't we assign the "my-authors" IMS Group (created via Admin Console) to AEM-Users-XXX in product profile and then in AEM instance assign specific AEM group based permissions to "my-authors" IMS Group, say we have OOTB "Content-Authors" Group in AEM, we can add "my-authors" IMS Group to it ?

Avatar

Level 9

Thanks for the reply.  We can assign permissions on my-authors local group in AEM instance, on each instance.  So dev, test, uat, prod etc. all have a local group called my-authors.  If we now put user A in my authors via admin console, and assign AEM Users xxdevxxx profile to this via IMS, A can login to dev and gets author permissions.  Now lets say we need to give A access to a different role on prod.  Lets say we have another group called "my-viewers" with different permissions. As soon as we assign "AEM Users xxxprodxxx" to the group "my-viewers", A now has "my-authors" on prod. This is because AEM syncs groups to all envs, not just the one we want.  Because A is in that group on another env, he is also in this group on this env, because he also has a product profile for this env.  Its a bazar architecture.

One workaround to this inflexible system is to create individual groups for every env. If we have say 10 roles, and 7 envs, we need 70 groups, and for each group, we only assign permissions in one local env only. This would be a nightmare to setup and manage.  Perhaps we are supposed to use product profiles for this, but there is a major bug where product profiles randomly dont sync, which Adobe has been working in without resolution for 3 months now.

 

 

Avatar

Correct answer by
Community Advisor

Hi @TB3dock,

  • IMS Groups and IMS Users are at Admin Console/IMS level and to be reused across products in an Org. Not just for AEM.
  • Whereas Product Profiles are specific to an AEM instance. 
  • Also, IMS groups can't be assigned to Product profiles in Admin console. This is mentioned in this video (Timing : 01:57)https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/accessing/adobe-ims-u...
    • Only IMS users can be assigned to either AEMUsers-xxx or AEMAdministrators-xxx OOTB product profile or any custom profile groups.

Regarding Groups Sync:

  • When an IMS user logs into an AEM instance, all the IMS groups and product profile groups he/she is associated to will reflect/sync in that particular instance and  Not " the groups are synced to all envs." 
    • It is up to us to decide to which of the IMS groups/product profile groups we would like to associate the permissions to in AEM instance. 

Given this understanding, for your use case of User A being admin on DEV and author on rest and vice versa for User B,

  • you can create profile groups and have the IMS user assigned to those custom profile groups.
  • And when the custom profile groups is synced in AEM instance, You can associate the same as Member to AEM groups (with desired permissions).   

I suggest you to try this in DEV/Sandbox instance and see if this flow works. If you have already tried custom profile groups, could you please elaborate the issue in the same. 

Avatar

Community Advisor

Step-1: Create user groups in Admin console, which match with your business user groups. To map each group to an env, you can create groups like "Author-Dev"

Step-2: Assign "AEM Users-xxx" product profile to these groups

Step-3: When any user logs in, these groups will be synced to AEMaaCS instance. (All groups will be synced)

Step-4: Use runmode specific repo-init scripts or netcentric tool to assign OOTB groups to the env-specific groups only.

So, if Author-Dev, Author-Stage and Author-Prod are synced to Dev instance, declare only Author-Dev as a member of content-authors.

 

This way, if a user is Author in Dev, but only a reviewer in Stage, he would get permissions based on Role +env

 

 https://sling.apache.org/documentation/bundles/repository-initialization.html

https://github.com/Netcentric/accesscontroltool 


Aanchal Sikka