Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

AEM Page Authentication

Avatar

Level 1

Hello,

I have a question about providing permissions for bulk users on AEM pages. Let me explain little bit more about my requirement.

I would like to have a person to feed in details of multiple users in our website and request access to a AEM page. Once they submit the details, in the back-end I should be able to reach out to AEM for provisioning the access to those users. Can I do it leveraging web services?

Thanks

Rajesh

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

I can only speak of for AEM :-)

Technically you should be able to do it, although I am not sure if there's an "offical" REST API to do that (in that case it shouldn't be hard to write it yourself).

But I am very hesitant to recommend it to you; because if you add for each user a dedicated ACL to individual pages, you'll end up in lots of ACLs (with a performance impact!), and the whole setup will get unmanageable from an ACL perspective. It's easy to allow certain users to view certain pages, but what do you do if you need to remove these permissions? Or review them? And in any case, are you talking about your frontend (a.k.a publish instances) or authoring? In case of publish, you should apply the ACLs to all of them.

From an AEM product point of view, Closed User Groups is the feature you are should use. You should really try to match your usecase to it, because everything more granular is likely to cause additional effort on implementation of a solution and maintenance of ACLs and permissions.

Jörg

View solution in original post

4 Replies

Avatar

Employee Advisor

I understand you in a way, that you have AEM pages on publish, which are secured by default, and people need to request access for these pages on a different site. Is that correct?

In that case I would try to group your AEM pages. You should not give access on single pages, but group a bunch of pages into a "page set". Then create groups on your IDP (LDAP-Server, Active Directory, whatever), connect that to your AEM and configure AEM in a way, that in order to access pages of page set "A" the user needs to be member of a group "group-A".

And then you don't need to change ACLs or anything else on AEM side when allowing people to access the AEM pages, but rather make them members of a group. That approach scales much better and is much more managable than granting read access to individual users.

regards,

Jörg

Avatar

Level 1

Hello Jorg,

Thank you for your kind reply. Yes, I agree this is a solution for my requirement.

I would like to refine it more by eliminating the dependency on IDP since my users are going to be outside the organization.

I want to build a solution which gets user(s) information(like First Name, Last Name, Email, Phone etc.) from our portal (usually people inside the organization will upload it in bulk) and mention the pages to be accessed. Once they hit the submit button, in the back-end I should be able to make some REST call (POST method) to AEM or AE Cloud so that permissions will be given to those pages and we will send a notification to individual users with their page(s) links and credentials. I am anticipating my solution will have to use the legacy authentication instead of IDP.

Is it possible to integrate our portal this way with AEM or AE Cloud?

Thanks,

Rajesh

Avatar

Correct answer by
Employee Advisor

I can only speak of for AEM :-)

Technically you should be able to do it, although I am not sure if there's an "offical" REST API to do that (in that case it shouldn't be hard to write it yourself).

But I am very hesitant to recommend it to you; because if you add for each user a dedicated ACL to individual pages, you'll end up in lots of ACLs (with a performance impact!), and the whole setup will get unmanageable from an ACL perspective. It's easy to allow certain users to view certain pages, but what do you do if you need to remove these permissions? Or review them? And in any case, are you talking about your frontend (a.k.a publish instances) or authoring? In case of publish, you should apply the ACLs to all of them.

From an AEM product point of view, Closed User Groups is the feature you are should use. You should really try to match your usecase to it, because everything more granular is likely to cause additional effort on implementation of a solution and maintenance of ACLs and permissions.

Jörg