SOLVED

AEMaaCS - IMS Groups and Users - Same Product Profile


Community Advisor

Hi AEM Community,

 

I am a little confused about IMS Users and IMS Groups w.r.t. IMS Product Profiles.

 

Scenario -

I have added an IMS User to AEM Users Product Profile.

This IMS User is also assigned to an IMS Group.

 

As per Adobe IMS User Groups Video (https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/accessing/adobe-ims-u...)

IMS User Groups cannot be assigned to AEM Product Profiles.

 

However, I was able to assign AEM Users Product Profile to the IMS Group without getting any error/warning displayed.

(Ideally this should be blocked or some warning message should be displayed!)

 

This poses the below query -

If I go ahead and remove the AEM Users Product Profile for the IMS User without removing it for the IMS Group, will the IMS User be able to access the AEM instance?

@arunpatidar @kautuk_sahni @Himanshu_Jain @Jagadeesh_Prakash

 

Thanks,

Rohan Garg


1 Accepted Solution


Correct answer by
Community Advisor

Hi All, 

 

Thank you for your responses! Here's the explanation I think is valid - 

1. From Product Profiles Console, you can add IMS Users but not IMS Groups.

2. From IMS Users & Groups console, you can only assign/remove groups & products. You cannot assign/remove product profiles.

 

There is a clear separation of concern here.

If User A has access to Instance 1's AEM Administrators profile, and User A is part of Group X, which has been further assigned Instance 1's AEM Users profile, then both will run in parallel.

If we see User A's profiles under the instance, we will see 2 Product Profiles: 1 Administrators profile and the other 1 AEM Users profile (subtexted by "Assigned By X User Group").

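The behaviour described in the accepted answer (a directly assigned profile and a group-assigned profile running in parallel), modelled as an access-review check. This is an added example, not part of the original post and not Adobe code; the data structures, user and group names are constructed placeholders, not an Admin Console export format.

```python
from collections import defaultdict

# Constructed sample data (placeholders, not an Admin Console export).
DIRECT = {            # profiles assigned to the user directly
    "user_a": {"Instance 1 / AEM Administrators"},
    "user_b": {"Instance 1 / AEM Users"},
    "user_c": set(),
}
GROUP_MEMBERS = {"group_x": {"user_a", "user_b"}, "group_y": {"user_c"}}
GROUP_PROFILES = {"group_x": {"Instance 1 / AEM Users"}, "group_y": set()}


def effective_profiles(user):
    """Map each profile the user holds to every source that grants it."""
    sources = defaultdict(list)
    for profile in DIRECT.get(user, set()):
        sources[profile].append("direct")
    for group in sorted(GROUP_MEMBERS):
        if user in GROUP_MEMBERS[group]:
            for profile in GROUP_PROFILES.get(group, set()):
                sources[profile].append(f"group:{group}")
    return {p: s for p, s in sorted(sources.items())}


def residual_sources(user, profile):
    """Sources still granting `profile` once the direct assignment is removed."""
    return [s for s in effective_profiles(user).get(profile, []) if s != "direct"]


def revocation_report(profile):
    """For each holder of `profile`, report whether a direct removal ends access."""
    report = {}
    users = set(DIRECT) | {u for m in GROUP_MEMBERS.values() for u in m}
    for user in sorted(users):
        held = effective_profiles(user).get(profile)
        if held:
            left = residual_sources(user, profile)
            report[user] = {"sources": held, "access_after_direct_removal": bool(left)}
    return report


if __name__ == "__main__":
    for user, row in revocation_report("Instance 1 / AEM Users").items():
        print(user, row)
```
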

5 Replies


Employee Advisor

Hi,

 

To address the confusion and ensure proper user access management, I would recommend following these steps:

  1. Remove the assignment of the AEM Users Product Profile from the IMS Group that you had assigned it to.

  2. Assign the AEM Users Product Profile directly to individual IMS Users instead of IMS Groups. This ensures better control and granularity over user access rights.

  3. Review and adjust the permissions and access configurations for both the IMS Users and IMS Groups to align with your desired access requirements.

  4. If necessary, create separate IMS Groups for specific access roles or permissions within AEM, and assign the relevant AEM Product Profiles to those IMS Groups.

By following these steps, you can ensure that user access in AEM is properly managed, avoiding any conflicts or unexpected behaviors.


Community Advisor

Thank you for your reply @ManviSharma! I have a few queries on this - 

For Point 2 - Usually in AEM, we give permissions on group rather than individual user. Shouldn't the same principle apply on IMS?

For Point 4 - The IMS User Groups should be product agnostic ideally, reusable across multiple experience products. Won't creating separate IMS groups w.r.t AEM roles deviate from this practice?


Community Advisor

Hi Rohan,

Below are my observations regarding the scenario you mentioned.

1. Every user group is assigned to one of the product profiles. As soon as you assign the user to that group, the user will be able to access that product.

Also, you cannot remove that product profile from the user if the user is assigned to that group; the checkbox will be disabled.

For example: you have a dev-author group and you assigned the dev-author-general-user product profile to it, as every AEM product consists of 2 profiles, general user and admin. As soon as you add this group to the user, this product profile will be available by default to the user, and you cannot remove it until you remove the user from that group.

 

Thanks

Himanshu Jain


Community Advisor

@Himanshu_Jain - Thanks for the response.

 

For Point 1 - Every user group is assigned to one of the product profile.

I read the below note saying currently you cannot assign groups to product profiles.

[Image: Rohan_Garg_0-1686914646181.png]

This however does not seem to be true then. Correct?
If I am able to assign product profiles to groups then assigning groups to product profiles should also be similar.

I understand that, similar to AEM, the user should not be given permission individually but rather as part of the group. But the note above caused this confusion in my understanding.
