Expand my Community achievements bar.

Radically easy to access on brand approved content for distribution and omnichannel performant delivery. AEM Assets Content Hub and Dynamic Media with OpenAPI capabilities is now GA.
Learn More
SOLVED

AEMaaCS - IMS Groups and Users - Same Product Profile

Avatar

Community Advisor
Community Advisor
6/15/23 11:20:35 AM

Hi AEM Community,

 

I am a little confused in IMS Users and IMS Groups w.r.t IMS Product Profiles.

 

Scenario -

I have added an IMS User to AEM Users Product Profile.

This IMS User is also assigned to an IMS Group.

 

As per Adobe IMS User Groups Video (https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/accessing/adobe-ims-u...)

IMS User Groups cannot be assigned to AEM Product Profiles.

 

However, I was able to assign AEM Users Product Profile to the IMS Group without getting any error/warning displayed.

(Ideally this should be blocked or some warning message should be displayed!)

 

This poses the below query -

If I go ahead and remove the AEM Users Product Profile for the IMS User without removing it for the IMS Group.

Will the IMS User be able to access the AEM instance?

@arunpatidar@kautuk_sahni@Himanshu_Jain , @Jagadeesh_Prakash 

 

Thanks,

Rohan Garg

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

Experience Manager as a Cloud Service Experience Manager Cloud Manager User and Groups

Views

741

Replies

5
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
6/19/23 5:32:17 AM

Hi All, 

 

Thank you for your responses! Here's the explanation I think is valid - 

1. From Product Profiles Console, you can add IMS Users but not IMS Groups.

2. From IMS Users & Groups console, you can only assign/remove groups & products. You cannot assign/remove product profiles.

 

There is a clear separation of concern here.

If User A has access to Instance 1's AEM Administrators profile & If User A is part of Group X which has been further assigned Instance 1's AEM Users profile then both will run in parallel.

If we see User A's profiles under the instance - we will see 2 Product profiles - 1 Administrators profile and the other 1 AEM Users profile (sub texted by Assigned By X User Group)

View solution in original post

Views

649

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
5 Replies

Avatar

Employee Advisor
Employee Advisor
6/15/23 11:58:07 AM

Hi,

 

To address the confusion and ensure proper user access management I would  recommend following these steps:

  1. Remove the assignment of the AEM Users Product Profile from the IMS Group that you had assigned it to.

  2. Assign the AEM Users Product Profile directly to individual IMS Users instead of IMS Groups. This ensures better control and granularity over user access rights.

  3. Review and adjust the permissions and access configurations for both the IMS Users and IMS Groups to align with your desired access requirements.

  4. If necessary, create separate IMS Groups for specific access roles or permissions within AEM, and assign the relevant AEM Product Profiles to those IMS Groups.

By following to these steps, you can ensure that user access in AEM is properly managed, avoiding any conflicts or unexpected behaviors.

Views

739

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
6/16/23 4:33:40 AM
In response to ManviSharma

Thank you for your reply @ManviSharma! I have few queries on this - 

For Point 2 - Usually in AEM, we give permissions on group rather than individual user. Shouldn't the same principle apply on IMS?

For Point 4 - The IMS User Groups should be product agnostic ideally, reusable across multiple experience products. Won't creating separate IMS groups w.r.t AEM roles deviate from this practice?

Views

684

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
6/15/23 11:50:51 PM

Hi Rohan,

Following below my observations regarding the scenario you mentioned.

1.Every user group is assigned to one of the product profile . As soon you assign the user to that group user will be able to access that product .

Also you cannot remove that product profile from the user if user is assigned to that group , checkbox will be disabled.

 

For ex: You have a dev-author group and you assigned dev-author-general-user product profile as every AEM product consist 2 profiles general user & admin. As soon you added this group to the user this product profile will be available by default to the user and you cannot remove it until you removed the user from that group.

 

Thanks

 

 

 

 

Himanshu Jain

Views

692

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
6/16/23 4:28:59 AM
In response to Himanshu_Jain

@Himanshu_Jain - Thanks for the response.

 

For Point 1 - Every user group is assigned to one of the product profile.

I read the below note saying currently you cannot assign groups to product profiles.

Rohan_Garg_0-1686914646181.png

This however does not seem to be true then. Correct?
If I am able to assign product profiles to groups then assigning groups to product profiles should also be similar.

I understand that similar to AEM, The user should not be given permission individually but rather as part of the group. But the note above caused this confusion in my understanding.

Views

684

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Community Advisor
Community Advisor
6/19/23 5:32:17 AM

Hi All, 

 

Thank you for your responses! Here's the explanation I think is valid - 

1. From Product Profiles Console, you can add IMS Users but not IMS Groups.

2. From IMS Users & Groups console, you can only assign/remove groups & products. You cannot assign/remove product profiles.

 

There is a clear separation of concern here.

If User A has access to Instance 1's AEM Administrators profile & If User A is part of Group X which has been further assigned Instance 1's AEM Users profile then both will run in parallel.

If we see User A's profiles under the instance - we will see 2 Product profiles - 1 Administrators profile and the other 1 AEM Users profile (sub texted by Assigned By X User Group)

Views

650

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
AEMaaCS + dispatcher enabled_host: does anyone know what is this file? Solved

Views

100

Likes

0

Replies

2
AEM Assets bulk import with dropbox and onedrive Solved

Views

99

Likes

0

Replies

2
Timeout gateway error - 504 and connection is failing at the intermediate dispatcher server Solved

Views

97

Likes

0

Replies

4
What is a difference between Restarting the AEM from OSGi console and restarting it with remote server access SSH tool like Putty or Gitbash Solved

Views

128

Likes

0

Replies

2
How to disable DUO two factor Authentication for specific users

Views

61

Likes

0

Replies

1