Hi @Satish2info!
Let me reiterate on what I outlined in my responses:
When a user logs in to AEM, all his group memberships and according permissions are evaluated. There is no OOTB way to identify a "group that is not actively used". The requirement from your business stakeholders to identify "last log into specific group" is nothing that fits into the way AEM handles and evaluates group memberships of users. In AEM, a user does not log in to a specific group. He signs in to his account and all his group memberships are evaluated and applied automatically.
To find a solution to this you would first need to clearly specify the business and technical requirements: What do you understand by "group is not actively used"? By going into the requirement details, you will most like find that there is no sharp definition that can be applied.
The definition of a "group not actively used" will be hard to find. From an AEM perspective, all (nested) groups and permissions of a user account are evaluated when accessing the system. A couple of questions to answer for this:
- Are different groups overlapping in terms of permissions?
If yes: How would you identify to which group an access to the overlapping item/permission should be attributed? If there is a solution to this requirement at all highly depends on the structure of your groups and permissions. - How do you want to handle requests that per-default span across all permissions of a user? Example: A users searches for a keyword via universal search. The system will read through all items the user has access to (from all groups), independently from his current task being related to one or another group. Another example: A user opens the content tree view. He will be presented with all tenants/nodes/paths he has access to from all his groups. They will all be in the listing. How would you identify which of them he is "actively working" on and which ones are not related to his work?
As a conclusion, I don't see a feasible way to clearly identify which groups a user is "using actively" in an automated manner. Most ideas I can think of would be guessing on groups which would lead to blurry results and most probably false-positives. It would make life harder for content authors because you would most probably identify wrong groups to be removed, requiring users to justify/re-request their permissions.
You could think of a manual process involving additional steps for the content author. E. g. you could ask the user after login to log which groups/tenants he needs for the task he wants to work on. While this might be straight-forward for occasional users working on a single tasks, it will be much less useful for full-time content authors or power users handling a lot of different tasks (potentially for multiple groups) during their work day.
Another approach would be to provide different accounts to each user, each of them with only one group membership. Example: "userA_group1" and "userA_group2". However, this will make work much more tedious and inefficient for your content authors, especially for users regularly working on different tenants/groups during their day as they would need to switch accounts multiple times during their work days.
There are other approaches that involve large customizations of AEMs authentication and authorizations system requiring huge efforts that will clearly outnumber the benefits of the business requirement.
My recommendation is to drop the requirement of identifying "groups not actively used", at least from the AEM perspective because most probably there is no reliable way to achieve this. Instead handle group revocation as part of the organizations overall roles and rights management. Different organizations have different approaches to this. Some only grant roles for a defined period of time and if a users needs the role beyond that, he needs to re-apply for it. Others require their employees to actively review their own roles on a regular basis. IMO this should be handled outside of AEM.
Hope that helps!
