How monitor the user activity in the Group in AEM author | Community
Skip to main content
S
Satish2info-1
Level 3
November 1, 2023
Solved

How monitor the user activity in the Group in AEM author

  • November 1, 2023
  • 3 replies
  • 2675 views

Hi Team,

 

I have a requirement from the business, Business has to remove the users which are not actively using the groups. Here is the requirement.

 

User belongs to Group A and Group B, If user not actively using one of the group then remove the user from that group. Programmatically i have achieved some portion when the user logins and what are the groups he belongs .

 

Could you please help , How we can identify which  group user using the  actively ?

 

Thank you, 

 

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by MarkusBullaAdobe

Hi @satish2info-1!

Let me reiterate on what I outlined in my responses:

 

When a user logs in to AEM, all his group memberships and according permissions are evaluated. There is no OOTB way to identify a "group that is not actively used". The requirement from your business stakeholders to identify "last log into specific group" is nothing that fits into the way AEM handles and evaluates group memberships of users. In AEM, a user does not log in to a specific group. He signs in to his account and all his group memberships are evaluated and applied automatically.
To find a solution to this you would first need to clearly specify the business and technical requirements: What do you understand by "group is not actively used"? By going into the requirement details, you will most like find that there is no sharp definition that can be applied.

 

The definition of a "group not actively used" will be hard to find. From an AEM perspective, all (nested) groups and permissions of a user account are evaluated when accessing the system. A couple of questions to answer for this:

  • Are different groups overlapping in terms of permissions?
    If yes: How would you identify to which group an access to the overlapping item/permission should be attributed? If there is a solution to this requirement at all highly depends on the structure of your groups and permissions.
  • How do you want to handle requests that per-default span across all permissions of a user? Example: A users searches for a keyword via universal search. The system will read through all items the user has access to (from all groups), independently from his current task being related to one or another group. Another example: A user opens the content tree view. He will be presented with all tenants/nodes/paths he has access to from all his groups. They will all be in the listing. How would you identify which of them he is "actively working" on and which ones are not related to his work?

As a conclusion, I don't see a feasible way to clearly identify which groups a user is "using actively" in an automated manner. Most ideas I can think of would be guessing on groups which would lead to blurry results and most probably false-positives. It would make life harder for content authors because you would most probably identify wrong groups to be removed, requiring users to justify/re-request their permissions.

You could think of a manual process involving additional steps for the content author. E. g. you could ask the user after login to log which groups/tenants he needs for the task he wants to work on. While this might be straight-forward for occasional users working on a single tasks, it will be much less useful for full-time content authors or power users handling a lot of different tasks (potentially for multiple groups) during their work day.

Another approach would be to provide different accounts to each user, each of them with only one group membership. Example: "userA_group1" and "userA_group2". However, this will make work much more tedious and inefficient for your content authors, especially for users regularly working on different tenants/groups during their day as they would need to switch accounts multiple times during their work days.

There are other approaches that involve large customizations of AEMs authentication and authorizations system requiring huge efforts that will clearly outnumber the benefits of the business requirement.

 

My recommendation is to drop the requirement of identifying "groups not actively used", at least from the AEM perspective because most probably there is no reliable way to achieve this. Instead handle group revocation as part of the organizations overall roles and rights management. Different organizations have different approaches to this. Some only grant roles for a defined period of time and if a users needs the role beyond that, he needs to re-apply for it. Others require their employees to actively review their own roles on a regular basis. IMO this should be handled outside of AEM.

 

 

Hope that helps!

3 replies

Shashi_Mulugu
Community Advisor
Shashi_MuluguCommunity Advisor
Community Advisor
November 1, 2023

@satish2info-1 how are the groups defined? Are they different paths with no common access paths/folders between them? I personally feel, finding inactive users from system based on their login patterns and archiving them is an option, but cleaning up groups maybe seeing for first time.. if access paths are completely different we can do something technically but may cause system slows for authors..

    S
    Satish2info-1Author
    Level 3
    November 1, 2023

    Hi @shashi_mulugu ,

    Thank you for your reply,
    All groups are defined under the home/groups/... , No specific or common paths are defined.
    "I personally feel, finding inactive users from system based on their login patterns and archiving them is an option" -- Please provide the option you are thinking.


    Thank you

      Shashi_Mulugu
      Community Advisor
      Shashi_MuluguCommunity Advisor
      Community Advisor
      November 2, 2023

      @satish2info-1 https://medium.com/tech-learnings/adobe-experience-manager-reporting-on-users-last-login-date-e2035021cb9e

      Please follow above well articulated post on how to get inactive users list based on login 

        MarkusBullaAdobe
        Adobe Employee
        MarkusBullaAdobeAdobe Employee
        Adobe Employee
        November 2, 2023

        Hi @satish2info-1!

        It's a common requirement to disable access for users that have been inactive (meaning: not logged in) for a certain period.

        A differentiation for different groups is a very special use case, though. This is not easily achievable and I would doubt that the business value would justify the required implementation efforts.

        Complexity starts with the requirement specification:

        How do you identify a certain "group" or "role" not being used by the content author? Oftentimes, group permissions are overlapping, making it very hard to identify an "unused" group. There are various actions in AEM where all existing permissions of a user are taken into account, e. g. when using the search functionality. Even if you are only working on a specific tenant where group A provides you with the according permissions, you would still get search results (or listings or other repository accesses) for all available groups, including B and C which you might not have been (actively) using/needing for a long time.

         

        Usually, similar requirements are handled on an organizational level. Larger organizations do have existing processes in place to manage and revoke permissions or roles that apply to all applications, not just AEM. Roles and group memberships are managed within their identity management system.

         

        I would recommend to refrain from implementing your outlined scenario inside of AEM.

         

        Hope that helps!

          kautuk_sahni
          Community Manager
          kautuk_sahniCommunity Manager
          Community Manager
          November 6, 2023

          @satish2info-1 Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.

          Kautuk Sahni
          S
          Satish2info-1Author
          Level 3
          November 7, 2023

          Hi @kautuk_sahni ,

          The suggestions not helpful, still I am looking for the solution. How we will identify which group user actively using. checking different solutions.

           

          Thank you 

            MarkusBullaAdobe
            Adobe Employee
            MarkusBullaAdobeAdobe EmployeeAccepted solution
            Adobe Employee
            November 7, 2023

            Hi @satish2info-1!

            Let me reiterate on what I outlined in my responses:

             

            When a user logs in to AEM, all his group memberships and according permissions are evaluated. There is no OOTB way to identify a "group that is not actively used". The requirement from your business stakeholders to identify "last log into specific group" is nothing that fits into the way AEM handles and evaluates group memberships of users. In AEM, a user does not log in to a specific group. He signs in to his account and all his group memberships are evaluated and applied automatically.
            To find a solution to this you would first need to clearly specify the business and technical requirements: What do you understand by "group is not actively used"? By going into the requirement details, you will most like find that there is no sharp definition that can be applied.

             

            The definition of a "group not actively used" will be hard to find. From an AEM perspective, all (nested) groups and permissions of a user account are evaluated when accessing the system. A couple of questions to answer for this:

            • Are different groups overlapping in terms of permissions?
              If yes: How would you identify to which group an access to the overlapping item/permission should be attributed? If there is a solution to this requirement at all highly depends on the structure of your groups and permissions.
            • How do you want to handle requests that per-default span across all permissions of a user? Example: A users searches for a keyword via universal search. The system will read through all items the user has access to (from all groups), independently from his current task being related to one or another group. Another example: A user opens the content tree view. He will be presented with all tenants/nodes/paths he has access to from all his groups. They will all be in the listing. How would you identify which of them he is "actively working" on and which ones are not related to his work?

            As a conclusion, I don't see a feasible way to clearly identify which groups a user is "using actively" in an automated manner. Most ideas I can think of would be guessing on groups which would lead to blurry results and most probably false-positives. It would make life harder for content authors because you would most probably identify wrong groups to be removed, requiring users to justify/re-request their permissions.

            You could think of a manual process involving additional steps for the content author. E. g. you could ask the user after login to log which groups/tenants he needs for the task he wants to work on. While this might be straight-forward for occasional users working on a single tasks, it will be much less useful for full-time content authors or power users handling a lot of different tasks (potentially for multiple groups) during their work day.

            Another approach would be to provide different accounts to each user, each of them with only one group membership. Example: "userA_group1" and "userA_group2". However, this will make work much more tedious and inefficient for your content authors, especially for users regularly working on different tenants/groups during their day as they would need to switch accounts multiple times during their work days.

            There are other approaches that involve large customizations of AEMs authentication and authorizations system requiring huge efforts that will clearly outnumber the benefits of the business requirement.

             

            My recommendation is to drop the requirement of identifying "groups not actively used", at least from the AEM perspective because most probably there is no reliable way to achieve this. Instead handle group revocation as part of the organizations overall roles and rights management. Different organizations have different approaches to this. Some only grant roles for a defined period of time and if a users needs the role beyond that, he needs to re-apply for it. Others require their employees to actively review their own roles on a regular basis. IMO this should be handled outside of AEM.

             

             

            Hope that helps!

              Terms & ConditionsAccessibility statement

              Loading footer...