Expand my Community achievements bar.

Enhance your AEM Assets & Boost Your Development: [AEM Gems | June 19, 2024] Improving the Developer Experience with New APIs and Events
SOLVED

How monitor the user activity in the Group in AEM author

Avatar

Level 3

Hi Team,

 

I have a requirement from the business, Business has to remove the users which are not actively using the groups. Here is the requirement.

 

User belongs to Group A and Group B, If user not actively using one of the group then remove the user from that group. Programmatically i have achieved some portion when the user logins and what are the groups he belongs .

 

Could you please help , How we can identify which  group user using the  actively ?

 

Thank you, 

 

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

Hi @Satish2info!

Let me reiterate on what I outlined in my responses:

 

When a user logs in to AEM, all his group memberships and according permissions are evaluated. There is no OOTB way to identify a "group that is not actively used". The requirement from your business stakeholders to identify "last log into specific group" is nothing that fits into the way AEM handles and evaluates group memberships of users. In AEM, a user does not log in to a specific group. He signs in to his account and all his group memberships are evaluated and applied automatically.
To find a solution to this you would first need to clearly specify the business and technical requirements: What do you understand by "group is not actively used"? By going into the requirement details, you will most like find that there is no sharp definition that can be applied.

 

The definition of a "group not actively used" will be hard to find. From an AEM perspective, all (nested) groups and permissions of a user account are evaluated when accessing the system. A couple of questions to answer for this:

  • Are different groups overlapping in terms of permissions?
    If yes: How would you identify to which group an access to the overlapping item/permission should be attributed? If there is a solution to this requirement at all highly depends on the structure of your groups and permissions.
  • How do you want to handle requests that per-default span across all permissions of a user? Example: A users searches for a keyword via universal search. The system will read through all items the user has access to (from all groups), independently from his current task being related to one or another group. Another example: A user opens the content tree view. He will be presented with all tenants/nodes/paths he has access to from all his groups. They will all be in the listing. How would you identify which of them he is "actively working" on and which ones are not related to his work?

As a conclusion, I don't see a feasible way to clearly identify which groups a user is "using actively" in an automated manner. Most ideas I can think of would be guessing on groups which would lead to blurry results and most probably false-positives. It would make life harder for content authors because you would most probably identify wrong groups to be removed, requiring users to justify/re-request their permissions.

You could think of a manual process involving additional steps for the content author. E. g. you could ask the user after login to log which groups/tenants he needs for the task he wants to work on. While this might be straight-forward for occasional users working on a single tasks, it will be much less useful for full-time content authors or power users handling a lot of different tasks (potentially for multiple groups) during their work day.

Another approach would be to provide different accounts to each user, each of them with only one group membership. Example: "userA_group1" and "userA_group2". However, this will make work much more tedious and inefficient for your content authors, especially for users regularly working on different tenants/groups during their day as they would need to switch accounts multiple times during their work days.

There are other approaches that involve large customizations of AEMs authentication and authorizations system requiring huge efforts that will clearly outnumber the benefits of the business requirement.

 

My recommendation is to drop the requirement of identifying "groups not actively used", at least from the AEM perspective because most probably there is no reliable way to achieve this. Instead handle group revocation as part of the organizations overall roles and rights management. Different organizations have different approaches to this. Some only grant roles for a defined period of time and if a users needs the role beyond that, he needs to re-apply for it. Others require their employees to actively review their own roles on a regular basis. IMO this should be handled outside of AEM.

 

 

Hope that helps!

View solution in original post

10 Replies

Avatar

Community Advisor

@Satish2info how are the groups defined? Are they different paths with no common access paths/folders between them? I personally feel, finding inactive users from system based on their login patterns and archiving them is an option, but cleaning up groups maybe seeing for first time.. if access paths are completely different we can do something technically but may cause system slows for authors..

Avatar

Level 3

Hi @Shashi_Mulugu ,

Thank you for your reply,
All groups are defined under the home/groups/... , No specific or common paths are defined.
"I personally feel, finding inactive users from system based on their login patterns and archiving them is an option" -- Please provide the option you are thinking.


Thank you

Avatar

Level 3

Hi @Shashi_Mulugu ,

I have already implemented the inactive user list and presented it to the business. But here they need a more detailed report.

like "last log into specific group information along with last authored information"

 

Is there any way we can achieve this programmatically?

 

Thank you,  

 

 

Avatar

Employee Advisor

Hi @Satish2info!

 

"Last log into specific group" does imply that your users do have different accounts inside of AEM based on their role. Is this statement correct? Do you have accounts such as "userA_marketing_APAC" and "userA_marketing_EMEA" or a similar pattern?

The common setup in AEM would be to have a user "userA" who is member of the groups "marketing_APAC" and "marketing_EMEA". In this case, it would be (almost) impossible to differentiate if the user has logged in based on his APAC or EMEA role.

 

If you need to collect additional information on the activities of your users, please check out Audit Logs of AEM. You might also want to have a look at the Audit Log Search tool from ACS AEM Commons.

 

Hope that helps!

Avatar

Level 3

Hi @markus_bulla_adobe ,

Here, I mean to say. user has actively used the group. Business is looking for the solution. 

"User belongs to Group A and Group B, if user not actively using one of the groups, then remove the user from that particular group. "

 

I have already explored the above suggested articles.

 

Thank you for your reply.

Avatar

Employee Advisor

Hi @Satish2info!

It's a common requirement to disable access for users that have been inactive (meaning: not logged in) for a certain period.

A differentiation for different groups is a very special use case, though. This is not easily achievable and I would doubt that the business value would justify the required implementation efforts.

Complexity starts with the requirement specification:

How do you identify a certain "group" or "role" not being used by the content author? Oftentimes, group permissions are overlapping, making it very hard to identify an "unused" group. There are various actions in AEM where all existing permissions of a user are taken into account, e. g. when using the search functionality. Even if you are only working on a specific tenant where group A provides you with the according permissions, you would still get search results (or listings or other repository accesses) for all available groups, including B and C which you might not have been (actively) using/needing for a long time.

 

Usually, similar requirements are handled on an organizational level. Larger organizations do have existing processes in place to manage and revoke permissions or roles that apply to all applications, not just AEM. Roles and group memberships are managed within their identity management system.

 

I would recommend to refrain from implementing your outlined scenario inside of AEM.

 

Hope that helps!

Avatar

Administrator

@Satish2info Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.



Kautuk Sahni

Avatar

Level 3

Hi @kautuk_sahni ,

The suggestions not helpful, still I am looking for the solution. How we will identify which group user actively using. checking different solutions.

 

Thank you 

Avatar

Correct answer by
Employee Advisor

Hi @Satish2info!

Let me reiterate on what I outlined in my responses:

 

When a user logs in to AEM, all his group memberships and according permissions are evaluated. There is no OOTB way to identify a "group that is not actively used". The requirement from your business stakeholders to identify "last log into specific group" is nothing that fits into the way AEM handles and evaluates group memberships of users. In AEM, a user does not log in to a specific group. He signs in to his account and all his group memberships are evaluated and applied automatically.
To find a solution to this you would first need to clearly specify the business and technical requirements: What do you understand by "group is not actively used"? By going into the requirement details, you will most like find that there is no sharp definition that can be applied.

 

The definition of a "group not actively used" will be hard to find. From an AEM perspective, all (nested) groups and permissions of a user account are evaluated when accessing the system. A couple of questions to answer for this:

  • Are different groups overlapping in terms of permissions?
    If yes: How would you identify to which group an access to the overlapping item/permission should be attributed? If there is a solution to this requirement at all highly depends on the structure of your groups and permissions.
  • How do you want to handle requests that per-default span across all permissions of a user? Example: A users searches for a keyword via universal search. The system will read through all items the user has access to (from all groups), independently from his current task being related to one or another group. Another example: A user opens the content tree view. He will be presented with all tenants/nodes/paths he has access to from all his groups. They will all be in the listing. How would you identify which of them he is "actively working" on and which ones are not related to his work?

As a conclusion, I don't see a feasible way to clearly identify which groups a user is "using actively" in an automated manner. Most ideas I can think of would be guessing on groups which would lead to blurry results and most probably false-positives. It would make life harder for content authors because you would most probably identify wrong groups to be removed, requiring users to justify/re-request their permissions.

You could think of a manual process involving additional steps for the content author. E. g. you could ask the user after login to log which groups/tenants he needs for the task he wants to work on. While this might be straight-forward for occasional users working on a single tasks, it will be much less useful for full-time content authors or power users handling a lot of different tasks (potentially for multiple groups) during their work day.

Another approach would be to provide different accounts to each user, each of them with only one group membership. Example: "userA_group1" and "userA_group2". However, this will make work much more tedious and inefficient for your content authors, especially for users regularly working on different tenants/groups during their day as they would need to switch accounts multiple times during their work days.

There are other approaches that involve large customizations of AEMs authentication and authorizations system requiring huge efforts that will clearly outnumber the benefits of the business requirement.

 

My recommendation is to drop the requirement of identifying "groups not actively used", at least from the AEM perspective because most probably there is no reliable way to achieve this. Instead handle group revocation as part of the organizations overall roles and rights management. Different organizations have different approaches to this. Some only grant roles for a defined period of time and if a users needs the role beyond that, he needs to re-apply for it. Others require their employees to actively review their own roles on a regular basis. IMO this should be handled outside of AEM.

 

 

Hope that helps!