Hello - I have a requirement where an application wants to store user profile data for an authenticated application. I am analyzing how compliant we are to store this info.
Volume of Data
Users - 50,000
User Type - Health care professional.
User Data - May contain information such as HCP Medical number, medical license number etc. which might be available to public some where but should not be available from our systems.
Fields per user - 20
Possible JCR queries to retrieve data while user accessing application: 5 - 20
When we proposed external database to store this user profile information considering few issues with JCR such as below, I was challenged "why not JCR" when AEM has the capability to store information.
1. Data security. How secure the data in AEM as compared to an external database.
2. Number of queries might slow down the system.
3. Scalability of AEM is costly if application needs system infrastructure to be upgraded due to number of users and JCR queries.
Any guidance and adobe's recommendation would be helpful.
Solved! Go to Solution.
Views
Replies
Total Likes
As you have mentioned you can store the user data on AEM as nodes and add the fields as property, but you will need to consider few items before you finalize the approach:
We had similar requirement where we wanted to keep HCP information and handle the authentication mechanism and we preferred to use Third party API (OKTA) to manage and handle the data which will be pretty straight forward.
As you have mentioned you can store the user data on AEM as nodes and add the fields as property, but you will need to consider few items before you finalize the approach:
We had similar requirement where we wanted to keep HCP information and handle the authentication mechanism and we preferred to use Third party API (OKTA) to manage and handle the data which will be pretty straight forward.
Views
Replies
Total Likes
Views
Replies
Total Likes
The reasons for my recommendation is quite obvious: While you can store everything in AEM, i would like to avoid to store any sensitive data in there; one of the reasons is then AEM is security critical and and many AEM developers are not used to work under such constraints. Also AEM is not really helpful when you need to deal with such data, and it does not offer special protection or measures to help you here (for example it's very easy for code to use an admin session which can basically read all the data in the repository). So the governance and tests need to be much more stringent than in usual AEM projects.
Next, from an architectural point of view I would consolidate such sensitive data into a single place; in your case it sounds to me that you store a copy of that data in AEM, but its source is some different system (which provides the proper measures for protecting, auditing etc); so you would need to ensure consistency and also double the efforts to implement the proper security and compliance measures.
Technicalities aside - the simple answer is no. Do not store user data in AEM. Use integration that stores this data somewhere else.
Views
Replies
Total Likes
Thank you for all your inputs. We have decided to explore the information received from external systems to be stored in browser session. Lets see how it goes.
Views
Replies
Total Likes