Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

Storing user data in aem. Is it recommended?

Avatar

Level 3
Level 3
5/25/21 7:29:03 AM

Hello - I have a requirement where an application wants to store user profile data for an authenticated application. I am analyzing how compliant we are to store this info. 

 

Volume of Data 

Users - 50,000

User Type - Health care professional. 

User Data - May contain information such as HCP Medical number, medical license number etc. which might be available to public some where but should not be available from our systems. 

Fields per user - 20

Possible JCR queries to retrieve data while user accessing application: 5 - 20 

 

When we proposed external database to store this user profile information considering few issues with JCR such as below, I was challenged "why not JCR" when AEM has the capability to store information. 

1. Data security. How secure the data in AEM as compared to an external database. 

2. Number of queries might slow down the system.

3. Scalability of AEM is costly if application needs system infrastructure to be upgraded due to number of users and JCR queries.  

 

Any guidance and adobe's recommendation would be helpful. 

 

 

 

 

Views

2.6K

Replies

7
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
5/25/21 9:09:33 AM

Hi @perfecci0nista 

 

As you have mentioned you can store the user data on AEM as nodes and add the fields as property, but you will need to consider few items before you finalize the approach:

  1. You will be storing HCP information along with PII details.
  2. Ensure your organization has the correct data security policy in place and check the data retention policy.
  3. What is the architecture you have in place, i.e. how many publish instances will be there? If it's 1:1 mapping with 1 publish and 1 dispatcher it will be easier to maintain the data whereas if it's multiple publish insatnces you need to ensure the data is available across all the publish instances and all the instances are in sync. Sticky connection also will be required here during authentication.
  4. The number of queries that you have mentioned should not be an issue here in a large scale application.

We had similar requirement where we wanted to keep HCP information and handle the authentication mechanism and we preferred to use Third party API (OKTA) to manage and handle the data which will be pretty straight forward.

View solution in original post

Views

2.6K

Replies

4
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
7 Replies

Avatar

Correct answer by
Community Advisor
Community Advisor
5/25/21 9:09:33 AM

Hi @perfecci0nista 

 

As you have mentioned you can store the user data on AEM as nodes and add the fields as property, but you will need to consider few items before you finalize the approach:

  1. You will be storing HCP information along with PII details.
  2. Ensure your organization has the correct data security policy in place and check the data retention policy.
  3. What is the architecture you have in place, i.e. how many publish instances will be there? If it's 1:1 mapping with 1 publish and 1 dispatcher it will be easier to maintain the data whereas if it's multiple publish insatnces you need to ensure the data is available across all the publish instances and all the instances are in sync. Sticky connection also will be required here during authentication.
  4. The number of queries that you have mentioned should not be an issue here in a large scale application.

We had similar requirement where we wanted to keep HCP information and handle the authentication mechanism and we preferred to use Third party API (OKTA) to manage and handle the data which will be pretty straight forward.

Views

2.6K

Replies

4
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 3
Level 3
5/25/21 9:50:35 AM
In response to Asutosh_Jena_
My only worry points are storing 50000 users info and querying them time to time when the user logs in for personalization purpose. Is AEM JCR meant for storing such data or is it recommended to have the external DB to store that info. .

Views

2.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee Advisor
Employee Advisor
5/25/21 1:25:44 PM
In response to Asutosh_Jena_
I would recommend to store them outside.

Views

2.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
5/25/21 9:11:44 PM
In response to Asutosh_Jena_
Hi Jorg - are there any strong reasons for this recommendation. Little more direction would be helpful. Thank you

Views

2.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee Advisor
Employee Advisor
5/25/21 11:29:19 PM
In response to Asutosh_Jena_

The reasons for my recommendation is quite obvious: While you can store everything in AEM, i would like to avoid to store any sensitive data in there; one of the reasons is then AEM is security critical and and many AEM developers are not used to work under such constraints. Also AEM is not really helpful when you need to deal with such data, and it does not offer special protection or measures to help you here (for example it's very easy for code to use an admin session which can basically read all the data in the repository). So the governance and tests need to be much more stringent than in usual AEM projects.

 

Next, from an architectural point of view I would consolidate such sensitive data into a single place; in your case it sounds to me that you store a copy of that data in AEM, but its source is some different system (which provides the proper measures for protecting, auditing etc); so you would need to ensure consistency and also double the efforts to implement the proper security and compliance measures.

Views

2.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
5/26/21 2:27:50 AM

Technicalities aside - the simple answer is no. Do not store user data in AEM. Use integration that stores this data somewhere else.

Views

2.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
5/27/21 7:12:19 AM

Thank you for all your inputs. We have decided to explore the information received from external systems to be stored in browser session. Lets see how it goes. 

Views

2.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
How to store multiple Org IDs, Environment IDs, Program IDs locally for AIO Plugin Deployment?

Views

62

Likes

0

Replies

1
SEO Best Practices for Dyamic Pages in AEM

Views

66

Likes

0

Replies

2
What is the idea way to bring content from Publish to Author in AEMaaCS

Views

144

Likes

0

Replies

6
My custom servlet is not being called

Views

98

Likes

0

Replies

4
Missing vanityurls-components package in software distribution

Views

100

Likes

0

Replies

3