Expand my Community achievements bar.

SOLVED

Storing user data in aem. Is it recommended?

Avatar

Level 3

Hello - I have a requirement where an application wants to store user profile data for an authenticated application. I am analyzing how compliant we are to store this info. 

 

Volume of Data 

Users - 50,000

User Type - Health care professional. 

User Data - May contain information such as HCP Medical number, medical license number etc. which might be available to public some where but should not be available from our systems. 

Fields per user - 20

Possible JCR queries to retrieve data while user accessing application: 5 - 20 

 

When we proposed external database to store this user profile information considering few issues with JCR such as below, I was challenged "why not JCR" when AEM has the capability to store information. 

1. Data security. How secure the data in AEM as compared to an external database. 

2. Number of queries might slow down the system.

3. Scalability of AEM is costly if application needs system infrastructure to be upgraded due to number of users and JCR queries.  

 

Any guidance and adobe's recommendation would be helpful. 

 

 

 

 

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Hi @perfecci0nista 

 

As you have mentioned you can store the user data on AEM as nodes and add the fields as property, but you will need to consider few items before you finalize the approach:

  1. You will be storing HCP information along with PII details.
  2. Ensure your organization has the correct data security policy in place and check the data retention policy.
  3. What is the architecture you have in place, i.e. how many publish instances will be there? If it's 1:1 mapping with 1 publish and 1 dispatcher it will be easier to maintain the data whereas if it's multiple publish insatnces you need to ensure the data is available across all the publish instances and all the instances are in sync. Sticky connection also will be required here during authentication.
  4. The number of queries that you have mentioned should not be an issue here in a large scale application.

We had similar requirement where we wanted to keep HCP information and handle the authentication mechanism and we preferred to use Third party API (OKTA) to manage and handle the data which will be pretty straight forward.

View solution in original post

7 Replies

Avatar

Correct answer by
Community Advisor

Hi @perfecci0nista 

 

As you have mentioned you can store the user data on AEM as nodes and add the fields as property, but you will need to consider few items before you finalize the approach:

  1. You will be storing HCP information along with PII details.
  2. Ensure your organization has the correct data security policy in place and check the data retention policy.
  3. What is the architecture you have in place, i.e. how many publish instances will be there? If it's 1:1 mapping with 1 publish and 1 dispatcher it will be easier to maintain the data whereas if it's multiple publish insatnces you need to ensure the data is available across all the publish instances and all the instances are in sync. Sticky connection also will be required here during authentication.
  4. The number of queries that you have mentioned should not be an issue here in a large scale application.

We had similar requirement where we wanted to keep HCP information and handle the authentication mechanism and we preferred to use Third party API (OKTA) to manage and handle the data which will be pretty straight forward.

Avatar

Level 3
My only worry points are storing 50000 users info and querying them time to time when the user logs in for personalization purpose. Is AEM JCR meant for storing such data or is it recommended to have the external DB to store that info. .

Avatar

Employee Advisor
I would recommend to store them outside.

Avatar

Level 3
Hi Jorg - are there any strong reasons for this recommendation. Little more direction would be helpful. Thank you

Avatar

Employee Advisor

The reasons for my recommendation is quite obvious: While you can store everything in AEM, i would like to avoid to store any sensitive data in there; one of the reasons is then AEM is security critical and and many AEM developers are not used to work under such constraints. Also AEM is not really helpful when you need to deal with such data, and it does not offer special protection or measures to help you here (for example it's very easy for code to use an admin session which can basically read all the data in the repository). So the governance and tests need to be much more stringent than in usual AEM projects.

 

Next, from an architectural point of view I would consolidate such sensitive data into a single place; in your case it sounds to me that you store a copy of that data in AEM, but its source is some different system (which provides the proper measures for protecting, auditing etc); so you would need to ensure consistency and also double the efforts to implement the proper security and compliance measures.

Avatar

Level 2

Technicalities aside - the simple answer is no. Do not store user data in AEM. Use integration that stores this data somewhere else.

Avatar

Level 3

Thank you for all your inputs. We have decided to explore the information received from external systems to be stored in browser session. Lets see how it goes.