Adobe Experience Manager Sites & More

anupampat · 1/23/25

Hi All,

If I have 2 technical accounts say A & B to integrate with a third party application and I have to restrict their permissions to upload an asset to specific path, I usually create an AEM group via yaml file say test_group and add the technical accounts as its member, heres the scenario :

Technical Account A - created and was not added to this group, when I go to Users in AEM cloud, I can see the technical service account without it being a member of test_group.

Account B - created and was added to the test_group, all works fine. I can upload an asset, create folders etc.

Later I added Account A to the test_group but it still can not create a folder and gives a 200 response instead of 201

Ps - I generated the Bearer token for both accounts and hit the Asset API via Postman

How much time does it take for the sync to happen, it was already 16-24 hours since I added the Technical account to the group? Is there a way to help AEM sync the permissions or an alternate route without using a new Technical/Service account?

Regards,

Anupam Patra

sarav_prakash · 1/23/25

@anupampat , I run into same issue sometimes. Solution is to DELETE the user at AEM, and allow to federate once again.

When a federated user is created from ims, the groups assigned at adminconsole is added and its permission are applied
when groups are modified at adminconsole, they dont automatically reflect at AEM. the old user permissions only continue to serve.
the user needs to deleted at aem.
when the same user is recreated, then new group assignments from adminconsole is fetched and applied.

So, delete your technical user. Test the api, when the user gets recreated, gruops will get applied.

View solution in original post

AmitVishwakarma · 1/23/25

It looks like Account A isn't picking up the permissions even after being added to the group. Here’s what you can try:

1. Sync Delay: It might take more time for the changes to show up, especially in the cloud. Try clearing the cache or logging out and back in.
2. Check Group Membership: Make sure Account A is properly added to the group and that the group has the correct permissions.

3. Force Sync: If you can, try refreshing the permissions manually or triggering a sync in AEM.
4. API Response: The 200 response means the request is being accepted, but permissions might be missing. Check the response for more details.
5. Admin Permissions: As a test, add Account A to an admin group to see if the issue is related to missing permissions.

Hope this helps!

sarav_prakash · 1/23/25

@anupampat , I run into same issue sometimes. Solution is to DELETE the user at AEM, and allow to federate once again.

When a federated user is created from ims, the groups assigned at adminconsole is added and its permission are applied
when groups are modified at adminconsole, they dont automatically reflect at AEM. the old user permissions only continue to serve.
the user needs to deleted at aem.
when the same user is recreated, then new group assignments from adminconsole is fetched and applied.

So, delete your technical user. Test the api, when the user gets recreated, gruops will get applied.

Adobe Experience Manager Sites & More

Technical Service Account

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe