Configuring access to AEM walk-through

An abridged walk-through of configuring Adobe IMS users, user groups and product profiles in the Adobe Admin Console, and of how to leverage these Adobe IMS abstractions in AEM Author to define and manage specific group-based permissions.

So let’s see what steps we need to take in AEM to set up custom permissions that flow through to our AEM users. For this, let’s configure AEM as a Cloud Service to give our organization’s editors access to AEM so they can manage our magazine-related assets.
Throughout this video, I’ll refer to users and groups defined in the Adobe Admin Console as IMS users and IMS groups (IMS standing for Adobe’s Identity Management System), and to users and groups defined in AEM as AEM users and AEM groups. Okay, so let’s start in the Adobe Admin Console. First let’s define the IMS group we want to use for editors. We’ll name this group editorial employees, to match how this group is managed in our company’s user directory.
Next we want to place our IMS user in this editorial employees IMS group. Typically this would be done via the Adobe User Sync tool, a bulk upload, or a seamless integration with a supported user directory. However, we’ll do it manually here.
Since the IMS group alone doesn’t provide any access to AEM, we’ll need to add its members to the AEM environment’s product profile. To find the proper product profiles, we’ll jump over to Cloud Manager, find the environment we’re trying to manage and tap Manage Access. This takes us directly to that environment’s AEM Author product instance, which lists the product profiles.
From here it’s easy to add our IMS user to the AEM Users product profile, which allows the user to log in to AEM with basic read-only permissions. Like IMS group membership, product profile membership is typically managed via a more automated process as well, but again, let’s do it manually here. We’ll then need an IMS user that is part of the IMS group to log in to AEM, which forces a sync of the new user group into AEM. We can have that user log in, or we could add ourselves temporarily to the group and log in. Either way, you’ll want this to happen before we begin configuring AEM, to ensure we’re configuring exactly the right group in AEM. I’ll perform a quick login to AEM behind the scenes to ensure that our IMS groups are synced.
Okay, now that the new editorial employees IMS group should have been synced to AEM Author, let’s log in to AEM Author with a user that is in the AEM Administrators product profile, which provides us with permissions to manage users, groups, and permissions in AEM. Once logged in to AEM with our administrator user, the first step is to define the various AEM groups we’ll need and understand what their members will need to do in AEM. Let’s create a magazine editors user group that should have write access only to the magazine folder, but read access to everything else. We do this via Tools, Security, Groups.
Create a new group and give it a semantically meaningful name. We can even indicate in the name whether this is an AEM group or a synced IMS group so we don’t get confused later. Next, we need to evaluate which AEM-provided, or out-of-the-box, AEM user groups exist that provide a good baseline of permissions for our use case. The out-of-the-box contributors group provides read access to AEM, and the AEM Users product profile automatically adds our users to this group, so we don’t have to explicitly add our user here. Since our magazine editors need access to parts of the DAM, let’s add them as members of the dam-users group to ensure they have access to all the features in AEM Assets.
Lastly, we want to ensure that our users can use workflow, which is provided by the out-of-the-box workflow-users group. The dam-users group happens to be a member of the workflow-users group, so we don’t have to explicitly add this group either. This means our AEM magazine editors group only needs to be a member of dam-users, along with a few custom permissions we’ll apply next. In order to restrict write access to only the magazine folder for this AEM group, we need to add some custom permissions, and to do this we head over to Tools, Security, Permissions. Before we permission the magazine editors AEM group, let’s look at the out-of-the-box dam-users group that we’re using as a base and identify the permissions we’ll want to override. In this case we want to remove the rep:write permission on /content/dam, which is the root of AEM Assets, and then reapply it lower down on the magazine folder. As noted before, dam-users provides a bunch of permissions required for AEM Assets to fully function. As you can imagine, it’s much better to leverage this as a baseline for AEM Assets and then tweak it as needed for each use case, rather than trying to recreate these permissions on every custom user group. AEM groups that need to do something similar for AEM Sites could follow the same pattern using the out-of-the-box authors group. Okay, let’s select our custom user group and apply the permissions. We add a new ACE denying write access to AEM Assets: select the path to apply it to, in this case /content/dam.
Select the privilege to deny, in this case rep:write, and then ensure Deny is selected. We can ignore the advanced restrictions below, but these provide a very fine level of permission granularity for advanced use cases.
Okay, let’s save this ACE and add one more. This one is going to allow write access to the magazine folder and everything beneath it. So, select the path to the magazine folder and select the privilege to allow, in this case rep:write, since we’re overriding the permission we set higher up the tree, and make sure Allow is selected. Once this ACE is added, we’re just about done. Now all we need to do is get our AEM users into this new AEM user group. To do this we’ll add the synced IMS groups that represent the organizational groups of users who need to act as magazine editors in AEM, and ensure that each synced group is a member of the AEM-only magazine editors group. In this case, we put our editors in an IMS group named editorial employees, so we can simply make the synced IMS group a member of the AEM magazine editors group.
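The same group, memberships and ACEs expressed as an Apache Sling repoinit script, which is how this configuration can be codified and deployed rather than clicked through. This is an added example, not from the video; the AEM group name magazine-editors, the synced IMS group name editorial-employees and the folder path /content/dam/magazine are assumptions.

```repoinit
# Added example (assumed names): codifies the walk-through's AEM-only group,
# its baseline membership and the two ACEs as a Sling repoinit script.
create group magazine-editors

# Baseline permissions: make the group a member of the out-of-the-box
# dam-users group (which in turn is a member of workflow-users).
add magazine-editors to group dam-users

# Route the synced IMS group into the AEM-only group. This assumes the IMS
# group has already been synced into AEM by a first login, as described above;
# repoinit cannot add a principal that does not exist yet.
add editorial-employees to group magazine-editors

# Revoke write at the AEM Assets root that dam-users grants, then re-allow it
# only on the magazine folder and everything beneath it.
set ACL for magazine-editors
    deny rep:write on /content/dam
    allow rep:write on /content/dam/magazine
end
```

On AEM as a Cloud Service the script is deployed as the `scripts` value of an `org.apache.sling.jcr.repoinit.RepositoryInitializer` OSGi factory configuration in the code base.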
Now any user who is part of the editorial employees IMS group, and is also a member of the AEM Author service’s AEM Users product profile, will be able to log in to this AEM Author with read-only access to AEM except for full access to the magazine assets folder.
So let’s try this out. I’ll log my administrator out of AEM Author, and then log back in to AEM Author using the IMS user we added to the editorial employees IMS group.
Okay. We’re on AEM as an editor now. So let’s head over to AEM assets.
Sure enough, we can still see asset tools like collections and shared links, since we still have read access. Drilling into files we can see the folders and assets, but notice there’s no Create button, nor do we have access to any destructive operations like delete, move, or edit, which makes sense because write access has been revoked except under the magazine folder. Let’s keep drilling in until we find the magazine folder. Once in the magazine folder, we have the usual Create button, which allows us to create folders, assets, or content fragments, and access to actions that write back to the repository under this folder. So, for example, I can create a new folder and upload a few assets.
We can go to the asset’s properties, update the title, save, and see that our changes persisted. So as you can see, our editor user has full write permissions under the magazine folder. Note that AEM groups can also be created for strictly AEM-specific organizational purposes; this is not entirely the domain of IMS groups. For instance, we can create AEM groups that define sets of users to be used in AEM workflow but don’t have any permissions attached to them.