Permissions and security
Control fine-grained access to configurations, folders, and resources in Document Authoring (DA) and AEM Edge Delivery Services.
The AEM Edge Delivery ecosystem of access control
There are four different areas where someone may want to place access control on their content:
- Ability to author content - This access control is handled by DA or Java-based AEM.
- Ability to preview content - This access control is handled by Edge Delivery Services.
- Ability to publish content - This access control is handled by Edge Delivery Services.
- Ability to view origin content - This access control is handled by Edge Delivery Services.
Understanding identities
DA and Edge Delivery have different identity requirements. Where DA uses Adobe Identity (IMS) to guarantee a seamless experience within Adobe Experience Cloud, Edge Delivery needs to support services outside Adobe like Microsoft SharePoint and Google Drive.
| Action | Supported identities | Handled by | Tool |
| Edit source content | IMS Org, IMS Group, email | DA Config | https://da.live/config |
| View source content | IMS Org, IMS Group, email | DA Config | https://da.live/config |
| Preview content | email, email wildcard, Edge Delivery group | Edge Delivery Config Service | https://tools.aem.live/tools/user-admin/index.html |
| Publish content | email, email wildcard, Edge Delivery group | Edge Delivery Config Service | https://tools.aem.live/tools/user-admin/index.html |
| View origin content | email, email wildcard, Edge Delivery group | Edge Delivery Config Service | https://tools.aem.live/tools/admin-edit/index.html |
Understanding organizations
Adobe Identity is a bit unique in that you can belong to multiple organizations. Think of it as being a consultant for two companies: your contract with one may expire while the other is still in place. IMS lets you state precisely which organization you are acting on behalf of at any given moment. Are you Alison Parker working on behalf of Geometrixx, or Alison Parker working on behalf of We.Retail?
A user may say, "I should have access to this content." and the answer is often, "Select the right organization in the profile menu."
Ability to preview, publish, and view Edge Delivery content
Please read the guide on aem.live: https://www.aem.live/docs/authentication-setup-authoring
Ability to author content
Introduction & concepts
DA provides a simple, yet powerful, way to organize and manage permissions to your authored content.
- Identity provider (IdP) - DA uses Adobe Identity (aka IMS). You will need an Adobe account (free) to access protected content. If you wish to bring your own identity provider, you can do this through built-in IMS integrations.
- Organization, groups, or email - You can use IMS organizations, IMS groups, or an IMS email address as the audiences for your content. While organizations and groups provide a central place to manage identity, if you do not have access to Adobe Admin Console, you can use email addresses directly in DA.
- Read, write, or none - To reduce confusion over fine-grained access control, DA provides simple read, write, and [ ] (empty / none) actions to help you better understand how your content creators are impacted.
- Folders, children, files, configs - You have the ability to finely tune what types of content people have access to.
- Sheet-based - Access and permissions are controlled through the config sheet for your organization. The syntax will feel familiar to anyone who has managed a metadata sheet for Edge Delivery Services.
Get your IMS Organization ID
Use Admin Console to get your IMS organization ID. This is the unique number before the @ symbol in the URL. You will also use Admin Console to create groups and add users.
Add the IMS Org ID and associated groups
In the permissions sheet of the DA organization config (https://da.live/config#/name-of-org/), add your paths, the organizations/groups they apply to, and the action each is allowed to take. Let's unpack what we've done line by line.
Permissions sheet
Note that we list our permissions in a sheet inside our organization config. We will use plain language to describe each row:
- Row 1 - This is a required header for your permission columns.
- Row 2 - I would like everyone in my organization to read the configs that apply to DA.
- Row 3 - I would like only people in my organization's da-admins group to write configs.
- Row 4 - I would like everyone in my organization to read all content in my org.
- Row 5 - I would like to grant the da-authors group the ability to write any content inside my org.
- Row 6 - I would like to grant everyone in my organization write access to the Geometrixx Outdoors drafts folder.
- Row 7 - I would like to grant da-visitors write access to the Geometrixx Gov drafts folder.
- Row 8 - I would like to grant da-blog-authors write access to the Geometrixx Blog folder.
Once entered, you can save the config with your permissions sheet. Below are our recommended permission sheets to get started with.
For projects that have an Adobe organization:
| path | groups | actions | comments |
| CONFIG | {{YOUR_ORG_ID}} | read | |
| CONFIG | {{YOUR_ORG_ID}}/admins | write | |
| / + ** | {{YOUR_ORG_ID}} | read | |
| / + ** | {{YOUR_ORG_ID}}/authors | write | |
| /your-site/drafts/** | {{YOUR_ORG_ID}} | write | |
For projects that only have email addresses (Adobe Identity accounts without an Adobe organization):
| path | groups | actions | comments |
| CONFIG | [email protected], [email protected] | write | |
| / + ** | [email protected], [email protected] | write | |
FAQ & tips
Below you will find answers to a few common questions as well as some additional resources.
- What if I do not have an IMS organization to manage groups? You can provide email addresses as a comma-separated list in place of a group.
- Help! I messed something up and cannot access my org, what do I do? Please reach out to us in your Adobe Support Slack, Teams, or Discord.
- Does this have anything to do with previewing and publishing permissions? No. This is only for who can view and edit authored content in DA. For preview and publish permissions, please see the Edge Delivery docs.
- I see read, write, and none. Is there a delete? Write implies both read and delete.
- What does "none" [_] do? In practice, this is a deny.
- My author keeps getting taken to a 404 page. Why? They do not have permission to access the content or the content simply doesn't exist. Items to check:
  - If they were recently added to a new group, have them log out and log back in again. This will refresh DA's knowledge of the groups they are in.
  - Double check your paths and children wildcards. It's possible you have something set for children, but not set for the root folder they want to access.
- Is there a way to use a more human-readable name for the organization? Unfortunately, not at the moment. In balancing performance, maintainability, and usability this is not currently an option. This is an area of interest for us in the future.
- Can I use multiple organizations in my permission sheet? Yes! They can even be on the same line in the groups column.
- I locked a specific file with none [_], but people can still see it in the browse view. Why? DA's permissions are not designed to prevent display of file or folder names directly inside a list. If you have extremely sensitive information, you are encouraged to stage your content in a fully locked sub-folder. Please rethink my-boss-sucks.html before you save it inside a readable folder.
- Do you support individual file locking? Yes, but it is implemented through the none pattern. File locking has proven to provide logistical authoring challenges when implemented in the past. We encourage you to use the none pattern, lean on versioning, preview permissions, and snapshots to accomplish the same goals as file locking.
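To make the rules in the permissions sheet and the FAQ above concrete, here is an added example, written for this page and not DA's own ACL code, that models them: a sheet is parsed into rules, an identity's effective actions on a path are computed (write implies read and delete, an empty action is a deny, and a comma-separated groups cell may mix org IDs, ORG_ID/group names and emails), and a lint pass flags the FAQ's "children wildcard set, root folder not set" mistake. The org ID, group names, emails and paths are constructed sample data. Two readings are assumptions rather than documented behaviour and are marked as such in the code: the page's `/ + **` shorthand is taken to mean two rows, `/` and `/**`, with `<folder>/**` covering descendants but not `<folder>` itself; and the most specific matching path decides, with an explicit none at that level denying.

```python
"""Illustrative model of the DA permissions-sheet rules described on this page.

Added example for this page, not DA's own ACL implementation. Anything marked
ASSUMPTION is a reading of the page, not documented behaviour. The org ID,
group names, emails and paths below are constructed sample data.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "path audiences action")

# Actions as the page defines them: write implies read and delete (FAQ);
# an empty actions cell is "none", which is a deny.
GRANTS = {"read": {"read"}, "write": {"read", "write", "delete"}, "none": set()}


def parse_sheet(rows):
    """Turn sheet rows (dicts keyed by the header: path, groups, actions) into Rules.

    The groups cell is a comma-separated list; each entry is an IMS org ID,
    an ORG_ID/group name, or an email address, and one row may mix several.
    """
    rules = []
    for row in rows:
        action = (row.get("actions") or "").strip().lower() or "none"
        if action not in GRANTS:
            raise ValueError(f"unknown action {action!r} on row {row['path']!r}")
        audiences = frozenset(a.strip().lower() for a in row["groups"].split(",") if a.strip())
        rules.append(Rule(row["path"].strip(), audiences, action))
    return rules


def _specificity(pattern, path):
    """Length of the matched prefix, or -1 when the pattern does not match path.

    CONFIG and plain paths match only themselves. "<folder>/**" matches every
    path strictly below <folder> (ASSUMPTION: the children wildcard does not
    cover <folder> itself, which is why the FAQ says to check the root folder).
    """
    if pattern.endswith("/**"):
        base = pattern[:-3] or "/"
        return len(base) if path != base and path.startswith(base.rstrip("/") + "/") else -1
    return len(pattern) if path == pattern else -1


def effective_actions(rules, path, audiences):
    """Actions an identity with these audiences (org IDs, groups, email) has on path.

    ASSUMPTION: the most specific matching pattern decides. Among rules at that
    specificity, an explicit none for one of the user's audiences denies,
    otherwise grants are unioned. No matching rule at all means no access.
    """
    best, granted, denied = -1, set(), False
    for rule in rules:
        if not rule.audiences & audiences:
            continue
        spec = _specificity(rule.path, path)
        if spec < 0:
            continue
        if spec > best:
            best, granted, denied = spec, set(), False
        if spec == best:
            denied = denied or rule.action == "none"
            granted |= GRANTS[rule.action]
    return set() if denied else granted


def lint(rules):
    """Flag the FAQ's common mistake: a children wildcard whose root folder is unreachable."""
    problems = []
    for rule in rules:
        if not rule.path.endswith("/**"):
            continue
        base = rule.path[:-3] or "/"
        covered = any(_specificity(other.path, base) >= 0 and other.audiences & rule.audiences
                      for other in rules)
        if not covered:
            problems.append(f"{rule.path}: children granted to {sorted(rule.audiences)} "
                            f"but {base} itself has no rule for them")
    return problems


ORG = "0123456789abcdef"  # constructed IMS org ID (the value before @ in the Admin Console URL)

# Constructed sheet following the page's recommended layout. The page's
# "/ + **" shorthand is read here as two rows, "/" and "/**" (ASSUMPTION).
SHEET = [
    {"path": "CONFIG", "groups": ORG, "actions": "read"},
    {"path": "CONFIG", "groups": f"{ORG}/admins", "actions": "write"},
    {"path": "/", "groups": ORG, "actions": "read"},
    {"path": "/**", "groups": ORG, "actions": "read"},
    {"path": "/", "groups": f"{ORG}/authors", "actions": "write"},
    {"path": "/**", "groups": f"{ORG}/authors", "actions": "write"},
    {"path": "/geometrixx/drafts/**", "groups": ORG, "actions": "write"},
    {"path": "/geometrixx/legal/salaries.html", "groups": ORG, "actions": ""},  # none: lock one file
    # Email-only audience (no IMS org); the root folder row is deliberately missing.
    {"path": "/partner-site/**", "groups": "freelancer@example.com, contractor@example.com",
     "actions": "write"},
]
RULES = parse_sheet(SHEET)

EMPLOYEE = {ORG, "employee@example.com"}
AUTHOR = {ORG, f"{ORG}/authors", "author@example.com"}
FREELANCER = {"freelancer@example.com"}

if __name__ == "__main__":
    for who, name in ((EMPLOYEE, "employee"), (AUTHOR, "author"), (FREELANCER, "freelancer")):
        for p in ("CONFIG", "/geometrixx/index.html", "/geometrixx/drafts/post.html",
                  "/geometrixx/legal/salaries.html", "/partner-site", "/partner-site/page.html"):
            print(f"{name:10} {p:32} {sorted(effective_actions(RULES, p, who))}")
    for problem in lint(RULES):
        print("LINT:", problem)
```

Running it shows the behaviours the FAQ describes: the salaries file locked with an empty action is denied even to the authors group, because the exact path is more specific than the `/**` write row; the freelancer can write pages under `/partner-site/` but gets nothing on `/partner-site` itself, which is exactly what the lint reports and what produces the 404 the FAQ mentions. Run the lint over your own sheet before saving the config, and remember that none of this hides file or folder names from the browse view.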
Developer reference
For more comprehensive documentation, please see our developer wiki regarding ACLs. You will find a thorough reference of all permission options available while also covering more complex use cases.