Permissions and security
Control fine-grained access to configurations, folders, and resources in Document Authoring (DA).
Introduction & concepts
DA provides a simple, yet powerful, way to organize and manage permissions to your authored content.
- Identity provider (IdP) - DA uses Adobe Identity (aka IMS). You will need an Adobe account (free) to access protected content. If you wish to bring your own identity provider, you can do this through built-in IMS integrations.
- Organization, groups, or email - You can use IMS organizations, IMS groups, or an IMS email address as the audiences for your content. While organizations and groups provide a central place to manage identity, if you do not have access to Adobe Admin Console, you can use email addresses directly in DA.
- Read, write, or none - To reduce confusion over fine-grained access control, DA provides simple read, write, and none actions to help you better understand how your content creators are impacted.
- Folders, children, files, configs - You have the ability to finely tune what types of content people have access to.
- Sheet-based - Access and permissions are controlled through the config sheet for your organization. The syntax will feel familiar to anyone who has managed a metadata sheet for Edge Delivery Services.
Get your IMS Organization ID
Use Admin Console to get your IMS organization ID. This is the unique number before the @ symbol in the URL. You will also use Admin Console to create groups and add users.
Add the IMS Org ID and associated groups
In the permissions sheet of the DA organization config (https://da.live/config#/name-of-org/), add your paths, organization/groups, and the action each is allowed to take. Let's unpack what we've done line by line.
Permissions sheet
Note that we list our permissions in a sheet inside our organization config. We will use plain language to describe each row:
- Row 1 - This is a required header for your permission columns.
- Row 2 - I would like everyone in my organization to read the configs that apply to DA.
- Row 3 - I would like only people in my organization's da-admins group to write configs.
- Row 4 - I would like everyone in my organization to read all content in my org.
- Row 5 - I would like to grant the da-authors group the ability to write any content inside my org.
- Row 6 - I would like to grant everyone in my organization write access to the Geometrixx Outdoors drafts folder.
- Row 7 - I would like to grant da-visitors write access to the Geometrixx Gov drafts folder.
- Row 8 - I would like to grant da-blog-authors write access to the Geometrixx Blog folder.
Once entered, you can save the config with your permissions sheet. Below are our recommended permission sheets to get started with.

Projects that have an Adobe Organization:

| Path | Groups | Action |
| --- | --- | --- |
| CONFIG | {{YOUR_ORG_ID}} | read |
| CONFIG | {{YOUR_ORG_ID}}/admins | write |
| / + ** | {{YOUR_ORG_ID}} | read |
| / + ** | {{YOUR_ORG_ID}}/authors | write |
| /your-site/drafts/** | {{YOUR_ORG_ID}} | write |

For projects that only have email / Adobe Identity:

| Path | Groups | Action |
| --- | --- | --- |
| CONFIG | [email protected], [email protected] | write |
| / + ** | [email protected], [email protected] | write |
FAQ & tips
Below you will find answers to a few common questions as well as some additional resources.
- What if I do not have an IMS organization to manage groups? You can provide email addresses as a comma-separated list in place of a group.
- Help! I messed something up and cannot access my org, what do I do? Please reach out to us in your Adobe Support Slack, Teams, or Discord.
- Does this have anything to do with previewing and publishing permissions? No. This is only for who can view and edit authored content in DA. For preview and publish permissions, please see the Edge Delivery docs.
- I see read, write, and none. Is there a delete? Write implies both read and delete.
- What does "none" do? In practice, this is a deny.
- My author keeps getting taken to a 404 page. Why? They do not have permission to access the content or the content simply doesn't exist. Items to check:
  - If they were recently added to a new group, have them log out and log back in again. This will refresh DA's knowledge of the groups they are in.
  - Double-check your paths and children wildcards. It's possible you have something set for children, but not set for the root folder they want to access.
- Is there a way to use a more human-readable name for the organization? Unfortunately, not at the moment. In balancing performance, maintainability, and usability this is not currently an option. This is an area of interest for us in the future.
- Can I use multiple organizations in my permission sheet? Yes! They can even be on the same line in the groups.
- I locked a specific file with none, but people can still see it in the browse view. Why? DA's permissions are not designed to prevent display of file or folder names directly inside a list. If you have extremely sensitive information, you are encouraged to stage your content in a fully locked sub-folder. Please rethink: my-boss-sucks.html before you save it inside a readable folder.
- Do you support individual file locking? Yes, but it is implemented through the none pattern. File locking has proven to provide logistical authoring challenges when implemented in the past. We encourage you to use the none pattern, lean on versioning, preview permissions, and snapshots to accomplish the same goals as file locking.
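To make the sheet semantics above concrete (read/write/none actions, org, group and email audiences, `/ + **` versus `/**` paths) and to show the "set for children but not for the root folder" pitfall from the 404 FAQ item, here is an added reference model written for this page. It is not DA's own evaluator: the resolution order it uses (the most specific matching path wins, and a none row at that level denies even if another row grants) is an assumption, and the org id, email addresses and folder names are constructed placeholders. What the page does state is modelled directly: write implies read and delete, none is a deny, and `/x/**` covers children without covering `/x` itself.

```python
"""Reference model of a DA-style permissions sheet (added example, not DA's code).

Assumed, not stated by the page: the most specific matching path wins, and a
'none' row at that level denies even when another row at that level grants.
"""
from dataclasses import dataclass

# From the page: write implies read and delete; none is a deny.
IMPLIED = {"read": {"read"}, "write": {"read", "write", "delete"}, "none": set()}


@dataclass(frozen=True)
class Rule:
    path: str             # "CONFIG", "/ + **", "/site/drafts/**", or an exact path
    audiences: frozenset  # org ids, "orgid/group", or emails, all lower-cased
    action: str           # read | write | none


@dataclass(frozen=True)
class Principal:
    email: str
    orgs: frozenset = frozenset()    # IMS org ids the user belongs to
    groups: frozenset = frozenset()  # "orgid/groupname" memberships

    def in_audience(self, audiences):
        mine = {self.email.lower(), *(o.lower() for o in self.orgs),
                *(g.lower() for g in self.groups)}
        return bool(mine & audiences)


def load_sheet(rows):
    """Rows are (path, groups, action) tuples; groups is a comma-separated list."""
    rules = []
    for path, groups, action in rows:
        action = action.strip().lower()
        if action not in IMPLIED:
            raise ValueError(f"unknown action {action!r} for {path!r}")
        auds = frozenset(a.strip().lower() for a in groups.split(",") if a.strip())
        rules.append(Rule(path.strip(), auds, action))
    return rules


def _norm(p):
    p = p.strip()
    return "/" if p in ("", "/") else p.rstrip("/")


def _segs(p):
    return [] if p == "/" else p.strip("/").split("/")


def _parse_pattern(pattern):
    """Return (base, covers_base_itself, covers_children)."""
    if pattern == "CONFIG":
        return "CONFIG", True, False
    if pattern.endswith(" + **"):          # the folder and everything below it
        return _norm(pattern[:-5]), True, True
    if pattern.endswith("/**"):            # children only, not the folder itself
        return _norm(pattern[:-3]), False, True
    return _norm(pattern), True, False     # exact path


def _match(pattern, target):
    """Specificity (segment count of the base) if pattern covers target, else None."""
    base, self_ok, children_ok = _parse_pattern(pattern)
    if base == "CONFIG" or target == "CONFIG":
        return 0 if base == target else None
    b, t = _segs(base), _segs(target)
    if t == b:
        return len(b) if self_ok else None
    if children_ok and t[:len(b)] == b:
        return len(b)
    return None


def effective_actions(rules, principal, target):
    """Set of actions the principal may perform on target (empty set = denied)."""
    target = target if target == "CONFIG" else _norm(target)
    matched = {}  # specificity -> actions of rows that matched at that level
    for r in rules:
        if not principal.in_audience(r.audiences):
            continue
        spec = _match(r.path, target)
        if spec is not None:
            matched.setdefault(spec, []).append(r.action)
    if not matched:
        return set()
    winning = matched[max(matched)]
    if "none" in winning:                  # assumed: deny overrides at the same level
        return set()
    return set().union(*(IMPLIED[a] for a in winning))


def children_without_root(rules):
    """Folders covered only by a '/**' row while no row covers the folder itself.

    This is the FAQ pitfall: the children are accessible, but the folder the
    author navigates to first is not, so they land on a 404.
    """
    missing = []
    for r in rules:
        base, self_ok, children_ok = _parse_pattern(r.path)
        if children_ok and not self_ok:
            if not any(_match(o.path, base) is not None for o in rules):
                missing.append(base)
    return sorted(set(missing))


# Constructed sample data mirroring the recommended sheet above.
ORG = "1234567890ABCDEF"  # placeholder for the number before the @ in an IMS org id
SHEET = load_sheet([
    ("CONFIG", ORG, "read"),
    ("CONFIG", f"{ORG}/admins", "write"),
    ("/ + **", ORG, "read"),
    ("/ + **", f"{ORG}/authors", "write"),
    ("/your-site/drafts/**", ORG, "write"),
])
LOCKED = SHEET + load_sheet([("/your-site/drafts/secret", ORG, "none")])

MEMBER = Principal("member@example.com", frozenset({ORG}))
AUTHOR = Principal("author@example.com", frozenset({ORG}), frozenset({f"{ORG}/authors"}))
ADMIN = Principal("admin@example.com", frozenset({ORG}), frozenset({f"{ORG}/admins"}))
GUEST = Principal("guest@example.com")

if __name__ == "__main__":
    checks = [(MEMBER, "/your-site/index"), (MEMBER, "/your-site/drafts"),
              (MEMBER, "/your-site/drafts/post"), (MEMBER, "/your-site/drafts/secret"),
              (AUTHOR, "/your-site/index"), (ADMIN, "CONFIG"), (GUEST, "/your-site/index")]
    for who, path in checks:
        print(who.email, path, sorted(effective_actions(LOCKED, who, path)))
    print("children-only folders:",
          children_without_root(load_sheet([("/your-site/drafts/**", ORG, "write")])))
```

Two things worth noticing when you run it: a plain org member gets only read on `/your-site/drafts` itself but write below it, because `/your-site/drafts/**` does not cover the folder; and `children_without_root` reports a sheet that has only that `/**` row and no root row, which is the configuration the 404 FAQ item asks you to double-check.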
Developer documentation
For more comprehensive documentation, please see our developer wiki regarding ACLs.
You will find a much more thorough walkthrough of all permission options available while also covering more complex use cases.