Permissions and security
Control fine-grained access to configurations, folders, and resources in Document Authoring (DA) and AEM Edge Delivery Services.
The AEM Edge Delivery ecosystem of access control
There are four different areas where someone may want to place access control on their content:
- Ability to author content - This access control is handled by DA or Java-based AEM.
- Ability to preview content - This access control is handled by Edge Delivery Services.
- Ability to publish content - This access control is handled by Edge Delivery Services.
- Ability to view content - This access control is handled by Edge Delivery Services.
Understanding identities
DA and Edge Delivery have different identity requirements. Where DA uses Adobe Identity to guarantee a seamless experience within Adobe Experience Cloud, Edge Delivery needs to support services outside Adobe like Microsoft SharePoint and Google Drive.
This difference can create confusion if you've worked with Edge Delivery in the past. When using Microsoft or Google as a content provider, users are identified by email address. When using DA and Edge Delivery together, users are identified by IMS userids.
A common pitfall
It's common for administrators to set up access control on their Edge Delivery site using email addresses. With this setup, authors receive "access denied" when trying to preview or publish from DA, because the Adobe Identity (IMS) token DA sends to Edge Delivery does not contain an email address. The resolution is to add the IMS userid to the desired area of access control (preview, publish, view). You can find your IMS userid either in Adobe Admin Console or in DA's profile menu:
- da.live > click top right profile menu
- profile menu > click name (copies userid to clipboard)
- paste into your Edge Delivery access control admin tool of choice
IMS userid-based access works everywhere: DA, Edge Delivery, Java-based AEM, and potentially other Experience Cloud services. Once you set up an IMS userid within Edge Delivery, you're set everywhere.
Email-based access only works within Edge Delivery (Sidekick and AEM Admin). You will not be able to use DA with an email-only setup.
Bound by organization
Adobe Identity is somewhat unique in that you can belong to multiple organizations. Think of it as being a consultant for two companies: your contract may expire with one while the other is still in place. Being able to state granularly which organization you are doing work for is a feature of IMS. Are you Alison Parker working on behalf of Geometrixx, or Alison Parker working on behalf of We.Retail?
A user may say, "I should have access to this content," and the answer is often, "Select the right organization in the profile menu."
Set up and limit the ability to preview and publish
As an administrator, you can set preview and publish permissions at the organization or site level. At the organization level, all sites share the same preview and publish permissions. You may also want to familiarize yourself with the available roles for Edge Delivery Services. This guide does not attempt to cover the full range of options available.
One-time setup
The goal of this step is to get your IMS userid into your AEM Edge Delivery Config. If you already know how to do this, you can skip this section. We will assume your AEM Edge Delivery Config currently contains only email addresses.
At the time of writing, when you create a new AEM project in a new GitHub organization by following the AEM tutorial, the email address associated with your GitHub organization is automatically added to your AEM Edge Delivery Config. You will need to add your IMS userid to your config.
Get your IMS userid
- Visit da.live in your browser.
- Sign in (if you are not already)
- Open the profile menu from the top right
- Click your name; this copies your IMS userid.
- Take note of the organization, as the userid is bound to this org.
- Paste the copied userid somewhere safe.
List the current users of your Edge Delivery Config
- Sign in
  - You may need to add the project to Sidekick first.
  - This is likely the account / email associated with your GitHub account, but it can be something else if this organization was not newly created.
- Fill in your organization
- Fetch the current users
Add the IMS userid to the Edge Delivery Config
- Click the "Add User..." button
- Add the userid to the email field
- Add the desired role
- Save the user
You should see a successful response.
One-time setup conclusion
Congratulations! You have successfully added your IMS userid to AEM Edge Delivery Services. Going forward, you can use DA's AEM Permissions app to manage users and roles for this organization and sites.
Ability to author content
Introduction & concepts
DA provides a simple, yet powerful, way to organize and manage permissions to your authored content.
- Identity provider (IdP) - DA uses Adobe Identity (aka IMS). You will need an Adobe account (free) to access protected content. If you wish to bring your own identity provider, you can do this through built-in IMS integrations.
- Organization, groups, or email - You can use IMS organizations, IMS groups, or an IMS email address as the audiences for your content. While organizations and groups provide a central place to manage identity, if you do not have access to Adobe Admin Console, you can use email addresses directly in DA.
- Read, write, or none - To reduce confusion over fine-grained access control, DA provides simple read, write, and [ ] (empty / none) actions to help you better understand how your content creators are impacted.
- Folders, children, files, configs - You have the ability to finely tune what types of content people have access to.
- Sheet-based - Access and permissions are controlled through the config sheet for your organization. The syntax will feel familiar to anyone who has managed a metadata sheet for Edge Delivery Services.
Get your IMS Organization ID
Use Admin Console to get your IMS organization ID. This is the unique number before the @ symbol in the URL. You will also use Admin Console to create groups and add users.
Add the IMS Org ID and associated groups
In the permissions sheet of the DA organization config (https://da.live/config#/name-of-org/), add your paths, the organization/groups, and the action each is allowed to take. Let's unpack what we've done line by line.
Permissions sheet
Note that we list our permissions in a sheet inside our organization config. We will use plain language to describe each row:
- Row 1 - This is a required header for your permission columns.
- Row 2 - I would like everyone in my organization to read the configs that apply to DA.
- Row 3 - I would like only people in my organization's da-admins group to write configs.
- Row 4 - I would like everyone in my organization to read all content in my org.
- Row 5 - I would like to grant the da-authors group the ability to write any content inside my org.
- Row 6 - I would like to grant everyone in my organization write access to the Geometrixx Outdoors drafts folder.
- Row 7 - I would like to grant da-visitors write access to the Geometrixx Gov drafts folder.
- Row 8 - I would like to grant da-blog-authors write access to the Geometrixx Blog folder.
Once entered, you can save the config with your permissions sheet. Below are our recommended permission sheets to get started with.
For projects that have an Adobe Organization:
path | groups | actions | comments |
CONFIG | {{YOUR_ORG_ID}} | read | |
CONFIG | {{YOUR_ORG_ID}}/admins | write | |
/ + ** | {{YOUR_ORG_ID}} | read | |
/ + ** | {{YOUR_ORG_ID}}/authors | write | |
/your-site/drafts/** | {{YOUR_ORG_ID}} | write | |
For projects that only have email / Adobe Identity:
path | groups | actions | comments |
CONFIG | [email protected], [email protected] | write | |
/ + ** | [email protected], [email protected] | write | |
FAQ & tips
Below you will find answers to a few common questions as well as some additional resources.
- What if I do not have an IMS organization to manage groups? You can provide email addresses as a comma-separated list in place of a group.
- Help! I messed something up and cannot access my org, what do I do? Please reach out to us in your Adobe Support Slack, Teams, or Discord.
- Does this have anything to do with previewing and publishing permissions? No. This is only for who can view and edit authored content in DA. For preview and publish permissions, please see the Edge Delivery docs.
- I see read, write, and none. Is there a delete? Write implies both read and delete.
- What does "none" [_] do? In practice, this is a deny.
- My author keeps getting taken to a 404 page. Why? They do not have permission to access the content, or the content simply doesn't exist. Items to check:
  - If they were recently added to a new group, have them log out and log back in again. This will refresh DA's knowledge of the groups they are in.
  - Double-check your paths and children wildcards. It's possible you have something set for children, but not set for the root folder they want to access.
- Is there a way to use a more human-readable name for the organization? Unfortunately, not at the moment. In balancing performance, maintainability, and usability, this is not currently an option. It is an area of interest for us in the future.
- Can I use multiple organizations in my permission sheet? Yes! They can even be on the same line in the groups column.
- I locked a specific file with none [_], but people can still see it in the browse view. Why? DA's permissions are not designed to prevent display of file or folder names inside a list. If you have extremely sensitive information, you are encouraged to stage your content in a fully locked sub-folder. Please rethink my-boss-sucks.html before you save it inside a readable folder.
- Do you support individual file locking? Yes, but it is implemented through the none pattern. File locking has proven to create logistical authoring challenges when implemented in the past. We encourage you to use the none pattern and lean on versioning, preview permissions, and snapshots to accomplish the same goals as file locking.
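The following is an added example, not DA's own code and not a statement of how DA actually evaluates its sheet. It is a small Python checker that reads a permissions sheet shaped like the ones above and reports what a given user could do on a given path, so a sheet can be sanity-checked before it is saved. It encodes one reading of the semantics described in the permissions-sheet section and the FAQ, and the following are assumptions rather than documented DA behaviour: a path ending in "/+**" covers the folder and everything below it while "/**" covers children only; "CONFIG" is matched exactly; the most specific matching path wins, and among rows at that path the highest action granted to any of the user's identities wins; write implies read and delete; an empty action is a deny. The org ID, group names, email address, paths and sheet rows are constructed for the example.

```python
"""Toy evaluator for a DA-style permissions sheet (constructed example, not DA code).

Assumed rules (assumptions, not documented DA behaviour):
  * "/+**" matches the folder and all children; "/**" matches children only;
    any other path (including "CONFIG") must match exactly;
  * the most specific matching pattern wins (exact > deeper folder > shallower);
    among rows at that pattern, the highest action any identity holds wins;
  * "write" implies read and delete; an empty action ("none") is a deny.
"""
from dataclasses import dataclass

RANK = {"": 0, "read": 1, "write": 2}            # "" is the empty / none action
IMPLIES = {"": set(), "read": {"read"}, "write": {"read", "write", "delete"}}

ORG = "1234567890ABCDEF"                          # constructed IMS org id

# Constructed sheet: the org-based starter sheet, one file locked with "none",
# and one email row that covers children only (the FAQ's wildcard pitfall).
SHEET = f"""\
path | groups | actions | comments
CONFIG | {ORG} | read |
CONFIG | {ORG}/da-admins | write |
/+** | {ORG} | read |
/+** | {ORG}/da-authors | write |
/geometrixx-outdoors/drafts/+** | {ORG} | write |
/geometrixx-gov/drafts/** | {ORG}/da-visitors | write |
/hr/salaries.html | {ORG} | |
/partners/drafts/** | partner@example.com | write |
"""


@dataclass(frozen=True)
class Rule:
    path: str
    audiences: tuple
    action: str


def parse_sheet(text):
    """Parse the pipe-delimited sheet into Rule objects; reject unknown actions."""
    lines = text.strip().splitlines()
    header = [c.strip() for c in lines[0].split("|")]
    rules = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.split("|")]
        cells += [""] * (len(header) - len(cells))  # tolerate a missing trailing pipe
        row = dict(zip(header, cells))
        action = row["actions"].lower()
        if action not in RANK:
            raise ValueError(f"unknown action {action!r} in row: {line}")
        audiences = tuple(a.strip() for a in row["groups"].split(",") if a.strip())
        rules.append(Rule(row["path"], audiences, action))
    return rules


def specificity(pattern, path):
    """Return a sortable specificity if pattern covers path, else None."""
    if pattern == path:
        return (len(path), 2)                     # an exact row beats any wildcard
    for suffix, include_self in (("/+**", True), ("/**", False)):
        if not pattern.endswith(suffix):
            continue
        folder = pattern[: -len(suffix)] or "/"   # "/+**" and "/**" hang off the root
        if include_self and path == folder:
            return (len(folder), 1)
        if path.startswith(folder.rstrip("/") + "/") and path != folder:
            return (len(folder), 1)
    return None


def effective_action(rules, identities, path):
    """Return "write", "read" or "" for a user presenting the given identities
    (org id, org/group names, email address)."""
    best_spec, best_rank = None, 0
    for rule in rules:
        if not set(rule.audiences) & set(identities):
            continue
        spec = specificity(rule.path, path)
        if spec is None:
            continue
        if best_spec is None or spec > best_spec:
            best_spec, best_rank = spec, RANK[rule.action]
        elif spec == best_spec:
            best_rank = max(best_rank, RANK[rule.action])
    return {v: k for k, v in RANK.items()}[best_rank]


def allows(rules, identities, path, operation):
    """True if the user may perform operation (read / write / delete) on path."""
    return operation in IMPLIES[effective_action(rules, identities, path)]


def folders_hidden_from(rules, identities):
    """Folders whose children the user can reach but which they cannot open
    themselves: the 'set for children, not for the root folder' pitfall."""
    hidden = set()
    for rule in rules:
        if not rule.path.endswith("/**") or RANK[rule.action] == 0:
            continue
        if not set(rule.audiences) & set(identities):
            continue
        folder = rule.path[: -len("/**")] or "/"
        if effective_action(rules, identities, folder) == "":
            hidden.add(folder)
    return sorted(hidden)


if __name__ == "__main__":
    rules = parse_sheet(SHEET)
    author = {ORG, f"{ORG}/da-authors"}
    partner = {"partner@example.com"}
    print(effective_action(rules, author, "/geometrixx-blog/index.html"))  # write
    print(effective_action(rules, author, "/hr/salaries.html"))            # "" (none)
    print(folders_hidden_from(rules, partner))                             # ['/partners/drafts']
```

Run it with a sheet pasted into SHEET and the identity strings of the user who reports a 404 (their org id, the org/group names they belong to, or their email). The exact-row deny on /hr/salaries.html shows why a "none" row overrides an org-wide write, and folders_hidden_from lists the folders a user would be unable to open even though rows grant them access to the children.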
Developer reference
For more comprehensive documentation, please see our developer wiki regarding ACLs. You will find a thorough reference of all permission options available while also covering more complex use cases.