Many organizations are moving towards a centralized digital foundation, with the aim of a centralized platform, publishing and so on, which requires managing content in multiple languages for multiple markets (for example, countries such as the US, UK and Sweden). Managing content for multiple markets on one AEM instance requires strong security management, along with the flexibility to introduce new market content on the instance without affecting the security of other markets' content. This calls for a dynamic and flexible solution in AEM to manage security for the content of different markets.
Challenge: The challenge is managing security when a large number of markets share a single AEM instance. For example, if we have more than 10 or 20 language sites, we can have 20 groups for 20 languages. But when a new language site is introduced, or to manage security for the existing language sites, the security admin must deny the content of the other 19 languages in the 20th group, so that a content author who belongs to the 20th group sees only the content allowed for that group. For the initial setup the security admin must repeat this exercise for each group, and when new language content is introduced the admin must repeat it for the new 21st group, denying the content of the other 20 languages. This number keeps increasing, and the exercise becomes a nightmare for the security admin. Here is a solution for setting up such a process:
Solution: This challenge can be addressed by creating security groups in AEM in a way that lets content authors see only the content of the market to which they belong or for which they have been given permission. Here are the steps to create security groups that make the security admin's task easy.
Step 1: Create a deny group, for example all-authors-deny.
Step 2: Give the all-authors-deny group the read permission required for any user to log in to the AEM platform, or give it read permission on the root.
Step 3: After providing read permission on the root, deny read permission on all available language sites by unchecking the read permission checkbox for each of them.
Step 4: Assign a user to the all-authors-deny group and check that the user can log in to AEM and that no language site is visible to that user.
Step 5: Create an allow group for the language on which you want to give the user permission. For example, to give permission on en-us, create a group named all-authors-en-us (you can name the group according to your organization's standard).
Step 6: Provide read permission in the allow group so that the site is visible to users who are members of that group. You can give other permissions as well, for example create, modify and replicate, as required.
This process helps the security admin manage security for all sites. Introducing a new site on the platform only requires assigning the new site's users to the all-authors-deny group, denying the new site in the all-authors-deny group, and creating a new allow group that has permissions on the new site only. With this approach the security admin does not have to go through each group to deny every site that the new site's users should not see.
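The six steps and the new-site onboarding described above, generated as Sling repoinit statements by a short Python script. This is an added example, not the author's own code: the /content/example/<market> paths and the market list are constructed placeholders, and it assumes an allow entry added after a deny entry on the same node takes precedence for group principals.

```python
# Added example: emit Sling repoinit statements for the deny-group model.
# Assumptions (not from the article): sites live under /content/example/<market>;
# the market names passed in are constructed sample values.
CONTENT_ROOT = "/content/example"   # hypothetical site root
DENY_GROUP = "all-authors-deny"     # group name used in the article

def site_path(market):
    return f"{CONTENT_ROOT}/{market}"

def deny_group_block(markets):
    """Steps 1-3: one group, read on root, read denied on every market site."""
    lines = [f"create group {DENY_GROUP}",
             f"set ACL for {DENY_GROUP}",
             "    allow jcr:read on /"]
    lines += [f"    deny jcr:read on {site_path(m)}" for m in markets]
    lines.append("end")
    return lines

def allow_group_block(market, privileges=("jcr:read",)):
    """Steps 5-6: one allow group per market, scoped to that market's site."""
    group = f"all-authors-{market}"
    return [f"create group {group}",
            f"set ACL for {group}",
            f"    allow {','.join(privileges)} on {site_path(market)}",
            "end"]

def repoinit(markets):
    """Deny block first, so each allow entry is added after the deny entry."""
    lines = deny_group_block(markets)
    for m in markets:
        lines += allow_group_block(m)
    return "\n".join(lines)

def onboarding_delta(new_market):
    """Everything the admin adds for one new market: 1 deny + 1 allow group."""
    return [f"set ACL for {DENY_GROUP}",
            f"    deny jcr:read on {site_path(new_market)}",
            "end"] + allow_group_block(new_market)

def naive_deny_entries(n_markets):
    """Per-group model from the Challenge: each group denies every other site."""
    return n_markets * (n_markets - 1)

if __name__ == "__main__":
    print(repoinit(["en-us", "en-gb", "sv-se"]))      # constructed market list
    print("\n".join(onboarding_delta("fr-fr")))
    print("naive deny entries for 20 markets:", naive_deny_entries(20))
```

Every user still has to be a member of both all-authors-deny and their market's allow group; the script only covers the ACL side of the setup.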
Written and curated by: Digvijay Singh Tomar, Lead Digital Architect – AEM. You can follow him on LinkedIn.