Wednesday, 5 November 2025

Set Up Adobe IMS Groups for Content Author Permissions and Sync with AEM Dev, Stage, and Prod

 

Managing user permissions efficiently is critical in large-scale Adobe Experience Manager (AEM) environments, especially when integrated with Adobe’s

This guide walks you through the end-to-end setup — from creating an IMS group in Adobe Admin Console to syncing and mapping it in AEM Cloud environments.


Step 1: Understand How IMS and AEM Permissions Work Together

Before diving into setup, let’s clarify the relationship:

  • Adobe IMS (Identity Management System): Centralized user/group management for Adobe solutions, including AEM as a Cloud Service.
  • AEM Cloud Service: Uses IMS authentication — meaning users log in with their Adobe ID and their roles/permissions are derived from IMS groups.

When an IMS group is synced with AEM:

  • A corresponding group is auto-created in AEM (prefixed by ims:).
  • You can then map that IMS group to AEM groups or permissions.

This ensures that when a new user is added to the IMS group, they automatically get the same permissions in AEM across all environments.


Step 2: Create an IMS Group for Content Authors

  1. Log in to the Adobe Admin Console.
  2. Navigate to your AEM Product Configuration:
  3. Select the specific Environment or Program (e.g., “Marketing Sites” or “Corporate Portal”).
  4. Under Product Profiles, click New Profile or select an existing one.
  5. Create a new IMS group for content authors, for example:
    aem-authors-marketing
  6. Assign relevant permissions and entitlements:

Notes: Follow a naming convention like aem-[role]-[project] (e.g., aem-author-corporate, aem-admin-commerce) to maintain clarity across multiple AEM programs.


Step 3: Assign Users to the IMS Group

Once your IMS group exists:

  • Go to Users in the Adobe Admin Console.
  • Add users or bulk import them.
  • Assign them to the IMS group you just created.

These users will inherit permissions as soon as they log into AEM environments tied to that IMS group.


Step 4: Sync IMS Groups with AEM Environments

Adobe automatically syncs IMS groups with all linked AEM environments — Dev, Stage, and Prod — under the same Cloud Manager program.

Verify the Sync:

  1. Log in to your AEM Author instance (e.g., Dev).
  2. Go to: Tools → Security → Groups
  3. Search for the group with prefix ims: (e.g., ims:aem-authors-marketing).
  4. You’ll see the group auto-created by the IMS sync process.

Flow Diagram: IMS Group to AEM Sync

Diagram: How Adobe IMS groups map and sync across AEM Dev, Stage, and Prod environments.


 


Step 5: Map IMS Groups to AEM Local Groups or Roles

IMS groups define who can log in; AEM groups define what they can do.

  1. Go to AEM Author → Tools → Security → Groups.
  2. Open your IMS group (e.g., ims:aem-authors-marketing).
  3. Add this group as a member of local AEM groups such as:
  4. Save changes.

Step 6: Ensure Consistency Across Environments

AEM Cloud Service automatically syncs IMS groups across environments. However, ensure that local AEM group mappings are consistent.

  • Use Cloud Manager pipelines or configuration sync tools to promote security configurations.
  • Optionally automate mappings with Repository Initialization (Repo Init) scripts:
Sample Repository Initialization (Repo Init) script 
create group aem-authors
add "ims:aem-authors-marketing" to group aem-authors
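An added example (not from the original post or from Adobe) of checking that local AEM group mappings match across environments and that no author IMS group has landed in a privileged local group. The input layout, the `prod` baseline, and the privileged-group list are assumptions, and the sample data is constructed.

```python
"""Detect drift in local-group -> IMS-group mappings between AEM environments."""

# Constructed sample data. The layout (environment -> local group -> member
# group ids) is an assumption, e.g. assembled from a group export per environment.
MAPPINGS = {
    "dev": {
        "aem-authors": {"ims:aem-authors-marketing"},
        "administrators": {"ims:aem-authors-marketing"},  # leftover test grant
    },
    "stage": {"aem-authors": set()},  # mapping never promoted
    "prod": {"aem-authors": {"ims:aem-authors-marketing"}},
}

# Local groups in which an author IMS group should never appear (assumed list).
PRIVILEGED_GROUPS = {"administrators"}


def find_mapping_drift(mappings, baseline="prod"):
    """Compare every environment with the baseline; return only differences."""
    base = mappings[baseline]
    drift = {}
    for env, groups in mappings.items():
        if env == baseline:
            continue
        for local in sorted(set(base) | set(groups)):
            want = {m for m in base.get(local, set()) if m.startswith("ims:")}
            have = {m for m in groups.get(local, set()) if m.startswith("ims:")}
            if want != have:
                drift.setdefault(env, {})[local] = {
                    "missing": sorted(want - have),
                    "extra": sorted(have - want),
                }
    return drift


def find_privileged_mappings(mappings, privileged=PRIVILEGED_GROUPS):
    """List (env, local group, IMS group) where an IMS group sits in a privileged group."""
    return sorted(
        (env, local, member)
        for env, groups in mappings.items()
        for local, members in groups.items()
        if local in privileged
        for member in members
        if member.startswith("ims:")
    )


if __name__ == "__main__":
    print(find_mapping_drift(MAPPINGS))
    print(find_privileged_mappings(MAPPINGS))
```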

Step 7: Test the Setup

  1. Log in as a test user from the IMS group.
  2. Verify access to AEM Author UI.
  3. Confirm:
    • Can they open and edit pages/assets?
    • Are permissions consistent across environments?
    • Does removal from IMS revoke access?

Summary

| Step | Action | Outcome |
| --- | --- | --- |
| 1 | Create IMS group | Centralized author group in Admin Console |
| 2 | Assign users | Access managed via Adobe ID |
| 3 | Sync with AEM | Auto-created in all environments |
| 4 | Map to AEM groups | Permissions applied correctly |
| 5 | Validate & Test | Consistent access across Dev, Stage, Prod |

Final Thoughts

Using Adobe IMS groups to manage AEM permissions is a best practice that enhances security, scalability, and ease of management. By configuring groups once in IMS and mapping them in AEM, you can ensure consistent authoring permissions across Dev, Stage, and Production — saving time and preventing access drift.



Migrating Workflows from AEM On-Premise to AEM as a Cloud Service (or New Workflow Structure)

 When working with Adobe Experience Manager (AEM), many teams encounter challenges while migrating existing workflows from an on-premise setup to the new cloud-based or modern AEM structure. One of the most common issues stems from the changes in workflow storage and runtime model generation.

This article outlines the key steps required to successfully migrate AEM workflows from the traditional /etc location to the newer /conf/global/settings/workflow structure.

Note:

Legacy workflow designs (both design-time and runtime) are held under the following path:

/etc/workflow/models/

Custom workflow designs are held under:

/conf/global/settings/workflow/models/...

Runtime workflow designs (both out-of-the-box and custom) are held under the following path:

/var/workflow/models/

Out-of-the-box workflow launchers are held under the following path:

/libs/settings/workflow/launcher/

Custom workflow launchers are held under:

/conf/global/settings/workflow/launcher/...

Legacy workflow launchers are held under the following path:

/etc/workflow/launcher/

 Legacy workflow scripts are held under the following path:

 /etc/workflow/scripts/

Custom workflow scripts are held under:

/apps/workflow/scripts/...


1. Verify Existing Workflows in the Legacy Location

Before starting the migration, confirm that all your current workflows exist in the legacy path:

/etc/workflow/models

This ensures you know exactly which models need to be transitioned and helps avoid missing dependencies during migration.

2. Update Workflow Locations

For each workflow model you plan to migrate, update its location reference from the old /etc structure to the new /conf path. The recommended destination is:

/conf/global/settings/workflow/models

You can perform this migration one workflow at a time to minimize potential errors. Be sure to update any internal or hardcoded URLs or references that point to the old /etc path.

3. Synchronize Workflow Models

Once the workflow has been moved to its new location, open it in the AEM Workflow Console and click on the Sync button.

This step is crucial: it generates the corresponding runtime models required for execution in the new environment.

4. Integrate Runtime Models into Your Source Code

After synchronization, locate the newly created runtime models. These are typically stored under the following paths:

/conf/global/settings/workflow/models

/var/workflow/models

Download or export these models and integrate them into your project’s source code repository. This ensures that your workflows are version-controlled and properly deployed across environments.

Your filter could look like this (assuming your workflow model's design-time and runtime versions are under the appropriate paths):

<filter root="/conf/global/settings/workflow/models/your-workflow-model"/>
<filter root="/var/workflow/models/your-workflow-model"/>
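An added example (not part of the original article or Adobe's tooling) that supports steps 2 and 4: it lists legacy /etc/workflow references together with the new location from the path list above, and reports models whose filter has a design-time root but no /var runtime root. The model names and sample inputs are constructed.

```python
"""Find legacy /etc/workflow references and incomplete workflow filters."""
import re
import xml.etree.ElementTree as ET

# Legacy -> current locations, taken from the path list in the note above.
LEGACY_TO_NEW = {
    "/etc/workflow/models": "/conf/global/settings/workflow/models",
    "/etc/workflow/launcher": "/conf/global/settings/workflow/launcher",
    "/etc/workflow/scripts": "/apps/workflow/scripts",
}
LEGACY_RE = re.compile(r"(/etc/workflow/(?:models|launcher|scripts))([\w./:-]*)")

DESIGN_ROOT = "/conf/global/settings/workflow/models/"
RUNTIME_ROOT = "/var/workflow/models/"


def find_legacy_refs(text):
    """Return (line number, legacy path, new location) for each reference."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in LEGACY_RE.finditer(line):
            prefix, rest = match.groups()
            hits.append((number, prefix + rest, LEGACY_TO_NEW[prefix] + rest))
    return hits


def models_missing_runtime_filter(filter_xml):
    """Return models with a design-time filter root but no /var runtime root."""
    roots = [f.get("root", "") for f in ET.fromstring(filter_xml).iter("filter")]
    design = {r[len(DESIGN_ROOT):] for r in roots if r.startswith(DESIGN_ROOT)}
    runtime = {r[len(RUNTIME_ROOT):] for r in roots if r.startswith(RUNTIME_ROOT)}
    return sorted(design - runtime)


# Constructed sample inputs (hypothetical model and launcher names).
SAMPLE_CONFIG = """\
workflowModel=/etc/workflow/models/request-approval
launcher=/etc/workflow/launcher/config/approve-on-create
model=/conf/global/settings/workflow/models/already-migrated
"""
SAMPLE_FILTER = """\
<workspaceFilter version="1.0">
  <filter root="/conf/global/settings/workflow/models/request-approval"/>
  <filter root="/var/workflow/models/request-approval"/>
  <filter root="/conf/global/settings/workflow/models/publish-review"/>
</workspaceFilter>
"""

if __name__ == "__main__":
    for hit in find_legacy_refs(SAMPLE_CONFIG):
        print("line %d: %s -> %s" % hit)
    print("no runtime filter for:", models_missing_runtime_filter(SAMPLE_FILTER))
```

The suggested path is the item's new location from the page's list; check whether a given reference should instead point at the runtime copy under /var/workflow/models.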

 

Conclusion

Migrating workflows from /etc to /conf may seem complex at first, but by following these structured steps, you can ensure a smooth transition. The key is to migrate one workflow at a time, validate synchronization, and keep your runtime models aligned with your codebase.

This process not only modernizes your workflow architecture but also ensures full compatibility with AEM’s latest standards and best practices.

Read more: https://experienceleague.adobe.com/en/docs/experience-manager-65/content/implementing/developing/extending-aem/extending-workflows/workflows-best-practices#locations

How to Restore content in AEM as a Cloud Service


In Adobe Experience Manager (AEM) as a Cloud Service, managing and maintaining digital content efficiently is crucial for ensuring business continuity and data integrity. Accidental deletions, version rollbacks, or content structure issues can occur during day-to-day operations, making content restoration an essential capability for administrators and authors alike. Fortunately, AEM as a Cloud Service provides built-in tools and automated processes to help restore content quickly and safely - whether from version history, backup snapshots, or cloud environments. This article walks you through the available methods, best practices, and key considerations for restoring content in AEM as a Cloud Service.

In this article, we will see how to restore content in AEM as a Cloud Service.

Step 1 

Create user role

By default, no permissions are assigned for executing content restorations in development, staging, or production environments. To authorize specific users or groups to perform this action, complete the following steps.

Steps to Delegate Content Restoration Permissions

  1. Create a product profile with a clear and descriptive name that reflects its purpose (for example, Content Restoration Administrators).
  2. Grant the Program Access permission for the specific program where content restoration will be performed.
  3. Grant the Environment Restore Create permission for the required environment(s) — or for all environments within the program — based on your operational needs.
  4. Assign users to the newly created product profile to enable them to perform content restoration tasks.

Step 2  

 Create a New Product Profile

First create a product profile to which you can assign custom permissions.

  1. Log into Cloud Manager at my.cloudmanager.adobe.com.
  2. On the Cloud Manager landing page, select the Manage Access button.


 

You will be redirected to the Products tab of the Admin Console, where you can manage users and permissions for Cloud Manager. In the Admin Console, select the New Profile button and enter the details.

 


 

 Step 3

Add users to the product profile.


Step 4 

Restore the content of an environment

To restore the content of an environment:

1. Log into Cloud Manager at my.cloudmanager.adobe.com and select the appropriate organization.

2. Click the program for which you want to initiate a restore.

3. List all environments for the program by doing one of the following:

  • From the left side menu, under Services, click Environments.
  • From the left side menu, under Program, click Overview, then from the Environments card, click Show All.


NOTE

The Environments card lists three environments only. Click Show All in the card to see all environments of the program.

4.       In the Environments table, to the right of an environment whose content you want to restore, click  , then click Restore Content.


5.       On the Restore Content tab of the environment’s page, in the Time to restore drop-down list, select the time frame of the restore.


If you chose Last 24 hours, in the adjacent Time field, specify the exact time within the last 24 hours to restore.

If you chose Last week, in the adjacent Day field, select a date within the past seven days, excluding the previous 24 hours.

6. Once you select a date or specify a time, the Backups available section below shows a list of available backups that can be restored.

7.       Click  next to a backup to see its code version and AEM release, then weigh the restore impact before selecting a backup (see Choose the right backup).


The time stamp displayed for the restore options is based on the time zone of the user's computer.

8.       At the right end of the row representing the backup you want to restore, click  to start the restore process.

9.       Review the details in the Restore Content dialog box, then click Restore.


The backup process has been initiated. You can monitor its progress in the Restore Activity list. The duration of the restore operation varies based on the size and complexity of the content being restored.

When the restore completes successfully, the environment does the following:

  • Runs the same code and AEM release that were active at the time the restore operation was initiated.
  • Contains the same content that existed at the timestamp of the selected snapshot, with indexes rebuilt to align with the current code base.

Choose the right backup

Cloud Manager’s self-service restore process restores content only, not code. Before performing a restore, review any code changes made since the target restore point by checking the commit history between the current and restored commit IDs.

There are several scenarios.

  • The environment’s custom code and the restore are located in the same repository and on the same branch.
  • The environment’s custom code and the restore are located in the same repository but on separate branches, both originating from a common commit.
  • The environment’s custom code and the restore are located in different repositories.

In this case, a commit ID is not displayed.

Adobe highly recommends that you clone both repositories and use a diff tool to compare the branches.

Also, keep in mind that a restore might cause your production and staging environments to fall out of sync. You are responsible for the consequences of restoring content.

Restore activity

The Restore Activity list shows the status of the ten most recent restore requests including any active restore operations.


By clicking  for a backup, you can download logs for that backup and inspect the code details including the differences between the snapshot and data at the moment the restore was initiated.

https://youtu.be/Yc4HpCY8knI