Separating groups of users and their respective forms can be accomplished very simply with AEM. You merely need to know what folders to allow or deny specific rights on.
The typical author configuration of AEM Forms provides your users with the following groups and privileges:
- forms-user – the main group to create forms content.
- forms-power-user – the ability to create more complex forms with JavaScript in addition to the rules editor.
Depending on their abilities, users may also be assigned:
- forms-submission-reviewers
- template-authors
- template-power-user
- fdm-authors
- workflow-editors
- workflow-user
- fd-administrators
See the AEM Forms on OSGi Groups and Privileges guide for more details on all the rights and privileges.
Given all of these rights, “User A” could interact with and edit all of “User B”’s assets. Full CRUD is provided to all forms users. For smaller implementations this may be acceptable, but for larger deployments, or where multiple departments share the same instance, it creates opportunities for error and loss.
Let’s look at a simple way to ensure “User B” cannot interact with “User A”’s forms.
Group Setup
Create 2 new groups and assign 2 of the out-of-the-box users (part of the AEM sample content) to them, so that each user gets different groups and abilities:
- cavery
- imccoy
From http://localhost:4502/security/groups.html create Group A and Group B.
In Group A, add user “cavery” and in Group B, add user “imccoy”. Each of these groups should also include all of the previously mentioned form access groups. Ideally you’ll create an “Adaptive Forms Users” group and an “Adaptive Forms Power Users” group that include the rights you require from each of those groups, omitting the rights you don’t need.
Once the users are members of their appropriate groups and have the appropriate rights, we’ll create folders in forms manager to hold the corresponding group’s forms.
Go to http://localhost:4502/aem/forms.html/content/dam/formsanddocuments and create 2 folders. “Group A” (group-a) and “Group B” (group-b).
In each of the 2 folders, create a new Adaptive Form, “Form A” (form-a) and “Form B” (form-b). The details of the form itself are of no consequence as long as you have objects present in the new folders.
Storage Concepts
On each of your forms, click on the properties icon and note the URL in your browser. It will include a DAM location such as: /content/dam/formsanddocuments/group-a/form-a. If you edit the form, your browser location will include /content/forms/af/group-a/form-a.html. Each form contains an entry in both /content/dam/formsanddocuments and /content/forms/af. The dam entry contains the metadata of the form. Browsing in CRXDE to your dam instance will allow you to see the stored properties and their values: http://localhost:4502/crx/de/index.jsp#/content/dam/formsanddocuments/group-a/form-a/jcr%3Acontent/metadata. The forms entry contains the actual list of nodes and items that make up your form. You can clearly see all of the objects that make up your form here: http://localhost:4502/crx/de/index.jsp#/content/forms/af/group-a/form-a/jcr%3Acontent/guideContainer/rootPanel/items
Security
The goal now will be to protect Group A’s content.
Go to http://localhost:4502/security/permissions.html/principal/everyone where we will apply security for each of the 2 groups.
- Click on Group A then click Add ACE (Access control entry)
- Select the path /content/dam/formsanddocuments/group-a
- In the privileges selector, choose: jcr:all
- Select Permission Type: Allow
- Click Save
We have now specifically allowed users that are part of Group A to access all aspects of this folder. AEM uses the DAM to “look” for forms and their related assets. You can choose to also protect the forms portion, but it is not necessary unless you wish to specifically lock down portions of your form content.
- Click on everyone
- Select the path /content/dam/formsanddocuments/group-a
- In the privileges selector, choose: jcr:all
- Select Permission Type: Deny
- Click Save
We have now specifically denied access to all users. Users that are part of Group A will override this denial.
Test the Security Settings
Click on the user icon and Impersonate the user cavery.
Now browse to the forms manager. You should be able to access the Group A folder and all assets inside it.
Now “Revert to Self”, then impersonate the user “imccoy”.
Once “imccoy” is impersonated, the Group A folder and included forms will no longer be visible but the Group B folder is visible and accessible. The “imccoy” user would be completely unaware of the existence of the other folder.
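The same test can be scripted so it can be re-run after every permission change. The script below is an added example, not part of the original article or of AEM. It assumes basic authentication and the default JSON rendering are available on the author instance, that the passwords are supplied in the hypothetical environment variables CAVERY_PASS and IMCCOY_PASS, and that an unreadable node answers with 403 or 404.

```shell
#!/usr/bin/env bash
# Added example: checks the folder isolation described above over HTTP.
# Assumptions: AEM author at $AEM_BASE, basic auth and the default .json
# rendering enabled, passwords in CAVERY_PASS / IMCCOY_PASS (hypothetical names).
AEM_BASE="${AEM_BASE:-http://localhost:4502}"
DAM=/content/dam/formsanddocuments

# Print the HTTP status of a JSON read of a repository path as a given user.
fetch_status() {  # args: user pass path
  curl -s -o /dev/null -w '%{http_code}' -u "$1:$2" "$AEM_BASE$3.json"
}

# Map a status code to visible / hidden / error.
# 401 (bad credentials) or 000 (no connection) must not pass as "hidden".
classify() {
  case "$1" in
    200) echo visible ;;
    403|404) echo hidden ;;
    *) echo error ;;
  esac
}

# Check one expectation; prints a result line, returns non-zero on mismatch.
check() {  # args: user pass path expected
  local got
  got=$(classify "$(fetch_status "$1" "$2" "$3")")
  printf '%-7s %-45s expected=%-7s got=%s\n' "$1" "$3" "$4" "$got"
  [ "$got" = "$4" ]
}

# The expectations stated in the test steps above.
run_matrix() {
  local fail=0
  check cavery "$CAVERY_PASS" "$DAM/group-a" visible || fail=1
  check imccoy "$IMCCOY_PASS" "$DAM/group-a" hidden  || fail=1
  check imccoy "$IMCCOY_PASS" "$DAM/group-b" visible || fail=1
  return "$fail"
}

# Contact the server only when invoked as: ./check-isolation.sh run
if [ "${1:-}" = run ]; then run_matrix; fi
```

If read access is later granted on Group A’s folder as described under Fragments, the second expectation has to change from hidden to visible.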
Fragments
If you wish users to be able to access fragments of other departments (recommended) or have read-only access to a series of fragments, then you will need to add read access to the appropriate groups or the “everyone” group.
With the read added in addition to the deny, users in Group B are now able to view assets in Group A’s folder. The options to modify and create are not present. This allows the user to look at the forms as well as reuse fragments but does not allow such actions as publish.
Through the combination of groups and permissions, an administrator can create a multi-department environment that allows an excellent level of segregation of assets but with the ability to share and reuse fragments in a safe and stable manner.