Bloomreach Experience Manager User Roles and Permissions | OpsBlu Docs

Bloomreach Experience Manager User Roles and Permissions

How to manage team access, roles, and permissions in Bloomreach. Covers adding users, updating access levels, revoking access, and security best...

This section covers user management, roles, and permissions for Bloomreach Experience Manager (brXM) and associated analytics tools. Bloomreach Experience Manager is an enterprise-grade, open-source digital experience platform built on Apache Hippo CMS.

Overview

Bloomreach Experience Manager provides comprehensive user management capabilities designed for large organizations managing complex digital experiences. The platform offers fine-grained access control through role-based permissions, domain-based security, and workflow management.

User management in brXM operates through multiple layers:

  • User Accounts: Individual user credentials and profiles
  • Groups: Collections of users with similar responsibilities
  • Roles: Sets of permissions defining what users can do
  • Domains: Security domains for organizing users and content
  • Workflow: Approval processes requiring specific permissions

As a Java-based CMS built on JCR (Java Content Repository) standards, brXM provides enterprise-grade security features including LDAP/Active Directory integration, SSO support, and detailed audit logging.

Platform User Management

Accessing User Management

To access user management in Bloomreach Experience Manager:

  1. Log in to the CMS console at /cms
  2. Navigate to Admin in the top menu
  3. Select Users from the admin menu
  4. Alternatively, access Groups or Permissions from the admin menu

Only users with administrative privileges can access the full user management interface. The admin section provides centralized control over users, groups, roles, and security domains.

Bloomreach Experience Manager Roles

Default System Roles

Admin

  • Full system administration access
  • Can create, modify, and delete users and groups
  • Manages all security domains and permissions
  • Access to system configuration and settings
  • Can modify workflow definitions
  • View audit logs and system statistics
  • Should be limited to 2-3 trusted administrators

Author

  • Create and edit content documents
  • Save drafts and submit for publication
  • Cannot publish without approval (by default)
  • Access to assigned channels and folders
  • Can upload and manage assets
  • Limited to content creation workflows

Editor

  • All author permissions plus:
  • Can approve and publish content
  • Manage content workflow for their domain
  • Can create and manage taxonomies
  • Access to content analytics and reports
  • Typically assigned to content managers

Webmaster

  • Manage website structure and components
  • Configure page layouts and templates
  • Manage site menus and navigation
  • Cannot modify system configuration
  • Focus on site architecture, not content

Developer

  • Access to template and component development
  • Can modify site components and layouts
  • Access to developer console
  • Cannot access production content by default
  • Typically works in development environments

Asset Manager

  • Upload and organize digital assets
  • Manage image galleries and media libraries
  • Set metadata and tags for assets
  • Cannot publish content or modify site structure
  • Focus on DAM (Digital Asset Management)

Permission Levels

Permissions in brXM are hierarchical and can be scoped to specific:

  • Content folders: Read, write, or no access
  • Channels: Which sites/channels users can modify
  • Document types: Which content types users can create
  • Assets: Access to media and document libraries
  • Taxonomies: Ability to manage categories and tags

Adding and Inviting Users

Creating New Users

To add a user in brXM:

  1. Navigate to Admin > Users
  2. Click Add User or New User
  3. Enter required information:
    • Username (unique identifier)
    • First and last name
    • Email address
    • Initial password (user should change on first login)
  4. Assign to groups (optional)
  5. Set security domain
  6. Configure password expiration policy
  7. Click Save

Users should receive their credentials through secure channels and be prompted to change passwords on first login.

Assigning Groups and Roles

Groups in brXM combine users with similar responsibilities:

  1. Navigate to Admin > Groups
  2. Select an existing group or create a new one
  3. Click Add User to Group
  4. Select users from the available list
  5. Save changes

Common group structures:

  • Content Authors: Writers and content creators
  • Content Editors: Reviewers and publishers
  • Marketing Team: Campaign and promotional content
  • Regional Teams: Content for specific geographies
  • External Contributors: Vendors or freelance writers

Configuring Permissions

To set granular permissions:

  1. Navigate to Admin > Permissions
  2. Select the user or group
  3. Choose the security domain
  4. Set folder-level permissions:
    • Read: Can view content
    • Write: Can edit and create content
    • Delete: Can remove content
  5. Configure channel access
  6. Set workflow permissions
  7. Apply changes

Permissions can be inherited from parent folders or explicitly set at each level.

Security Domains

Bloomreach uses security domains to organize users and content:

Default Domains

  • Hippocms: System administration domain
  • Website: Public website content
  • Assets: Digital asset management
  • Custom: Organization-specific domains

Creating Custom Domains

For multi-site or multi-tenant setups:

  1. Navigate to Admin > Domains
  2. Create a new security domain
  3. Assign users and groups to the domain
  4. Configure domain-specific permissions
  5. Link content folders to the domain

This allows complete separation of access between different sites, brands, or business units.

Workflow and Publication Management

brXM includes built-in workflow for content approval:

Workflow Roles

  • Requestor: Submits content for review
  • Reviewer: Reviews and approves/rejects
  • Publisher: Final approval and publication
  • Unpublisher: Can take content offline

Configuring Workflow Permissions

  1. Navigate to Admin > Workflow
  2. Define workflow steps and transitions
  3. Assign roles to each step
  4. Configure notification rules
  5. Test workflow with sample content

Workflow ensures content quality and compliance by requiring multiple approvals before publication.

LDAP and Active Directory Integration

For enterprise environments, brXM supports directory integration:

LDAP Configuration

  1. Edit the repository configuration file
  2. Add LDAP connection parameters:
    • Server URL and port
    • Base DN for users and groups
    • Bind credentials
  3. Map LDAP attributes to brXM user properties
  4. Configure group synchronization
  5. Restart the application

Benefits of Directory Integration

  • Centralized user management
  • Automatic user provisioning
  • Single sign-on (SSO) support
  • Group synchronization
  • Password policy enforcement
  • Reduced administrative overhead

API Access and Authentication

Repository API Authentication

brXM provides several APIs for programmatic access:

  1. Content REST API: For content delivery
  2. Management API: For administrative tasks
  3. JCR API: Low-level repository access

API Authentication Methods

  • Basic Authentication: Username and password
  • Token-Based: JWT tokens for API access
  • Session-Based: For web applications
  • Certificate-Based: For system integrations

Creating API Users

For API access:

  1. Create a dedicated user account
  2. Assign minimal required permissions
  3. Use service account credentials
  4. Configure IP restrictions if possible
  5. Monitor API usage and access logs

Never use personal accounts for API access; always create dedicated service accounts.

Single Sign-On (SSO)

brXM supports SSO through various protocols:

SAML 2.0 Integration

  1. Configure SAML service provider in brXM
  2. Exchange metadata with identity provider
  3. Map SAML attributes to user properties
  4. Configure group mappings
  5. Test authentication flow
  6. Enable SSO for production

Supported Identity Providers

  • Microsoft Azure AD
  • Okta
  • OneLogin
  • ADFS (Active Directory Federation Services)
  • Custom SAML 2.0 providers

Security Best Practices

Access Control

  1. Implement Role-Based Access Control: Use groups and roles, not individual permissions
  2. Principle of Least Privilege: Grant minimum necessary access
  3. Separate Environments: Different permissions for dev/stage/production
  4. Regular Access Reviews: Audit user permissions quarterly
  5. Remove Stale Accounts: Disable inactive users after 90 days

Authentication Security

  1. Enforce Strong Passwords: Minimum 12 characters, complexity requirements
  2. Enable Password Expiration: Force password changes every 90 days
  3. Account Lockout: Lock accounts after failed login attempts
  4. Session Timeout: Auto-logout after inactivity
  5. Multi-Factor Authentication: Implement via SSO provider

Content Security

  1. Workflow Enforcement: Require approval for sensitive content
  2. Version Control: Enable versioning for all content
  3. Audit Logging: Monitor content changes and access
  4. Backup Strategy: Regular backups of repository
  5. Disaster Recovery: Tested recovery procedures

Common Issues and Solutions

Issue: User Cannot Log In

Solution:

  • Verify username and password are correct
  • Check if account is locked due to failed attempts
  • Ensure user is assigned to at least one security domain
  • Verify password hasn't expired
  • Check LDAP connectivity if using directory integration

Issue: User Cannot See Content

Solution:

  • Verify user has read permissions for the content folder
  • Check security domain assignments
  • Ensure user is in correct group for channel access
  • Review inherited permissions from parent folders
  • Check if content is in a private branch

Issue: Cannot Publish Content

Solution:

  • Verify user has publish permissions
  • Check if workflow approval is required
  • Ensure content meets validation requirements
  • Verify user has access to target channel
  • Check for workflow state conflicts

Issue: LDAP Synchronization Failing

Solution:

  • Test LDAP connection from server
  • Verify bind credentials are correct
  • Check firewall rules allow LDAP traffic
  • Review LDAP query filters and base DN
  • Check application logs for specific errors

Issue: Permission Changes Not Taking Effect

Solution:

  • Permissions may be cached; restart user session
  • Check if user has permissions from multiple groups (conflicts)
  • Verify domain-level permissions aren't overriding folder permissions
  • Clear application cache
  • Review permission inheritance hierarchy

Audit Logging and Monitoring

brXM provides comprehensive audit capabilities:

Audit Log Features

  • User login/logout events
  • Content creation, modification, and deletion
  • Permission changes
  • Workflow transitions
  • Failed authentication attempts
  • Configuration changes

Accessing Audit Logs

  1. Navigate to Admin > Audit
  2. Filter by:
    • User
    • Date range
    • Event type
    • Content path
  3. Export logs for compliance reporting

Regular audit review helps identify:

  • Unusual access patterns
  • Potential security breaches
  • Compliance violations
  • Training needs
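The failed-authentication and unusual-access checks above, together with the 90-day stale-account rule and the account-lockout rule from Security Best Practices, scripted over a constructed audit export. This is an added example, not brXM code or a real export: the one-event-per-line format, the event names and the sample users are assumptions, so adapt the parser to the columns your exported audit log actually has.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Constructed sample export, one event per line: "<UTC timestamp> <event> <username>".
SAMPLE_AUDIT_LOG = """
2024-06-01T08:00:00Z login_success alice
2024-06-01T08:05:00Z login_failed bob
2024-06-01T08:05:20Z login_failed bob
2024-06-01T08:05:41Z login_failed bob
2024-06-01T08:06:02Z login_failed bob
2024-06-01T08:06:30Z login_failed bob
2024-06-01T08:30:00Z login_success bob
2024-03-01T10:00:00Z login_success carol
2024-06-02T12:00:00Z login_failed dave
"""
FMT = "%Y-%m-%dT%H:%M:%SZ"

def _ts(text):
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)

def parse_events(text):
    """Return (timestamp, event, user) tuples in chronological order."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return sorted((_ts(ts), event, user) for ts, event, user in rows)

def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Users with >= threshold failures in any sliding window: what a lockout
    rule would have caught and what a failed-login alert should name."""
    failures = defaultdict(list)
    for ts, event, user in events:
        if event == "login_failed":
            failures[user].append(ts)
    flagged = {}
    for user, times in failures.items():          # chronological already
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:       # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged

def stale_accounts(events, known_users, now_iso, max_idle=timedelta(days=90)):
    """Accounts with no successful login within max_idle, or none at all (values: last good login)."""
    now, last_ok = _ts(now_iso), {}
    for ts, event, user in events:                 # chronological: last wins
        if event == "login_success":
            last_ok[user] = ts
    return {u: (last_ok[u].strftime(FMT) if u in last_ok else None)
            for u in known_users if u not in last_ok or now - last_ok[u] > max_idle}
```

Feed `known_users` from the Admin > Users listing rather than from the log itself, otherwise accounts that never logged in (the most common stale accounts) are never reported.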

Multi-Site and Multi-Tenant Management

For organizations managing multiple sites:

Site-Specific Access

  1. Create separate channels for each site
  2. Configure channel-specific groups
  3. Assign users to appropriate channels
  4. Use security domains for complete separation
  5. Configure workflow per channel if needed

Multi-Tenant Architecture

For completely separate organizations on one platform:

  1. Create dedicated security domains per tenant
  2. Configure separate user repositories
  3. Implement tenant-specific authentication
  4. Segregate content at repository level
  5. Use separate databases for full isolation

Analytics Tool Access

Google Analytics 4

Manage GA4 access in Admin > Account/Property Access Management:

  • Administrator: Full control over account settings and users
  • Editor: Can modify configurations and settings
  • Analyst: Can create reports and audiences, no configuration changes
  • Viewer: Read-only access to reports and data

brXM integrates with GA4 through:

Google Tag Manager

Manage GTM access in Admin > User Management:

  • Administrator: Full control over container and users
  • Publish: Can publish container changes to production
  • Approve: Can approve changes but not publish
  • Edit: Can edit tags and triggers but cannot approve or publish
  • Read: View-only access to container configuration

Implement GTM in brXM templates for flexible tag management.

Meta Business Manager

Manage access in Business Settings > People:

  • Admin: Full control over business settings and assets
  • Employee: Limited access based on assigned assets and permissions

Integration Considerations

When connecting brXM to analytics platforms:

  1. Template-Level Integration: Add tracking codes to HST templates
  2. Component-Based Tracking: Track component interactions
  3. Event Tracking: Capture user interactions with content
  4. E-commerce Tracking: For sites with shopping functionality
  5. Cross-Domain Tracking: For multi-site implementations

Best Practices

  1. Use Groups Over Individual Permissions: Assign permissions to groups, not individual users
  2. Implement Workflow: Require approval for production content changes
  3. Enable Audit Logging: Track all user actions for security and compliance
  4. Regular Permission Audits: Review access quarterly and remove unnecessary permissions
  5. Separate Environments: Different user sets for dev/stage/production
  6. Document Access Policies: Maintain clear documentation of roles and responsibilities
  7. Use LDAP/SSO: Centralize authentication for enterprise deployments
  8. Version All Content: Enable versioning to track changes and enable rollback
  9. Monitor Failed Logins: Set up alerts for suspicious authentication activity
  10. Test Permission Changes: Always verify permission changes in non-production first
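A quarterly access-review script for the rules in this list and in Security Best Practices: admin accounts capped at 2-3, groups rather than direct permissions, every user in a security domain, least privilege for API service accounts, and users who inherit roles from several groups. This is an added example, not part of the page or of brXM; the snapshot layout, field names and user names are assumptions, so map them to whatever your user and group export actually contains.

```python
# Constructed snapshot of groups and users. Its shape is an assumption made
# for this example, not brXM's export format.
SNAPSHOT = {
    "groups": {
        "admins":          {"role": "admin",  "members": ["alice", "bob", "carol", "svc-feed"]},
        "content-authors": {"role": "author", "members": ["erin", "frank"]},
        "content-editors": {"role": "editor", "members": ["frank", "gina"]},
    },
    "users": {
        "alice": {"domain": "hippocms"}, "bob": {"domain": "hippocms"},
        "carol": {"domain": "hippocms"},
        "erin":  {"domain": "website", "direct": {"/content/documents/news": "write"}},
        "frank": {"domain": "website"},
        "gina":  {"domain": None},
        "svc-feed": {"domain": "website", "service_account": True},
    },
}
SEVERITY = {"high": 0, "medium": 1, "low": 2, "info": 3}

def roles_of(snapshot, user):
    """Roles a user inherits through group membership."""
    return sorted({s["role"] for s in snapshot["groups"].values() if user in s["members"]})

def review_access(snapshot, max_admins=3):
    """Return (severity, subject, message) findings for the page's access rules."""
    findings = []
    admins = sorted({u for s in snapshot["groups"].values()
                     if s["role"] == "admin" for u in s["members"]})
    if len(admins) > max_admins:
        findings.append(("high", ",".join(admins),
                         f"{len(admins)} admin accounts, limit is {max_admins}"))
    for user, spec in snapshot["users"].items():
        roles = roles_of(snapshot, user)
        if spec.get("domain") is None:
            findings.append(("medium", user, "no security domain assigned (see 'User Cannot Log In')"))
        if spec.get("direct"):
            findings.append(("low", user, "holds direct folder permissions; move them to a group"))
        if len(roles) > 1:
            findings.append(("info", user, "roles from several groups: " + ", ".join(roles)))
        if spec.get("service_account"):
            if "admin" in roles:
                findings.append(("high", user, "service account is an administrator"))
            if any(lvl != "read" for lvl in spec.get("direct", {}).values()):
                findings.append(("medium", user, "service account has write/delete access"))
    return sorted(findings, key=lambda f: (SEVERITY[f[0]], f[1]))
```

Run it against a non-production export first, as item 10 advises, and keep the output with the review record so the next quarter can diff against it.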

Additional Resources