Tuesday, June 30, 2026

A Layered Access Management Model for Adobe Experience Platform (AEP)

A Layered Access Management Model for Adobe Experience Platform (AEP)

Scalable, governable RBAC across AEP, Customer Journey Analytics, and Adobe Data Collection

As Adobe Experience Platform (AEP) implementations grow across business units, regions, and use cases, managing user access can quickly become complex. One of the most common challenges is providing the right level of access while maintaining governance, security, and operational simplicity.

During a recent AEP implementation, I adopted a layered access management model that leverages Adobe's native capabilities while keeping the architecture scalable and easy to maintain. Rather than creating numerous Product Profiles for every business role, the model separates identity, product entitlement, and platform authorization.

In short

Assign people to User Groups (who they are). Each group grants access along two parallel tracks: Product Profiles (which Adobe apps — and these fully govern Customer Journey Analytics and Data Collection) and AEP Roles (what a user can do on platform resources, scoped by sandbox). The two tracks meet in only a couple of narrow spots — for example, a CJA administrator managing Data Management needs a minimal AEP Role. Keep each layer doing one job and you get least-privilege access without a sprawl of Product Profiles.

The group, profile, and role names below are illustrative — swap in your own naming convention as you adapt the model.

Access Management Architecture


Access Management Principles

Before diving into the layers, it helps to establish the ground rules the model operates by:

  • User access is provisioned through Adobe User Groups — the only object you assign people to.
  • Each User Group is mapped to one or more Product Profiles and/or AEP Roles based on business responsibilities.
  • Users may belong to multiple User Groups as required by their job functions.
  • Product Profiles govern access to Adobe applications and their capabilities. Customer Journey Analytics and Data Collection are managed almost entirely through Product Profiles — they need an AEP Role only for the two capabilities that reach into platform resources (CJA Data Management and Data Collection datastreams).
  • AEP Roles govern access to Adobe Experience Platform resources only — sandboxes, datasets, schemas, identities, and other platform capabilities.
  • Sandbox access is controlled through AEP Role assignments. Administrative capabilities (Manage Sandboxes, Manage Packages, Reset Sandboxes) are restricted to designated platform administrator roles.
  • Access follows the principle of least privilege — only the permissions required to perform a responsibility.
  • Production administrative access is restricted to authorized platform administrators, while development activities are performed within designated non-production sandboxes.
Permissions are additive. When a user belongs to multiple User Groups, their effective access is the union of all permissions granted through the associated Product Profiles and AEP Roles. Design groups so overlapping membership never accidentally escalates privilege.

Layer 1 – Adobe Admin Console User Groups

User Groups represent business personas, not technical permissions. Examples include:

  • Platform Administrators
  • Platform Developers
  • Data Engineers
  • Data Analysts
  • Customer Journey Analytics Administrators
  • Customer Journey Analytics Business Users
  • Data Collection Administrators
  • Data Collection Developers

This simplifies onboarding and offboarding, since users are assigned to business groups instead of individual permissions.

Layer 2 – Adobe Product Profiles

Product Profiles determine which Adobe applications a user can access. Instead of creating Product Profiles for every business role, I recommend a hybrid approach.

For Customer Journey Analytics and Adobe Data Collection, the Product Profile is almost the entire access model — capabilities within those applications (Connections, Data Views, tags, rules, and so on) are controlled by the profile itself.

There are two narrow exceptions: the capabilities that reach into AEP platform resources. Managing CJA Data Management (Connections & Data Views) and creating Data Collection datastreams each require a small, dedicated AEP Role in addition to the Product Profile, because both write to or read from platform objects (datasets, schemas, sandboxes). Everything else in these two applications is profile-governed.

ProductProduct ProfileType
Adobe Experience PlatformAEP-Default-All-UsersOOTB
Customer Journey AnalyticsCJA AdministratorCustom
Customer Journey AnalyticsCJA Business UserCustom
Adobe Data CollectionData Collection AdministratorCustom
Adobe Data CollectionData Collection DeveloperCustom

Why a Hybrid Approach?

  • Use the OOTB AEP-Default-All-Users Product Profile as the standard platform entitlement.
  • Create custom Product Profiles only where business segregation is required, such as Customer Journey Analytics and Adobe Data Collection.
  • Keep Product Profiles focused on application access, not detailed permissions.

Layer 3 – AEP Roles

AEP Roles determine what users can do inside Adobe Experience Platform. They apply only to AEP platform resources — Customer Journey Analytics and Data Collection are otherwise handled through Product Profiles, apart from the two narrow crossovers noted earlier (CJA Data Management and Data Collection datastreams).

Sample AEP Roles

RoleExample Permissions
Platform AdministratorManage Sandboxes, Datasets, Schemas, Sources, Destinations, Identity, Governance, Query Service
Platform DeveloperCreate and modify Schemas, Datasets, Sources, Destinations, Queries (typically non-production)
Data EngineerManage Data Ingestion, Schemas, Datasets, Monitoring
Data AnalystRead Datasets, Execute Queries, View Schemas
CJA Data Management (minimal)Minimal AEP access to the datasets and schemas that back CJA Connections and Data Views — the only place CJA touches an AEP Role
Data Collection Datastreams (minimal)Manage Datastreams plus view access to the target sandbox, datasets, and schemas — the only place Data Collection touches an AEP Role

The key idea is to keep Product Profiles simple while using AEP Roles to enforce least-privilege access on the platform.

Example Access Mapping

Business PersonaAdmin Console User GroupProduct ProfileAEP Role
Platform AdministratorPlatform AdminsAEP-Default-All-Users (OOTB)Platform Administrator
Platform DeveloperPlatform DevelopersAEP-Default-All-Users (OOTB)Platform Developer
Data EngineerData EngineeringAEP-Default-All-Users (OOTB)Data Engineer
Data AnalystAnalytics TeamAEP-Default-All-Users (OOTB)Data Analyst
CJA AdministratorCJA AdministratorsCJA AdministratorMinimal — Data Management only
CJA Business UserCJA Business UsersCJA Business UserNone
Data Collection AdministratorData Collection AdminsData Collection AdministratorN/A
Data Collection DeveloperData Collection DevelopersData Collection DeveloperN/A

Reading the table: each persona gets exactly one User Group, which carries the Product Profile and (where applicable) the AEP Role. None / N/A means the persona needs no AEP Role — Customer Journey Analytics and Adobe Data Collection are otherwise governed by their Product Profiles, not by AEP RBAC. The two platform crossovers are handled explicitly: CJA Data Management is granted here on the CJA Administrator (a minimal AEP Role for the underlying datasets and schemas), while Data Collection datastreams are owned by the Platform Administrator in this example — which is why the Data Collection personas show N/A. If your Data Collection team owned datastreams instead, they would carry a minimal AEP Role too.

Customer Journey Analytics Consideration

Customer Journey Analytics access is normally governed entirely by its Product Profile. There is one exception worth calling out.

If a user is responsible for managing Connections, Data Views, and Data Management in CJA, the CJA Product Profile alone is not sufficient. In addition to it, the user should also:

  • Hold the AEP application Product Profile (e.g., AEP-Default-All-Users) so they can reach the Adobe Experience Platform interface, where Data Management lives.
  • Have a minimal AEP Role that grants access to the datasets and schemas backing those Connections and Data Views. This is the only situation in which CJA relies on an AEP Role.
  • Be assigned as a Product Administrator in the Adobe Admin Console when responsible for administering Customer Journey Analytics.
Understanding the distinction between Product Profiles, Product Administrators, and AEP Roles is critical when designing access for CJA administrators.

Separation of Responsibilities

One of the biggest advantages of this model is that every layer has a clear purpose.

LayerResponsibility
Admin Console User GroupRepresents the user's business function
Product ProfileDetermines which Adobe products the user can access
AEP RoleDetermines what the user can do within AEP
Sandbox PermissionsDetermines where the user can perform those actions

Keeping these responsibilities separate results in a cleaner and more maintainable access model.

Benefits

This approach provides several advantages:

  • Reduced number of Product Profiles
  • Simplified onboarding and offboarding
  • Better governance and auditability
  • Clear separation of business and technical responsibilities
  • Easier administration
  • Scalable role-based access control (RBAC)
  • Improved security through the Principle of Least Privilege

How to Apply This Model

If you want to adapt this in your own tenant, a practical order of operations is:

  1. List your business personas. Start from what people actually do (administer, develop, engineer, analyze, report) — not from Adobe's technical objects.
  2. Create one User Group per persona in the Admin Console. This is the only thing you'll assign people to.
  3. Default to the OOTB AEP Product Profile. Add custom Product Profiles only where you need product-level segregation (e.g., CJA, Data Collection).
  4. Define AEP Roles for least privilege and map each platform User Group to the role that matches its persona. Groups that only need CJA or Data Collection generally require no AEP Role — the exceptions are the two crossovers (CJA Data Management, and Data Collection datastreams if that team owns them).
  5. Scope with sandbox permissions so non-production personas can't touch production.
  6. Handle CJA administration separately — remember the Product Administrator assignment for anyone managing Connections and Data Views (see the note above).
  7. Document the mapping (a table like the one above) and make it the single source of truth for onboarding and audits.
Rule of thumb: if you're about to create a new Product Profile, first ask whether an AEP Role or sandbox permission can express the same intent. Reserve Product Profiles for product access, and let Roles handle what and where.

Final Thoughts

As AEP deployments mature, access management becomes a critical success factor. Rather than treating User Groups, Product Profiles, and AEP Roles as interchangeable, defining a clear responsibility for each layer results in a governance model that is scalable, maintainable, and easier to operate.

This layered approach has worked well in practice by reducing administrative overhead while maintaining flexibility for different Adobe products such as AEP, Customer Journey Analytics, and Adobe Data Collection.

I'd be interested to hear how others are designing their AEP access models. Are you using mostly OOTB Product Profiles, creating custom Product Profiles, or adopting a layered RBAC strategy similar to this?

Tuesday, June 23, 2026

Troubleshooting Snowflake Source Connection Issues in Adobe Experience Platform (AEP)

While configuring Snowflake as a source in Adobe Experience Platform (AEP), I encountered a generic authentication error that initially appeared to be related to credentials or key-pair authentication. However, as with many integration issues, the root cause was not immediately obvious.

This experience highlighted several areas worth validating whenever a Snowflake-to-AEP connection fails.

Common Areas to Investigate

1. Verify Snowflake Credentials and Permissions

Before diving into advanced troubleshooting, confirm:

  • Username is correct

  • Assigned role has access to the warehouse, database, schema, and objects

  • Warehouse is active

  • Account identifier is configured correctly

Many connection failures originate from simple configuration issues.

2. Validate Key-Pair Authentication

If you're using key-pair authentication, ensure:

  • The private key is in a supported format (typically PKCS#8)

  • The corresponding public key is registered against the Snowflake user

  • The correct private key is being supplied to the connector

A common point of confusion is the distinction between:

  • .p8 files

  • .pem files

  • Base64-encoded private keys

The file extension itself is less important than the underlying content. Both .p8 and .pem files can contain valid PEM-formatted private keys.

3. Generating a Base64-Encoded Private Key

Many integrations require the private key to be supplied as a Base64-encoded string.

Linux documentation often references:

cat snowflake_private_key.p8 | base64 -w0 > snowflake_private_key_base64.txt

The equivalent Python script is:

import base64 input_file = "snowflake_private_key.p8" output_file = "snowflake_private_key_base64.txt" with open(input_file, "rb") as f: encoded_key = base64.b64encode(f.read()).decode("utf-8") with open(output_file, "w") as f: f.write(encoded_key) print(f"Base64-encoded key saved to {output_file}")

This produces the same output as the Linux command and works across Windows, macOS, and Linux.

4. Check Network Policies and IP Whitelisting

One of the most overlooked causes of authentication failures is network access.

Even when credentials and keys are configured correctly, Snowflake may reject incoming connections if:

  • Network policies are enabled

  • IP allowlists are configured

  • Corporate firewalls restrict outbound traffic

  • Adobe Experience Platform IP ranges are not permitted

In these cases, the error may still appear as a generic authentication failure.

A useful question to ask is:

Is there a Snowflake Network Policy or IP allowlist that could be blocking connections from Adobe Experience Platform?

5. Verify Source Configuration

Review:

  • Account identifier
  • Authentication method
  • User configuration
  • Warehouse, database, and schema access
  • Source object selection (table/view)

Small configuration inconsistencies can prevent successful authentication.

Validating Connectivity Outside AEP

Before spending too much time troubleshooting the AEP connector, it can be helpful to validate the Snowflake connection directly from your local machine. This helps isolate whether the issue is related to Snowflake authentication and connectivity or specific to the AEP source configuration.

Use the Python script below to validate connectivity from your local environment outside of AEP.

Note: If Snowflake Network Policies or IP whitelisting are enabled, ensure your local IP address is allowed. For initial testing, you may consider temporarily relaxing or disabling the network policy (following your organization's security guidelines) to eliminate IP restrictions as a potential cause.

In my case, the issue was not related to Snowflake connectivity or IP whitelisting. The root cause was an improperly encoded private key value being supplied to the connector. Running this local validation helped quickly narrow down the troubleshooting scope and confirm that key-pair authentication was working correctly outside of AEP.


import snowflake.connector
from cryptography.hazmat.primitives import serialization

USER = "user"
ACCOUNT = "organization-accountname"
DATABASE = "DATABASE"
WAREHOUSE = "WAREHOUSE"

PRIVATE_KEY_FILE = "snowflake_private_key.p8"

# Read private key from file
with open(PRIVATE_KEY_FILE, "rb") as key_file:
    private_key = serialization.load_pem_private_key(
        key_file.read(),
        password=None,
    )

# Convert to DER format required by Snowflake connector
private_key_der = private_key.private_bytes(
    encoding=serialization.Encoding.DER,
    format=serialization.PrivateFormat.PKCS8,
    encryption_algorithm=serialization.NoEncryption(),
)

conn = snowflake.connector.connect(
    user=USER,
    account=ACCOUNT,
    private_key=private_key_der,
    warehouse=WAREHOUSE,
    database=DATABASE,
)

try:
    cur = conn.cursor()
    cur.execute("""
        SELECT
            CURRENT_ORGANIZATION_NAME(),
            CURRENT_ACCOUNT_NAME(),
            CURRENT_ACCOUNT(),
            CURRENT_USER()
    """)
    print(cur.fetchone())

finally:
    cur.close()
    conn.close()

Key Takeaways

When troubleshooting Snowflake source connections in AEP:

  1. Validate credentials and permissions.

  2. Confirm key-pair authentication is configured correctly.

  3. Ensure private keys are encoded in the expected format.

  4. Check Snowflake network policies and IP allowlists.

  5. Review connector configuration details carefully.

Most importantly, don't assume every authentication error is caused by bad credentials. In many enterprise environments, network restrictions and key-formatting issues are equally likely root causes.

By methodically validating each layer, you can significantly reduce troubleshooting time and get your Snowflake source connected successfully.

Thursday, July 3, 2025

Search Indexing Demystified: Push vs Pull, and When to Use Each

Search engines are essential to building content-driven user experiences — from marketing websites to product catalogs to knowledge portals. But before you can deliver great search results, you need a solid content indexing strategy.

One of the foundational questions in search implementation is:

“How do we get our content into the search engine index?”

The answer revolves around two key paradigms: Push vs Pull indexing.

In this post, we’ll break down what each means, when to use them, real-world use cases, and how tools like ElasticSearch support both.

1. What is Search Indexing and Why Does It Matter?

Search indexing is the process of collecting, processing, and storing content in a search engine so it can be retrieved when users search.

Indexing ensures:

  • New content is discoverable (e.g., product pages, articles)
  • Updates are reflected in search (e.g., price or availability changes)
  • Deleted content is removed from results
⚠️ Without proper indexing, your search results may be stale, incomplete, or misleading — leading to a poor user experience.

2. Push vs Pull Indexing: Core Concepts





Push Indexing

You actively send content to the search engine via APIs, SDKs, or data pipelines.

When to Use:

  • Real-time updates are essential (e.g., stock, pricing)
  • You own/control the source (e.g., CMS, PIM)
  • Structured content (databases, JSON)

Typical Scenarios:

  • E-commerce platforms updating inventory
  • CMS pushing new articles
  • News feeds or user-generated content systems

Pull Indexing

The search engine retrieves content itself using crawlers, connectors, or scheduled jobs.

When to Use:

  • Indexing public or 3rd-party content
  • Static content where real-time isn’t critical
  • Unstructured sources (HTML, PDFs, docs)

Typical Scenarios:

  • Crawling a blog using sitemap.xml
  • Indexing SharePoint or Google Drive documents
  • Pulling external data via REST APIs

3. Push vs Pull: Decision Matrix


4. ElasticSearch as an Example


Push Indexing in ElasticSearch

  • Use Index API or Bulk API to send data
  • Set up Ingest Pipelines for transformation
    POST /products/_doc/123
{
"name": "Product X",
"description": "High quality...",
"price": 59.99
}

Pull Indexing in ElasticSearch

Via Enterprise Search connectors:

  • Web crawler (starting from sitemap)
  • REST API data source
  • Database connectors (MySQL, MongoDB, etc.)

5. Real-World Use Cases



6. How Other Platforms Handle Indexing



7. Final Thoughts: Designing Your Indexing Pipeline

When deciding between Push and Pull:

Consider:

  • Content structure (structured vs unstructured)
  • Frequency of updates
  • Source system control
  • Access restrictions

Hybrid approaches often work best:

  • Push structured, frequently updated content (e.g., products)
  • Pull public or slowly changing content (e.g., blogs, FAQs)

 Takeaway

Before implementing search, take time to define your indexing strategy — it’s as important as search relevance itself.

If you’re using ElasticSearch:

  • Start with Push for internal systems
  • Explore Pull using crawlers or connectors as your content ecosystem expands

And remember: great search depends not just on what you show, but on how fast and reliably you get it there.

Monday, March 31, 2025

Enabling Custom Validation for Content Fragment Fields in AEM as a Cloud Service – New CF Editor

In my earlier posts, we discussed how to enable Composite MultiField in Content Fragments and how to enable dynamic data fields in the new Content Fragment editor. In this post, we will explore how to enable custom validations for Content Fragment fields. Most of the steps are similar to those outlined in the previous posts. You will create a field in the Content Fragment model, and using the field name, you will register the extension. Please refer to one of the earlier posts for a step-by-step guide to enabling the extension.

While creating a Content Fragment Model, you can set up various out-of-the-box (OOTB) validations for the CF fields, such as MaxLength and Required. These validations should be applied to the overridden fields by fetching the configurations from the model. Additionally, other validations like Email, URL, and Regex can also be applied to the fields from the model.

Note: Please be aware that the content of this blog does not reflect the views of Adobe or my current organization. Before applying this approach, make sure to validate it thoroughly and ensure that it aligns with Adobe's recommendations.



Now, additional validations can be applied through the extension. The out-of-the-box (OOTB) validations, such as Email, URL, and custom regex validations, are applied first, followed by custom validations. For example, if I enable Email validation, the field will only accept valid email addresses. Then, I can add another custom validation rule to reject certain predefined emails, such as [email protected]. This can be achieved through custom regex, but I’m just using this as an example for the demo.

Extension Component to enable additional custom validation Rules:

CustomFieldValidation.js

import React, { useEffect, useState } from "react";
import { attach } from "@adobe/uix-guest";
import { extensionId } from "./Constants";
import { TextField, Provider, View, defaultTheme } from "@adobe/react-spectrum";

const CustomFieldValidation = () => {
  const [connection, setConnection] = useState(null);
  const [model, setModel] = useState(null);
  const [value, setValue] = useState("");
  const [customError, setCustomError] = useState(null);
  const [isInvalid, setIsInvalid] = useState(false);
  const [validationInProgress, setValidationInProgress] = useState(false);

  const validate = (val) => {
    if (!connection?.host?.field) return;

    let error = null;

    // Custom validation rule
    if (typeof val === "string" && val.toLowerCase() === "[email protected]") {
      error = "The value '[email protected]' is not allowed.";
    }

    setCustomError(error);
    setIsInvalid(!!error);

    if (!error || validationInProgress) return;

    setValidationInProgress(true);

    // Delay call to allow host readiness
    setTimeout(() => {
      try {
        connection.host.field
          .setValidationState({ state: "invalid", message: error })
          .catch((err) => {
            console.warn(
              "setValidationState failed:",
              err?.message || JSON.stringify(err)
            );
          })
          .finally(() => setValidationInProgress(false));
      } catch (err) {
        console.warn("setValidationState threw:", err?.message || JSON.stringify(err));
        setValidationInProgress(false);
      }
    }, 1000); // 1s delay for stability
  };

  const handleChange = (val) => {
    setValue(val);

    try {
      connection?.host?.field?.onChange(val).catch((err) =>
        console.warn("onChange failed:", err?.message || JSON.stringify(err))
      );
    } catch (err) {
      console.warn("onChange threw:", err?.message || JSON.stringify(err));
    }

    validate(val);
  };

  useEffect(() => {
    const init = async () => {
      try {
        if (!extensionId) {
          throw new Error("Missing extensionId. Check Constants file.");
        }

        const conn = await attach({ id: extensionId });

        if (!conn?.host?.field) {
          throw new Error("Host field API is unavailable.");
        }

        setConnection(conn);

        const modelData = await conn.host.field.getModel();
        setModel(modelData);

        const defaultValue = (await conn.host.field.getDefaultValue()) || "";
        setValue(defaultValue);
      } catch (err) {
        console.error("Extension init failed:", err?.message || JSON.stringify(err));
      }
    };

    init();
  }, []);

  if (!connection || !model) {
    return (
      <Provider theme={defaultTheme}>
        <View padding="size-200">Loading custom field…</View>
      </Provider>
    );
  }

  return (
    <Provider theme={defaultTheme}>
      <View padding="size-200" width="100%">
        <TextField
          label={model?.fieldLabel || "Custom Field"}
          value={value}
          onChange={handleChange}
          isRequired={model?.required || false}
          placeholder={model?.emptyText || "Enter a value"}
          validationState={isInvalid ? "invalid" : undefined}
          errorMessage={model?.customErrorMsg || customError}
          maxLength={model?.maxLength || undefined}
          width="100%"
        />
      </View>
    </Provider>
  );
};
export default CustomFieldValidation;

Now the custom validation Rules are executed


Sunday, March 9, 2025

Error response from daemon: Get "https://registry-1.docker.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

While trying to pull a Docker image, the docker pull command was stuck forever without any progress or error.

System Details:

  • Windows 10
  • WSL 2 - Ubuntu
  • Docker Desktop 4.38.0

Issue Faced:


Running docker pull was stuck indefinitely.


Trying to log - docker login -u <username> in using the command prompt failed with this error:
"Error response from daemon: Get "https://registry-1.docker.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)" 

Even signing into Docker Desktop was not successful.

Login on Docker Hub via browser was working fine, but Docker Desktop was not picking up the login session.

I followed different forums and applied multiple configuration suggestions, including adjusting nameserver settings inside /etc/resolv.conf, but nothing worked.

Also, WSL 2 networking was working fine otherwise — only Docker commands were impacted.

Resolution:

Finally, the issue got resolved after upgrading Docker Desktop to the latest version (4.39.0).
(Older versions may also work — I tried with 4.35.1, and it worked as well).