Our AEM instance has multiple tenants (e.g. different departments that shouldn't be able to access each other's sites and/or assets). How do we manage the permissions so that the tenants cannot view each other's content?
To simplify managing permissions in a multi-tenant system, use access control entries (ACEs) that carry a rep:glob restriction. With them you grant each group only what it should see (allow-only), instead of granting broad access and then taking parts of it back with deny entries. An entry is still stored on a node, but the glob pattern decides which paths beneath that node it applies to; an empty pattern limits the entry to that node alone, which is what lets a group open /content without reading any tenant folder inside it.
To demonstrate, assume a repository containing /content/siteA, /content/siteB and /content/siteC, with the requirement that authors of siteA cannot view siteB or siteC, authors of siteB cannot view siteA or siteC, and authors of siteC cannot view siteA or siteB.
A. Create a group for each site
The first step is to create a common group plus one group per site, for example common-authors, siteA-authors, siteB-authors and siteC-authors. Use the user administration UI to add the groups, and make each site group a member of common-authors so that it inherits the shared access granted in step B.
B. Grant the common-authors group jcr:read on /content with an empty rep:glob restriction. The empty pattern limits the entry to the /content node itself, so members can open the content tree without being able to read any tenant's site beneath it; each tenant's read access to its own site (e.g. /content/siteA for siteA-authors) is granted separately on that site's group.
C. Give each site group the ability to modify its own branch of experience fragments (for example /content/experience-fragments/siteA for siteA-authors) without being able to delete them: grant jcr:read, jcr:modifyProperties and jcr:addChildNodes on that branch, and do not grant jcr:removeNode or jcr:removeChildNodes, which are the privileges deletion requires.
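The following is an added example, not code from the original article: it performs steps A to C with the Jackrabbit/Oak API that AEM exposes, and then checks the outcome for one tenant group by evaluating the privileges of its principals rather than logging in as a member. It assumes an admin Session, that the site roots /content/siteA, /content/siteB and /content/siteC already exist, that experience fragments live under /content/experience-fragments/<site>, and the group names used above; the class and method names are my own.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

/**
 * Added example (not the article's code). Assumes an admin Session, existing site
 * roots /content/siteA..C and the experience-fragment layout in XF_ROOT.
 */
public class TenantPermissions {

    static final String[] SITES = {"siteA", "siteB", "siteC"};
    static final String XF_ROOT = "/content/experience-fragments";   // assumed layout

    public static void apply(Session session) throws RepositoryException {
        UserManager um = ((JackrabbitSession) session).getUserManager();
        // An empty rep:glob confines the entry to the node it is bound to, so the
        // group can open /content but sees none of the tenant folders below it.
        Map<String, Value> nodeOnly = Collections.singletonMap(
                "rep:glob", session.getValueFactory().createValue(""));
        Map<String, Value> noRestriction = Collections.emptyMap();

        // A + B: the shared group and its node-only read on the two parent folders
        Group common = groupFor(um, "common-authors");
        allow(session, common.getPrincipal(), "/content", nodeOnly, Privilege.JCR_READ);
        allow(session, common.getPrincipal(), XF_ROOT, nodeOnly, Privilege.JCR_READ);

        for (String site : SITES) {
            Group tenant = groupFor(um, site + "-authors");
            common.addMember(tenant);   // inherits the node-only reads above

            // Allow-only: siteB stays invisible to siteA simply because no entry
            // grants it, so no deny entries are needed anywhere.
            allow(session, tenant.getPrincipal(), "/content/" + site, noRestriction,
                    Privilege.JCR_READ);

            // C: edit and create under the tenant's experience fragments; the delete
            // privileges (jcr:removeNode, jcr:removeChildNodes) are deliberately absent.
            allow(session, tenant.getPrincipal(), XF_ROOT + "/" + site, noRestriction,
                    Privilege.JCR_READ, Privilege.JCR_MODIFY_PROPERTIES,
                    Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_NODE_TYPE_MANAGEMENT,
                    Privilege.JCR_VERSION_MANAGEMENT, Privilege.JCR_LOCK_MANAGEMENT);
        }
        session.save();
    }

    /** True if the group, together with the groups it belongs to, holds the privileges at path. */
    public static boolean groupHas(Session session, String groupId, String path,
                                   String... privilegeNames) throws RepositoryException {
        Authorizable group = ((JackrabbitSession) session).getUserManager().getAuthorizable(groupId);
        Set<Principal> principals = new HashSet<>();
        principals.add(group.getPrincipal());
        for (Iterator<Group> it = group.memberOf(); it.hasNext();) {
            principals.add(it.next().getPrincipal());   // hasPrivileges does not expand membership
        }
        JackrabbitAccessControlManager acm =
                (JackrabbitAccessControlManager) session.getAccessControlManager();
        return acm.hasPrivileges(path, principals,
                AccessControlUtils.privilegesFromNames(session, privilegeNames));
    }

    /** What the configuration above should yield for siteA-authors. */
    public static boolean verifySiteA(Session session) throws RepositoryException {
        return groupHas(session, "siteA-authors", "/content", Privilege.JCR_READ)
            && groupHas(session, "siteA-authors", "/content/siteA", Privilege.JCR_READ)
            && !groupHas(session, "siteA-authors", "/content/siteB", Privilege.JCR_READ)
            && groupHas(session, "siteA-authors", XF_ROOT + "/siteA", Privilege.JCR_MODIFY_PROPERTIES)
            && !groupHas(session, "siteA-authors", XF_ROOT + "/siteA", Privilege.JCR_REMOVE_NODE);
    }

    private static Group groupFor(UserManager um, String id) throws RepositoryException {
        Authorizable existing = um.getAuthorizable(id);
        return existing != null ? (Group) existing : um.createGroup(id);
    }

    private static void allow(Session session, Principal principal, String path,
                              Map<String, Value> restrictions, String... privilegeNames)
            throws RepositoryException {
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, path);
        acl.addEntry(principal, AccessControlUtils.privilegesFromNames(session, privilegeNames),
                true, restrictions);
        session.getAccessControlManager().setPolicy(path, acl);
    }
}
```

Two caveats worth knowing before copying this pattern. Withholding jcr:removeNode and jcr:removeChildNodes stops a tenant from deleting fragments, but it also stops them from removing components inside a fragment, because those are child nodes too; decide whether that is acceptable for your authors. And the check in verifySiteA evaluates the group's own principal set, so it only proves what the entries grant; if a user also belongs to other groups with broader entries, those still apply. Assets under /content/dam/<site> can be handled the same way: a node-only read on /content/dam for common-authors and per-site entries on each tenant's folder.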