Restrict delivery of assets with Dynamic Media with OpenAPI capabilities restrict-access-to-assets
Central asset governance in Experience Manager allows the DAM Admin or Brand Managers to manage access to assets available through Dynamic Media with OpenAPI capabilities. They can restrict delivery of approved assets (down to an individual asset) to selected by configuring certain metadata on assets on their the AEM as a Cloud Service author service.
Once an asset is restricted through Dynamic Media with OpenAPIs, only the (ÃÛ¶¹ÊÓƵ IMS onboarded) users authorized to access the said asset are granted access. To access the asset, the user must leverage Search and Delivery capabilities of Dynamic Media with OpenAPI.
In Experience Manager Assets, restricted delivery via IMS involves two key stages:
- Authoring
- Delivery
Authoring authoring
Restricted delivery using an IMS Bearer token restrict-delivery-ims-token
You can restrict the delivery of assets within Experience Manager based on IMS User and Group Identities .
Restrict delivery of assets using On and Off date and time restrict-delivery-assets-date-time
DAM authors can also restrict the delivery of assets by defining an On or Off time for activation available in Asset properties.
If you define an On time for activation of an asset, a delivery URL gets generated for the asset at the defined time. The asset remains inactive before the defined time. Similarly, if you define an Off time for an asset, the asset is deactivated at the defined time and the delivery URL for the asset stops displaying the asset.
Execute the following steps to set the On and Off time for the asset:
-
Select the asset and click Properties.
-
In the Scheduled (de) activation section of the Basic tab, define the On Time or the Off Time based on your requirements.
Similarly, in Assets view, you can select the asset and click Details to view asset properties and define On time and Off time.
The field is available in the default metadata form. If your asset is not based on the default metadata schema and the On Time and Off Time fields are not available in the asset properties, execute the following steps in Admin view:
-
Navigate to Tools > Assets > Metadata Schemas.
-
Select the metadata schema and click Edit.
-
Add a Date field from the Build Form section in right side to Metadata section in the form.
-
Click the newly added field, and then do the following updates in the Settings panel:
- Change the Field Label to On Time or Off Time.
- Update the Map to property to ./jcr:content/onTime for On Time field and ./jcr:content/offTime for Off Time field.
-
Click Save.
Similarly, for Assets view, if your asset is not based on the default metadata schema and the On Time and Off Time fields are not available in the asset properties, execute the following steps:
- Click Metadata Forms in the Settings section.
- Select the metadata form and click Edit.
- Add a Date field from the Components section in left pane to the form.
- Click the newly added field and change the Label to On Time or Off Time.
- Update the Metadata property to ./jcr:content/onTime for On Time field and ./jcr:content/offTime for Off Time field.
- Click Save.
Delivery of restricted assets delivery-restricted-assets
The delivery of restricted assets is based on successful authorization to access assets. The authorization is either through (application for requests initiated from AEM Asset Selector), or a secure-cookie (if you have custom identity providers set up on your AEM Publish/Preview services, and have set up the cookie creation and inclusion on the pages).
Delivery for AEM author or Asset Selector requests delivery-aem-author-asset-selector
To enable the delivery of restricted assets in case the request is sent from AEM author service or AEM Asset Selector, a valid IMS Bearer token is essential.
On AEM Cloud Service author services as well as Asset Selector, the IMS Bearer Token is automatically generated and used for requests after a successful login.
-
For non-Asset Selector based experiences, AEM as a Cloud Service and Dynamic Media with OpenAPI capabilities currently support server-side-api integrations and can generate IMS Bearer tokens.
- Follow the instructions here to perform service-to-server API integrations that can retrieve the IMS Bearer tokens through AEM as a Cloud Service Developer Console
- For limited duration, local developer access (not meant for production use cases), short-lived IMS Bearer tokens for the user authenticated on AEM as a Cloud Service Developer Console can be generated by following the instructions here
-
While making Search and Delivery API requests, add the obtained IMS Bearer token to the Authorization header of the HTTP request (ensure that its value is prefixed with Bearer).
-
To validate the access restriction, initiate a Delivery API request with and without the Authorization header.
- The response will yield a
404
error status-code in cases where there is no IMS Bearer token, or the provided IMS Bearer token doesn’t belong to the user that was granted access to the asset (either directly, or through group membership). - The response will yield a
200
success status-code with the binary content of the asset if the IMS Bearer token is one of the user or groups that were granted access to the asset.
- The response will yield a
Delivery for custom identity providers on Publish service delivery-custom-identity-provider
AEM Sites, AEM Assets and Dynamic Media with OpenAPI licenses can be used together, allowing for restricted delivery of assets to be configured on websites hosted on AEM Publish or Preview service. The secure delivery flow leverages browser cookies to establish user’s access and having a custom domain for delivery tier that is subdomain of the publish domain is a pre-requisite for implementing this use case. In case AEM Sites’ Publish and Preview services are configured to use a custom identity provider (IdP), a new cookie called delivery-token
encapsulating user’s group membership must be set on publish domain post user’s authentication. The delivery tier extracts the authorization material from the secure-cookie and validates the access. Please log an enterprise support ticket for more details.