Metadata-Driven Permissions metadata-driven-permissions
Metadata-Driven Permissions is a feature used to allow access control decisions on AEM Assets Author to be based on asset metadata properties rather than folder structure. With this capability, you can define access control policies that evaluate attributes such as asset status, type, or any custom metadata property you define.
Let鈥檚 see an example. Creatives upload their work to AEM Assets to the campaign related folder, it might be a work in progress asset which has not been approved for use. We want to make sure that marketeers see only approved assets for this campaign. We can utilize metadata property to indicate that an asset has been approved and can be used by the marketeers.
How It Works
Enabling Metadata-Driven Permissions involves defining which asset metadata properties will drive access restrictions, such as 鈥渟tatus鈥 or 鈥渂rand.鈥 These properties can then be used to create access control entries that specify which user groups have access to assets with specific property values.
Prerequisites
Access to an AEM as a Cloud Service environment updated to the latest version is required for setting up metadata-driven permissions.
OSGi configuration configure-permissionable-properties
To implement Metadata-Driven Permissions a developer must deploy an OSGi configuration to AEM as a Cloud Service, that enables specific asset metadata properties to power metadata-driven permissions.
-
Determine which asset metadata properties will be used for access control. The property names are the JCR property names on the asset鈥檚
jcr:content/metadata
resource. In our case it going to be a property calledstatus
. -
Create an OSGi configuration
com.adobe.cq.dam.assetmetadatarestrictionprovider.impl.DefaultRestrictionProviderConfiguration.cfg.json
in your AEM Maven project. -
Paste the following JSON into the created file:
code language-json { "restrictionPropertyNames":[ "status", "brand" ], "enabled":true }
-
Replace the property names with the required values.
Reset base asset permissions
Before adding restriction-based Access Control Entries, a new top-level entry should be added to first deny read access to all groups that are subject to permission evaluation for Assets (e.g. 鈥渃ontributors鈥 or similar):
- Navigate to the Tools 鈫 Security 鈫 Permissions screen
- Select the Contributors group (or other custom group that all users groups belong to)
- Click Add ACE in the upper right corner of the screen
- Select
/content/dam
for Path - Enter
jcr:read
for Privileges - Select
Deny
for Permission Type - Under Restrictions, select
rep:ntNames
and enterdam:Asset
as the Restriction Value - Click Save
Grant access to assets by metadata
Access control entries can now be added to grant read access to user groups based on the configured Asset metadata property values.
- Navigate to the Tools 鈫 Security 鈫 Permissions screen
- Select the user groups that should have access to the assets
- Click Add ACE in the upper right corner of the screen
- Select
/content/dam
(or a subfolder) for Path - Enter
jcr:read
for Privileges - Select
Allow
for Permission Type - Under Restrictions, select one of the configured Asset metadata property names in the the OSGi configuration
- Enter the required metadata property value in the Restriction Value field
- Click the + icon to add the Restriction to the Access Control Entry
- Click Save
Metadata-driven permissions in effect
Example folder contains a couple of assets.
Once you configure permissions and set the asset metadata properties accordingly users (Marketeer User in our case) will see only approved asset.
Benefits and considerations
Benefits of Metadata-Driven Permissions include:
- Fine-grained control over asset access based on specific attributes.
- Decoupling of access control policies from folder structure, allowing for more flexible asset organization.
- Ability to define complex access control rules based on multiple metadata properties.
- Metadata properties are evaluated against the restrictions using String equality (
=
) (other data types or operators are not yet supported, for greater than (>
) or Date properties) - To allow multiple values for a restriction property, additional restrictions can be added to the Access Control Entry by selecting the same property from the 鈥淪elect Type鈥 dropdown and entering a new Restriction Value (e.g.
status=approved
,status=wip
) and clicking 鈥+鈥 to add the restriction to the entry
- AND restrictions are supported, via multiple restrictions in a single Access Control Entry with different property names (e.g.
status=approved
,brand=蜜豆视频
) will be evaluated as an AND condition, i.e. the selected user group will be granted read access to assets withstatus=approved AND brand=蜜豆视频
- OR restrictions are supported by adding a new Access Control Entry with a metadata property restriction will establish an OR condition for the entries, e.g. a single entry with restriction
status=approved
and a single entry withbrand=蜜豆视频
will be evaluated asstatus=approved OR brand=蜜豆视频