Attribute-based access control
Attribute-based access control (ABAC) lets Content Hub administrators define metadata-based rules that determine which assets each user group can access in Content Hub.
Administrators for an organization define rules for user groups, each of which is identified by a Group ID. Rules combine logical and comparison operators, and administrators can define as many rules as they need to manage asset access within Content Hub.
The rules are evaluated against asset metadata: if an asset's metadata satisfies the conditions defined in a rule, the asset is displayed to that user group. Content Hub scans the asset metadata, including custom metadata, for all assets available within All Assets and Collections to build the results shown to each user group.
For example, ALLOW access to the user group with Group ID = 1011 when asset metadata matches Brand = Brand X AND (Region = EMEA OR Region = Americas). Content Hub then displays to the user group with ID = 1011 only those assets where Brand = Brand X and Region is EMEA or Americas.
Some of the key benefits of attribute-based access control include:
- Eliminates the dependency on folder structure for permissions
- Allows administrators to upload assets first and determine the permission structure retroactively
- Reduces the number of duplicates and so improves asset integrity: with folder-based permissions, the same asset must be duplicated whenever it is shared with different groups, whereas a single asset with the right metadata can be shown to several groups
How to enable Attribute-based access control?
Currently, you cannot create attribute-based access control rules yourself in the Content Hub user interface.
Click Download Spreadsheet to download the spreadsheet and define your rules in it. Then create an Adobe support ticket and provide the spreadsheet with the defined rules to Adobe.
Define the rules in the spreadsheet using the guidelines in this article.
Example Attribute-based Access Control use case
To support a large-scale marketing rollout, team members across regions and brands need access to digital assets. Each persona has a specific scope based on region and brand, and ABAC enforces that scope automatically through asset metadata. The following table illustrates the different types of personas for this use case and the rules applied to each:
Using these rules, Content Hub administrators get:
- Granular, rule-based access: Users see only the assets relevant to their region and brand, with no manual permission assignments.
- Seamless global collaboration: Regional and brand teams work in parallel without access conflicts.
- Scalable and future-proof permissions: As new regions or brands are added, rules can be updated based on metadata.
Supported rule constructs
- Logical operators:
  - AND: All conditions must be true
  - OR: At least one condition must be true
- Comparison operators:
  - Equals (=): Checks whether a user or asset attribute matches a value
  - Not Equals (!=): Checks whether a user or asset attribute does not match a value
When an asset metadata field contains an array (for example, multiple regions or tags), Equals behaves as contains (the condition is true if any element of the array equals the value) and Not Equals behaves as does not contain (the condition is true only if no element of the array equals the value).
This allows you to write simple and expressive rules, such as: ALLOW if region = emea AND assetType != prototype AND tags != confidential. Because of the array semantics, tags != confidential excludes any asset whose tags include confidential, regardless of which other tags the asset carries.
Guidelines
- ABAC rules apply only to assets approved for Content Hub. For more information, see Approve Assets for Content Hub.
- Do not write DENY rules; instead, always convert a DENY rule into an equivalent ALLOW rule by negating the DENY condition and combining it with the ALLOW condition using AND. For example,
  ALLOW if region = <user-region>
  DENY if assetType = prototype AND confidential = yes
  can be converted to
  ALLOW if region = <user-region> AND (assetType != prototype OR confidential != yes)
- ABAC rules are applied to user groups using the IMS Group ID, which is available in the Admin Console.
- You can set the Approval Target for assets in the AEM as a Cloud Service author environment. ABAC rules are applied to assets approved with Approval Target = Content Hub. Approval Target = Delivery makes an asset available for Delivery + Content Hub, and assets with Approval Target = Delivery are visible to all users in Content Hub, so do not use that target for assets whose visibility must be restricted by an ABAC rule.
- Ensure that the metadata schemas used in ABAC rules are correctly defined and available in AEM. Provide the full path of the metadata schema(s) in AEM that define the properties referenced in the ABAC rules. Optionally, create a test folder with a few sample assets whose metadata values match the ABAC conditions; this helps verify rule behaviour and evaluate access accurately.
- Capture the business intent of each rule in a comment, regardless of whether the condition is correctly written, as the intent helps Adobe validate and correct the logic if required.
- The license PDF files used for DRM must remain visible to all users, so that users can see them when downloading an asset with a license.
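The rule constructs described in Supported rule constructs and the DENY-to-ALLOW rewrite recommended in the guidelines, as an added example that is not part of this page and not Content Hub's own code: a small Python evaluator that applies AND, OR, = and != with the array "contains" semantics to sample asset metadata, then rewrites an ALLOW/DENY pair into a single ALLOW rule by negating the DENY condition and checks that the rewrite decides every sample asset exactly as ALLOW-minus-DENY would. The tuple rule format, the sample assets, the Group ID 1011 rule encoding and the treatment of a metadata field that is absent from an asset (it satisfies != here) are assumptions made for this example, not Content Hub's spreadsheet format or its documented behaviour.

```python
"""Evaluate Content Hub-style ABAC rules against asset metadata (constructed example)."""

# Rule representation assumed for this example (not the Content Hub spreadsheet format):
#   ("=",  field, value)     equals, or "contains" when the field holds an array
#   ("!=", field, value)     not equals, or "does not contain" for an array
#   ("AND", rule, rule, ...) all sub-rules must be true
#   ("OR",  rule, rule, ...) at least one sub-rule must be true


def _matches(actual, value):
    """Equals for scalars, contains for arrays. A missing field never matches."""
    if isinstance(actual, (list, tuple, set)):
        return value in actual
    return actual is not None and actual == value


def evaluate(rule, metadata):
    """Return True if the asset metadata satisfies the rule."""
    op = rule[0]
    if op == "AND":
        return all(evaluate(sub, metadata) for sub in rule[1:])
    if op == "OR":
        return any(evaluate(sub, metadata) for sub in rule[1:])
    _, field, value = rule
    actual = metadata.get(field)
    if op == "=":
        return _matches(actual, value)
    if op == "!=":
        # Assumption: an absent field satisfies "!=" (there is nothing to contain).
        # Verify the real product behaviour with a test folder before relying on it.
        return not _matches(actual, value)
    raise ValueError(f"unsupported operator: {op!r}")


def negate(rule):
    """Logical NOT of a rule, pushed down to the comparisons via De Morgan."""
    op = rule[0]
    if op == "AND":
        return ("OR", *(negate(sub) for sub in rule[1:]))
    if op == "OR":
        return ("AND", *(negate(sub) for sub in rule[1:]))
    _, field, value = rule
    return ("!=" if op == "=" else "=", field, value)


def deny_to_allow(allow_rule, deny_rule):
    """Rewrite 'ALLOW a / DENY d' as the single ALLOW rule 'a AND NOT d'."""
    return ("AND", allow_rule, negate(deny_rule))


def visible_assets(rule, assets):
    """IDs of the assets a group governed by `rule` would see, in input order."""
    return [asset["id"] for asset in assets if evaluate(rule, asset)]


def conversion_is_equivalent(allow_rule, deny_rule, assets):
    """Check that the ALLOW-only rewrite decides every asset like ALLOW-minus-DENY."""
    rewritten = deny_to_allow(allow_rule, deny_rule)
    return all(
        evaluate(rewritten, a) == (evaluate(allow_rule, a) and not evaluate(deny_rule, a))
        for a in assets
    )


# Constructed sample assets; "region" and "tags" are arrays, as the page describes.
ASSETS = [
    {"id": "hero-banner", "brand": "Brand X", "region": ["EMEA", "Americas"],
     "assetType": "final", "tags": ["campaign"]},
    {"id": "apac-teaser", "brand": "Brand X", "region": ["APAC"],
     "assetType": "final", "tags": []},
    {"id": "emea-mockup", "brand": "Brand X", "region": ["EMEA"],
     "assetType": "prototype", "tags": ["internal"]},
    {"id": "emea-secret", "brand": "Brand Y", "region": ["EMEA"],
     "assetType": "final", "tags": ["confidential"], "confidential": "yes"},
    {"id": "emea-proto-secret", "brand": "Brand X", "region": ["EMEA"],
     "assetType": "prototype", "tags": ["confidential"], "confidential": "yes"},
    {"id": "no-region", "brand": "Brand X", "assetType": "final", "tags": []},
]

# The page's Group ID 1011 example: Brand X AND (EMEA OR Americas).
RULE_1011 = ("AND", ("=", "brand", "Brand X"),
             ("OR", ("=", "region", "EMEA"), ("=", "region", "Americas")))

# The page's "simple and expressive" rule; the array semantics of != matter for tags.
RULE_NO_PROTO_NO_CONF = ("AND", ("=", "region", "EMEA"),
                         ("!=", "assetType", "prototype"),
                         ("!=", "tags", "confidential"))

# The guideline's DENY example, with <user-region> set to EMEA.
ALLOW_EMEA = ("=", "region", "EMEA")
DENY_PROTO_CONF = ("AND", ("=", "assetType", "prototype"), ("=", "confidential", "yes"))

if __name__ == "__main__":
    print("group 1011 sees:", visible_assets(RULE_1011, ASSETS))
    print("no-proto/no-conf sees:", visible_assets(RULE_NO_PROTO_NO_CONF, ASSETS))
    print("ALLOW-only rewrite:", deny_to_allow(ALLOW_EMEA, DENY_PROTO_CONF))
    print("rewrite equivalent:", conversion_is_equivalent(ALLOW_EMEA, DENY_PROTO_CONF, ASSETS))
```

Because the rewrite is mechanical (AND becomes OR, OR becomes AND, = and != swap), the same function turns any DENY condition built from the supported constructs into its ALLOW equivalent. The one behaviour to confirm against the product, using the test folder the guidelines recommend, is how an asset that lacks the referenced metadata field entirely is treated: if an absent region or tags field satisfies !=, a rule like tags != confidential widens rather than narrows access for untagged assets.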