Attribute-based access control attribute-based-access-control

Attribute-based access control (ABAC) allows Content Hub Administrators to define metadata-based rules that determine the level of access users have to assets available in Content Hub.

Administrators for an organization define rules for user groups, each of which is mapped to a Group ID. Rules are a mix of logical and comparison operators, and administrators can define as many rules as they need to manage asset access within Content Hub.

The rules are based on metadata and if the conditions defined in the rule match the asset metadata, the asset gets displayed to the user group. Content Hub scans the asset metadata including the custom metadata for all assets available within All Assets and Collections to display the results to user groups.

For example, ALLOW access to user group with Group ID = 1011, when asset metadata matches “Brand = Brand X” AND “Region = EMEA OR Americas”. Content Hub displays only those assets to the user group with ID = 1011 where Brand = Brand X and Region = EMEA or Americas.

Some of the key benefits of attribute-based access control include:

  • Eliminates the dependency on folder structure for permissions

  • Allows administrators to upload assets and retroactively determine permission structures

  • Reduces the number of duplicates and improves asset integrity. Duplicates are needed with folder-based permissions when the same assets are shared with different groups.

Transcript

In this video, we’ll cover the Attribute-based access control, also known as ABAC, which allows Content Hub administrators to define metadata-based rules to manage more granular access to assets within Content Hub. To follow along and access the Adobe Admin Console, you must have administrator rights in your organization. Content Hub administrators can define rules to control which assets are visible to specific user groups within the portal. These rules use a combination of user-based access control and comparison operators. They’re based on asset metadata and linked to a specific user group ID. This can be useful in a number of use cases. For example, when you have a large team whose members need access to digital assets within a different scope, such as region or brand. Content Hub scans metadata, including custom metadata of all assets available within all assets and collections. If the conditions defined in the rule match the asset’s metadata, that asset becomes visible to the specified user group.

ABAC rules eliminate the dependency on folder structure for setting permissions.

They allow admins to upload assets and define permission structures retroactively. They also reduce the number of asset duplicates, something that’s typical for the folder-based permissions when the same assets need to be shared across multiple groups.

At the time of this recording, you cannot create attribute-based rules directly through the Content Hub interface. You need to work with the Adobe Support team to implement the rules for your organization. Let me walk you through this process.

To get started, download the ABAC template from the Attribute-based Access Control page on the Adobe Experience League Documentation Portal. This template is a spreadsheet that lets you define as many metadata-based rules as needed. It also includes examples you can use as references when setting up rules for your organization. For example, Weeknd is a global brand with teams across various regions. The marketing team in the EMEA region should have access to all digital assets related to Weeknd activities in that region, except for certain confidential assets that aren’t yet available for marketing use.

Start by creating a user group in the Adobe Admin Console. Navigate to the Users tab, then to User Groups, and click New User Group. In our case, we’ve already created the EMEA Marketing User Group. Go to the User Groups page and examine the URL. The numbers following user groups represent the numeric group ID, which you’ll need to link your rules to. Copy this ID and return to the spreadsheet.

Open the Managed by Group tab. In the Group Name column, enter the group name, then paste the number you’ve copied into the Group ID column. In the Description column, specify what permissions the group should and shouldn’t have using plain language. The Conditions column is where you define your rules. It supports logical operators such as AND and OR, as well as comparison operators such as equals and not equals. For our example, we want the Global Availability metadata property to equal EMEA and Publishing Status to not equal confidential release. Make sure that the metadata properties referenced in your rule are correctly defined and available in the corresponding metadata schemas in AEM.

You can use the Comments column to capture the business intent of your rule. This will help the Adobe team validate the logic and correct it if required.

Once your first rule is created, go to the Metadata tab to add the metadata properties that correspond to the conditions you’ve just specified. Let’s start with the first property, Global Availability. Add the property type according to the corresponding metadata schema. It can be a text field, tags, dropdown, and so on. Enter the node name in the next column. This can be found under Map to Property in the corresponding metadata schema. Next, list the titles of all values available for this property that are relevant to your rule. For example, these could be dropdown values or tags written in human-friendly language. Finally, list the names of the values specified in the Title column. These should reflect how the values are stored in AEM. They’re usually lowercase and contain hyphens. Repeat the same process for the Publishing Status property.

In the Content Hub Environment tab, provide the ID of your Content Hub environment. Enter the full path to the metadata schema that defines the properties you’ve specified in your rules. You can now create an Adobe Support ticket and share these rules with Adobe.

By default, any user groups that are not specified with rules in the spreadsheet are denied access. If a user isn’t part of a group with ABAC rules, they won’t be able to access any assets. If you need certain users, such as administrators, to have access to assets, you must include a group in the spreadsheet and specify that this group needs access to all assets. You should now know how to create attribute-based access control rules for Content Hub. Thanks for watching.

How to enable Attribute-based access control? enable-attribute-based-access-control

As of now, you cannot create Attribute-based access control rules on your own using the Content Hub user interface.

Click Download Spreadsheet to download and define rules in a spreadsheet. Create an Adobe support ticket and provide the rules defined in the spreadsheet to Adobe.

[Download Spreadsheet]{class="badge informative"}

Define rules in the spreadsheet using the guidelines defined in this article.

Example Attribute-based Access Control use case example-metadata-based-rules

To support a large-scale marketing rollout, various team members across regions and brands need access to digital assets. Each persona has a specific scope based on region and brand. ABAC enforces these rules automatically via asset metadata. The following table illustrates the different types of personas for this use case and the rules that are applied:

| Persona | Role | Role Description | Group ID | ABAC Rule |
|---|---|---|---|---|
| John | EMEA Marketing Lead | Oversees marketing execution across all brands in EMEA. Needs access to approved assets for all brands intended for EMEA markets. | group-emea-marketing | region = “EMEA” |
| Mike | APAC Marketing Lead | Oversees marketing execution across all brands in APAC. Needs access to approved assets for all brands intended for APAC markets. | group-apac-marketing | region = “APAC” |
| Sophie | Brand X Manager (EMEA) | Manages Brand X identity in EMEA. Needs to see only Brand X approved content tailored to EMEA markets. | group-emea-brandx | region = “EMEA” && brand = “Brand X” |
| Tom | Brand Y Manager (APAC) | Manages Brand Y identity in APAC. Needs to see only Brand Y approved content tailored to APAC markets. | group-apac-brandy | region = “APAC” && brand = “Brand Y” |

Using these rules, Content Hub administrators have:

  • Granular, rule-based access: Users see only the assets relevant to their region and brand — no manual permission assignments.

  • Seamless global collaboration: Regional and brand teams work in parallel without access conflicts.

  • Scalable and future-proof permissions: As new regions or brands are added, rules can be updated based on metadata.

IMPORTANT
By default, all other user groups, that is, those not given any rules in the spreadsheet, are denied access. If a user is not part of any group for which ABAC rules are defined, they cannot access any assets. If some users (for example, Admins) need access to all assets, a group with a group ID must be listed in the spreadsheet with a note that this particular group needs access to all assets, and Adobe will configure it for you.

Supported rule constructs supported-rule-constructs

  • Logical operators:

    • AND: All conditions must be true
    • OR: At least one condition must be true
  • Comparison operators:

    • Equals (=): Checks if a user or asset attribute matches a value
    • Not Equals (!=): Checks if a user or asset attribute does not match a value

When asset metadata fields contain arrays (for example, multiple regions or tags), Equals is evaluated as "contains" logic and Not Equals as "does not contain" logic: an asset tagged with several regions matches region = EMEA if EMEA is one of them.

This allows you to write simple and expressive rules, such as: ALLOW if region = emea AND assetType != prototype AND tags != confidential.

Guidelines guidelines-attribute-based-access-control

  • ABAC rules are applicable only for assets approved for Content Hub. For more information, see Approve Assets for Content Hub.

  • Do not write DENY rules; always convert a DENY into an ALLOW rule instead. For example, ALLOW if region = <user-region> DENY if assetType = prototype AND confidential = yes can be converted to ALLOW if region = <user-region> AND (assetType != prototype OR confidential != yes).

  • ABAC rules are applied to user groups using the IMS Group ID, which is available in the Admin Console.

  • You can set the Approval Target for assets using the AEM as a Cloud Service author environment. ABAC rules are applied to assets approved with Approval Target = Content Hub, whereas Approval Target = Delivery is for assets available for Delivery + Content Hub. Assets marked with Approval Target = Delivery are visible to everyone in Content Hub.

  • Ensure that the metadata schemas used in ABAC rules are correctly defined and available in AEM. Provide the full path of the metadata schema(s) in AEM that define the properties referenced in ABAC rules. You can optionally create a test folder with a few sample assets whose metadata values match the ABAC conditions. This helps in verifying rule behaviour and evaluating access accurately.

  • Capture the business intent of the rule in the Comments column, regardless of whether the condition is correctly written, as the intent helps Adobe validate and correct the logic, if required.

  • The license PDF files that are set for DRM need to be visible to everyone, so that users can see them when downloading an asset with a license.
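The rule constructs above (AND, OR, Equals, Not Equals with "contains" semantics on array-valued metadata), the default-deny behaviour for groups without rules, and the DENY-to-ALLOW rewrite guideline can all be checked with a small evaluator. The following is an added example, not Adobe's code and not how Content Hub implements ABAC internally; it models rules as Python objects, assets as plain metadata dicts, and uses the Group IDs and rules from this page together with constructed sample assets.

```python
"""Toy evaluator for Content Hub-style ABAC rules.

Added example, not Adobe's implementation. Assumptions: rules are modelled as
small Python objects, assets are dicts of metadata, sample assets are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Eq:
    """Equals (=). On array-valued metadata this means "contains"."""
    field: str
    value: str

    def matches(self, asset: dict) -> bool:
        actual = asset.get(self.field)
        if isinstance(actual, (list, tuple, set)):
            return self.value in actual
        return actual == self.value


@dataclass(frozen=True)
class Ne:
    """Not Equals (!=). On array-valued metadata this means "does not contain"."""
    field: str
    value: str

    def matches(self, asset: dict) -> bool:
        return not Eq(self.field, self.value).matches(asset)


@dataclass(frozen=True)
class And:
    """Logical AND: every term must be true."""
    terms: tuple

    def matches(self, asset: dict) -> bool:
        return all(t.matches(asset) for t in self.terms)


@dataclass(frozen=True)
class Or:
    """Logical OR: at least one term must be true."""
    terms: tuple

    def matches(self, asset: dict) -> bool:
        return any(t.matches(asset) for t in self.terms)


# Constructed sample assets (not real Content Hub data). "region" is an array
# field so that the contains / does-not-contain semantics are exercised.
SAMPLE_ASSETS = [
    {"id": "a1", "region": ["EMEA"], "brand": "Brand X", "assetType": "final", "confidential": "no"},
    {"id": "a2", "region": ["EMEA", "Americas"], "brand": "Brand Y", "assetType": "prototype", "confidential": "no"},
    {"id": "a3", "region": ["APAC"], "brand": "Brand X", "assetType": "final", "confidential": "yes"},
    {"id": "a4", "region": ["EMEA"], "brand": "Brand X", "assetType": "prototype", "confidential": "yes"},
]

# Rules keyed by Group ID, taken from the examples on this page.
RULES = {
    # ALLOW group 1011 when Brand = Brand X AND Region = EMEA OR Americas
    "1011": And((Eq("brand", "Brand X"), Or((Eq("region", "EMEA"), Eq("region", "Americas"))))),
    "group-emea-marketing": Eq("region", "EMEA"),
    "group-apac-marketing": Eq("region", "APAC"),
    "group-emea-brandx": And((Eq("region", "EMEA"), Eq("brand", "Brand X"))),
    "group-apac-brandy": And((Eq("region", "APAC"), Eq("brand", "Brand Y"))),
}


def visible_ids(group_id: str, assets=SAMPLE_ASSETS, rules=RULES) -> list:
    """IDs of assets the group may see. A group with no rule sees nothing (default deny)."""
    rule = rules.get(group_id)
    if rule is None:
        return []
    return [a["id"] for a in assets if rule.matches(a)]


# DENY-to-ALLOW rewrite from the guidelines, with <user-region> set to EMEA.
# Intent: ALLOW if region = EMEA, DENY if assetType = prototype AND confidential = yes.
DENY_PART = And((Eq("assetType", "prototype"), Eq("confidential", "yes")))
ALLOW_ONLY_RULE = And((Eq("region", "EMEA"),
                       Or((Ne("assetType", "prototype"), Ne("confidential", "yes")))))


def allowed_after_rewrite(assets=SAMPLE_ASSETS) -> list:
    """Asset IDs permitted by the ALLOW-only form of the rule."""
    return [a["id"] for a in assets if ALLOW_ONLY_RULE.matches(a)]


def deny_rewrite_is_equivalent(assets=SAMPLE_ASSETS) -> bool:
    """Check that 'ALLOW region AND NOT deny' and the rewritten ALLOW rule agree."""
    with_deny = [a["id"] for a in assets
                 if Eq("region", "EMEA").matches(a) and not DENY_PART.matches(a)]
    return with_deny == allowed_after_rewrite(assets)


if __name__ == "__main__":
    for gid in ("1011", "group-emea-marketing", "group-apac-brandy", "group-without-rule"):
        print(gid, "->", visible_ids(gid))
    print("rewrite equivalent:", deny_rewrite_is_equivalent())
```

Note that `a2` is tagged with two regions and still matches `region = "EMEA"` because Equals is "contains" on arrays, and that `group-without-rule` gets an empty result, mirroring the default-deny behaviour described in the IMPORTANT note.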
