DocumentationAEM as a Cloud ServiceUser Guide

Restrict delivery of assets with Dynamic Media with OpenAPI capabilities restrict-access-to-assets

Last update: Tue Nov 19 2024 00:00:00 GMT+0000 (Coordinated Universal Time)

CREATED FOR:

  • User
Search Best Practices
Metadata Best Practices
Content Hub
Dynamic Media with OpenAPI capabilities
AEM Assets developer documentation
AVAILABILITY
Dynamic Media with OpenAPI capabilities guide is now available in PDF format. Download the entire guide and use Adobe Acrobat AI Assistant to answer your queries.
[Dynamic Media with OpenAPI capabilities Guide PDF]{class="badge informative"}

Central asset governance in Experience Manager allows the DAM Admin or Brand Managers to manage access to assets available through Dynamic Media with OpenAPI capabilities. They can restrict delivery of approved assets (down to an individual asset) to selected Adobe Identity Management System (IMS) User or Groups by configuring certain metadata on assets on their the AEM as a Cloud Service author service.

Once an asset is restricted through Dynamic Media with OpenAPIs, only the (Adobe IMS onboarded) users authorized to access the said asset are granted access. To access the asset, the user must leverage Search and Delivery capabilities of Dynamic Media with OpenAPI.

Restricted access to assets

In Experience Manager Assets, restricted delivery via IMS involves two key stages:

  • Authoring
  • Delivery

Authoring authoring

Restricted delivery using an IMS Bearer token restrict-delivery-ims-token

You can restrict the delivery of assets within Experience Manager based on IMS User and Group Identities .

NOTE
This capability is currently not self-service. To restrict asset delivery for IMS Users and Groups, reach out to your Enterprise Support team for guidance on how to retrieve the information required for restricting access from Adobe Admin Console portal and how to configure access in the AEM as a Cloud Service author service.

Restrict delivery of assets using On and Off date and time restrict-delivery-assets-date-time

DAM authors can also restrict the delivery of assets by defining an On or Off time for activation available in Asset properties.

If you define an On time for activation of an asset, a delivery URL gets generated for the asset at the defined time. The asset remains inactive before the defined time. Similarly, if you define an Off time for an asset, the asset is deactivated at the defined time and the delivery URL for the asset stops displaying the asset.

Execute the following steps to set the On and Off time for the asset:

  1. Select the asset and click Properties.

  2. In the Scheduled (de) activation section of the Basic tab, define the On Time or the Off Time based on your requirements.

Similarly, in Assets view, you can select the asset and click Details to view asset properties and define On time and Off time.

The field is available in the default metadata form. If your asset is not based on the default metadata schema and the On Time and Off Time fields are not available in the asset properties, execute the following steps in Admin view:

  1. Navigate to Tools > Assets > Metadata Schemas.

  2. Select the metadata schema and click Edit.

  3. Add a Date field from the Build Form section in right side to Metadata section in the form.

  4. Click the newly added field, and then do the following updates in the Settings panel:

    1. Change the Field Label to On Time or Off Time.
    2. Update the Map to property to ./jcr:content/onTime for On Time field and ./jcr:content/offTime for Off Time field.

  5. Click Save.

Similarly, for Assets view, if your asset is not based on the default metadata schema and the On Time and Off Time fields are not available in the asset properties, execute the following steps:

  1. Click Metadata Forms in the Settings section.
  2. Select the metadata form and click Edit.
  3. Add a Date field from the Components section in left pane to the form.
  4. Click the newly added field and change the Label to On Time or Off Time.
  5. Update the Metadata property to ./jcr:content/onTime for On Time field and ./jcr:content/offTime for Off Time field.
  6. Click Save.

Delivery of restricted assets delivery-restricted-assets

The delivery of restricted assets is based on successful authorization to access assets. The authorization is either through IMS Bearer Tokens (application for requests initiated from AEM Asset Selector), or a secure-cookie (if you have custom identity providers set up on your AEM Publish/Preview services, and have set up the cookie creation and inclusion on the pages).

Delivery for AEM author or Asset Selector requests delivery-aem-author-asset-selector

To enable the delivery of restricted assets in case the request is sent from AEM author service or AEM Asset Selector, a valid IMS Bearer token is essential.
On AEM Cloud Service author services as well as Asset Selector, the IMS Bearer Token is automatically generated and used for requests after a successful login.

NOTE
To get more information on how to enable IMS authentication on AEM Asset Selector based integrations, please reach out to Enterprise Support

  1. For non-Asset Selector based experiences, AEM as a Cloud Service and Dynamic Media with OpenAPI capabilities currently support server-side-api integrations and can generate IMS Bearer tokens.

  2. While making Search and Delivery API requests, add the obtained IMS Bearer token to the Authorization header of the HTTP request (ensure that its value is prefixed with Bearer).

  3. To validate the access restriction, initiate a Delivery API request with and without the Authorization header.

    • The response will yield a 404 error status-code in cases where there is no IMS Bearer token, or the provided IMS Bearer token doesn’t belong to the user that was granted access to the asset (either directly, or through group membership).
    • The response will yield a 200 success status-code with the binary content of the asset if the IMS Bearer token is one of the user or groups that were granted access to the asset.

Delivery for custom identity providers on Publish service delivery-custom-identity-provider

AEM Sites, AEM Assets and Dynamic Media with OpenAPI licenses can be used together, allowing for restricted delivery of assets to be configured on websites hosted on AEM Publish or Preview service. The secure delivery flow leverages browser cookies to establish user’s access and having a custom domain for delivery tier that is subdomain of the publish domain is a pre-requisite for implementing this use case. In case AEM Sites’ Publish and Preview services are configured to use a custom identity provider (IdP), a new cookie called delivery-token encapsulating user’s group membership must be set on publish domain post user’s authentication. The delivery tier extracts the authorization material from the secure-cookie and validates the access. Please log an enterprise support ticket for more details.

recommendation-more-help
fbcff2a9-b6fe-4574-b04a-21e75df764ab