Documentation AEM AEM Tutorials AEM Assets Tutorials

Metadata-Driven Permissions

Last update: March 23, 2025

Topics:
User and Groups

CREATED FOR:

Intermediate
Admin

Metadata-Driven Permissions is a feature used to allow access control decisions on AEM Assets Author to be based on asset content or metadata properties rather than folder structure. With this capability, you can define access control policies that evaluate attributes such as asset status, type, or any custom property you define.

Let’s see an example. Creatives upload their work to AEM Assets to the campaign related folder, it might be a work in progress asset which has not been approved for use. We want to make sure that marketeers see only approved assets for this campaign. We can utilize a metadata property to indicate that an asset has been approved and can be used by the marketeers.

How It Works

Enabling Metadata-Driven Permissions involves defining which asset content or metadata properties will drive access restrictions, such as “status” or “brand.” These properties can then be used to create access control entries that specify which user groups have access to assets with specific property values.

Prerequisites

Access to an AEM as a Cloud Service environment updated to the latest version is required for setting up metadata-driven permissions.

OSGi configuration

To implement Metadata-Driven Permissions a developer must deploy an OSGi configuration to AEM as a Cloud Service, that enables specific asset content or metadata properties to power metadata-driven permissions.

Determine which asset content or metadata properties will be used for access control. The property names are the JCR property names on the asset’s jcr:content or jcr:content/metadata resource. In our case it going to be a property called status.
Create an OSGi configuration com.adobe.cq.dam.assetmetadatarestrictionprovider.impl.DefaultRestrictionProviderConfiguration.cfg.json in your AEM Maven project.

Paste the following JSON into the created file:

{
  "restrictionPropertyNames":[
    "status",
    "brand"
  ],
  "restrictionContentPropertyNames":[],
  "enabled":true
}

Replace the property names with the required values. The restrictionContentPropertyNames configuration property is used to enable permissions on jcr:content resource properties, while the restrictionPropertyNames configuration property enables permissions on jcr:content/metadata resource properties for assets.

Reset base asset permissions

Before adding restriction-based Access Control Entries, a new top-level entry should be added to first deny read access to all groups that are subject to permission evaluation for Assets (e.g. “contributors” or similar):

Navigate to the Tools → Security → Permissions screen
Select the Contributors group (or other custom group that all users groups belong to)
Click Add ACE in the upper right corner of the screen
Select /content/dam for Path
Enter jcr:read for Privileges
Select Deny for Permission Type
Under Restrictions, select rep:ntNames and enter dam:Asset as the Restriction Value
Click Save

Deny Access

Grant access to assets by metadata

Access control entries can now be added to grant read access to user groups based on the configured Asset metadata property values.

Navigate to the Tools → Security → Permissions screen
Select the user groups that should have access to the assets
Click Add ACE in the upper right corner of the screen
Select /content/dam (or a subfolder) for Path
Enter jcr:read for Privileges
Select Allow for Permission Type
Under Restrictions, select one of the configured Asset metadata property names in the the OSGi configuration
Enter the required metadata property value in the Restriction Value field
Click the + icon to add the Restriction to the Access Control Entry
Click Save

Allow Access

Metadata-driven permissions in effect

Example folder contains a couple of assets.

Admin View

Once you configure permissions and set the asset metadata properties accordingly, users (Marketeer User in our case) will see only approved asset.

Marketeer View

Benefits and considerations

Benefits of Metadata-Driven Permissions include:

Fine-grained control over asset access based on specific attributes.
Decoupling of access control policies from folder structure, allowing for more flexible asset organization.
Ability to define complex access control rules based on multiple content or metadata properties.

NOTE

It’s important to note:

Properties are evaluated against the restrictions using String equality (=) (other data types or operators are not yet supported, for greater than (>) or Date properties)
To allow multiple values for a restriction property, additional restrictions can be added to the Access Control Entry by selecting the same property from the “Select Type” dropdown and entering a new Restriction Value (e.g. status=approved, status=wip) and clicking “+” to add the restriction to the entry
AND restrictions are supported, via multiple restrictions in a single Access Control Entry with different property names (e.g. status=approved, brand=Adobe) will be evaluated as an AND condition, i.e. the selected user group will be granted read access to assets with status=approved AND brand=Adobe
OR restrictions are supported by adding a new Access Control Entry with a metadata property restriction will establish an OR condition for the entries, e.g. a single entry with restriction status=approved and a single entry with brand=Adobe will be evaluated as status=approved OR brand=Adobe

recommendation-more-help