Attribute-based Access Control in Content Hub
Learn how to set up and control access to assets in AEM Assets Content Hub using attribute-based access control (ABAC).
In this video, we’ll cover attribute-based access control, also known as ABAC, which allows Content Hub administrators to define metadata-based rules to manage more granular access to assets within Content Hub. To follow along and access the Adobe Admin Console, you must have administrator rights in your organization. Content Hub administrators can define rules to control which assets are visible to specific user groups within the portal. These rules combine user-group-based access control with comparison operators. They are based on asset metadata and linked to a specific user group ID. This is useful in a number of situations, for example when you have a large team whose members need access to digital assets within different scopes, such as region or brand. Content Hub scans the metadata, including custom metadata, of every asset available in All Assets and Collections. If the conditions defined in a rule match an asset’s metadata, that asset becomes visible to the specified user group.
ABAC rules eliminate the dependency on folder structure for setting permissions.
They allow admins to upload assets and define permission structures retroactively. They also reduce the number of asset duplicates, which is typical of folder-based permissions when the same assets need to be shared across multiple groups.
At the time of this recording, you cannot create attribute-based rules directly through the Content Hub interface. You need to work with the Adobe Support team to implement the rules for your organization. Let me walk you through this process.

To get started, download the ABAC template from the Attribute-based Access Control page on the Adobe Experience League documentation portal. This template is a spreadsheet that lets you define as many metadata-based rules as needed. It also includes examples you can use as references when setting up rules for your organization.

For example, WKND is a global brand with teams across various regions. The marketing team in the EMEA region should have access to all digital assets related to WKND activities in that region, except for certain confidential assets that aren’t yet available for marketing use.

Start by creating a user group in the Adobe Admin Console. Navigate to the Users tab, then to User Groups, and click New User Group. In our case, we’ve already created the EMEA Marketing user group. Go to the user group’s page and examine the URL. The number following the user groups segment of the URL is the numeric group ID that you will link your rules to. Copy this ID and return to the spreadsheet.

Open the Managed by Group tab. In the Group Name column, enter the group name, then paste the number you copied into the Group ID column. In the Description column, specify in plain language what permissions the group should and shouldn’t have. The Conditions column is where you define your rules. It supports logical operators such as AND and OR, as well as comparison operators such as equals and not equals. For our example, we want the Global Availability metadata property to equal EMEA and the Publishing Status property to not equal Confidential Release. Make sure that the metadata properties referenced in your rule are correctly defined and available in the corresponding metadata schemas in AEM.

You can use the Comments column to capture the business intent of your rule. This helps the Adobe team validate the logic and correct it if required.

Once your first rule is created, go to the Metadata tab to add the metadata properties that correspond to the conditions you’ve just specified. Let’s start with the first property, Global Availability. Add the property type according to the corresponding metadata schema; it can be a text field, tags, a dropdown, and so on. Enter the node name in the next column. You can find it in the Map to Property field of the corresponding metadata schema. Next, list the titles of all values available for this property that are relevant to your rule. For example, these could be dropdown values or tags written in human-friendly language. Finally, list the names of the values you specified in the Title column. These should reflect how the values are stored in AEM; they’re usually lowercase and contain hyphens. Repeat the same process for the Publishing Status property.

In the Content Hub Environment tab, provide the ID of your Content Hub environment and enter the full path to the metadata schema that defines the properties you’ve specified in your rules. You can now create an Adobe Support ticket and share these rules with Adobe.

By default, any user group that is not specified in the spreadsheet rules is denied access. If a user isn’t part of a group with ABAC rules, they won’t be able to access any assets. If you need certain users, such as administrators, to have access to assets, you must include a group for them in the spreadsheet and specify that this group needs access to all assets.

You should now know how to create attribute-based access control rules for Content Hub. Thanks for watching.
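Before you file the support ticket, it helps to check what a rule set will actually expose. The following Python model is an added example and is not Adobe's code or the Content Hub rule engine; it reproduces the semantics described in the video (rules tied to a numeric group ID, AND/OR over equals/not-equals comparisons against stored value names, and default deny for users whose groups have no rule) so you can dry-run a spreadsheet against sample metadata. The group IDs, metadata node names, stored values and asset paths are constructed placeholders.

```python
"""Model of Content Hub ABAC visibility rules (added example, not Adobe code).

Content Hub evaluates the real rules server-side from the spreadsheet you send
to Adobe Support. This block models the semantics described in the video:
  * a rule is tied to a numeric Admin Console group ID,
  * its condition combines metadata comparisons with AND / OR,
  * equals / not-equals compare against the stored value name, not the title,
  * a user whose groups have no rule sees nothing (default deny).
Group IDs, property node names, values and asset paths are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed: display titles (as seen in dropdowns/tags) -> names stored in AEM.
# The Metadata tab of the spreadsheet asks for both; rules match on the name.
TITLE_TO_NAME: Dict[str, Dict[str, str]] = {
    "Global Availability": {"EMEA": "emea", "APAC": "apac", "Global": "global"},
    "Publishing Status": {
        "Confidential Release": "confidential-release",
        "Approved for Marketing": "approved-for-marketing",
    },
}


def stored_name(property_title: str, value_title: str) -> str:
    """Translate a human-friendly value title into the name stored in AEM."""
    return TITLE_TO_NAME[property_title][value_title]


Condition = Callable[[Dict[str, str]], bool]


def equals(node: str, value: str) -> Condition:
    return lambda md: md.get(node) == value


def not_equals(node: str, value: str) -> Condition:
    # A missing property is treated as "not equal"; see the note below the block.
    return lambda md: md.get(node) != value


def all_of(*conds: Condition) -> Condition:  # AND
    return lambda md: all(c(md) for c in conds)


def any_of(*conds: Condition) -> Condition:  # OR
    return lambda md: any(c(md) for c in conds)


def all_assets(_md: Dict[str, str]) -> bool:
    """The 'access to everything' rule an administrators group needs."""
    return True


@dataclass
class Rule:
    group_id: int
    description: str
    condition: Condition


@dataclass
class Asset:
    path: str
    metadata: Dict[str, str]


def visible_assets(user_groups: Set[int], rules: List[Rule], assets: List[Asset]) -> List[str]:
    """Paths a member of user_groups can see; empty when no rule names any of the groups."""
    applicable = [r for r in rules if r.group_id in user_groups]
    if not applicable:
        return []  # default deny: no rule for the user's groups means no assets
    return [a.path for a in assets if any(r.condition(a.metadata) for r in applicable)]


# Constructed placeholders for the numeric IDs copied from the Admin Console URL.
EMEA_MARKETING_GROUP_ID = 12345
ADMIN_GROUP_ID = 99999

RULES = [
    Rule(EMEA_MARKETING_GROUP_ID,
         "EMEA marketing: all EMEA assets except confidential releases",
         all_of(equals("globalAvailability", stored_name("Global Availability", "EMEA")),
                not_equals("publishingStatus",
                           stored_name("Publishing Status", "Confidential Release")))),
    Rule(ADMIN_GROUP_ID, "Administrators: every asset", all_assets),
]

# Constructed sample assets carrying the metadata Content Hub would scan.
ASSETS = [
    Asset("/content/dam/wknd/emea/summer-campaign.jpg",
          {"globalAvailability": "emea", "publishingStatus": "approved-for-marketing"}),
    Asset("/content/dam/wknd/emea/autumn-teaser.jpg",
          {"globalAvailability": "emea", "publishingStatus": "confidential-release"}),
    Asset("/content/dam/wknd/apac/poster.jpg",
          {"globalAvailability": "apac", "publishingStatus": "approved-for-marketing"}),
    Asset("/content/dam/wknd/untagged.jpg", {}),
]

if __name__ == "__main__":
    for label, groups in [("EMEA marketing", {EMEA_MARKETING_GROUP_ID}),
                          ("administrators", {ADMIN_GROUP_ID}),
                          ("group with no rule", {55555})]:
        print(f"{label}: {visible_assets(groups, RULES, ASSETS)}")
```

Two points the dry run makes visible: a user whose groups appear in no rule sees nothing, which is why the administrators group needs an explicit all-assets rule; and in this model a missing property counts as "not equal", so a rule built only from not-equals comparisons would match untagged assets. Pairing the not-equals condition with an equals condition, as the EMEA rule does, avoids that in the model; confirm how Content Hub itself treats missing metadata values with Adobe when you submit the spreadsheet.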
Download the attribute-based access control definition spreadsheet from the AEM Assets Content Hub Attribute-based access control documentation.