AEM CQ5 Tutorials AEM CQ5 Tutorials

Show Navigation Hide Navigation
  • Home
  • Tutorials
    • AEM/CQ5 Tutorials
    • Edge Delivery Services (EDS)
    • AEM Forms
  • Interview Questions
    • AEM/CQ5 Interview Questions
  • AEM Test Series
  • Contribute us

Implement Metadata Driven Permissions in AEM

Ankur Ahlawat December 3, 2024 Adobe AEM/CQ5 Tutorials, Tutorials

AEM offers two types of Permission model Folder based Permissioning and Metadata Driven Permissioning Model. Permissions driven through AEM asset metadata on AEM Author instances allow users to apply complex, robust and loosely coupled permissions based on AEM asset metadata properties.

In this tutorial we will learn:-

  • Difference Between Folder based Permissioning Model vs Metadata Driven Permissioning Model.
  • Implement Metadata Driven Permissioning Model.
  • Few important points to consider.

Difference Between Folder based Permissioning Model vs Metadata Driven Permissioning Model:-

Folder based Permissioning Model is traditional permissioning model which we usually use for all the scenarios. In order to leverage Folder based Permissioning Model your DAM folder structure should be well defined and permissions are then applied at folder level. It is not possible to have different permission for Assets within same folder, this makes this model very rigid and tightly coupled. Also folders should be logically broken down , So that any single folder should not have very huge number of assets, this impacts performance of system while traversing through the folder structure.

Metadata Driven Permissioning Model is introduced in AEM As Could Services. In order to resolve issue with unstructured DAM folder structure or having more flexible and robust Permissioning model Adobe has introduced Metadata Driven Permissioning Model in AEM As Could Services.

This is many benefits over the tradition Folder Structure Permissioning Model like :-

  • Fine-grained control: Users can have more control over access to assets.
  • Decoupled access control policies: Access control policies are decoupled from the folder structure.
  • Complex access control rules: Users can define complex access control rules.

Implement Metadata Driven Permissioning Model:-

AEM Metadata Driven Permissioning is available only in AEM Ss Cloud , As a pre requisite make sure you are woking on latest SDK of AEM As Cloud.

The first step is to create an OSGI configuration for enabling Metadata driven permission based on specific asset metadata properties.

OSGI Configuration:-

  • Determine which asset metadata properties will be used for access control. The property names are the JCR property names on the asset’s jcr:content/metadata resource. In our case it going to be a property called status and owner.
  • Create an OSGi configuration com.adobe.cq.dam.assetmetadatarestrictionprovider.impl.DefaultRestrictionProviderConfiguration.cfg.json  in your AEM Maven project under config.author or environment specific run modes.

    NOTE:- Because it needs to be consistent across all environment, so i always prefer it to be part of config.author run mode.
  • Paste the following JSON into the created file.
{
  "restrictionPropertyNames":[
    "status",
    "owner"
  ],
  "enabled":true
}
  • Replace the property names with the required values.
enable metadata permission config


Note:- New Metadata based restriction properties will be visible in AEM permissioning dropdown only if the above config is deployed via code deployment in your local SDK. If you make direct edit in crx/de it won’t work.

Reset Asset Permission:-

Before adding restriction-based Access Control Entries, a new top-level entry should be added to first deny read access to all groups that are subject to permission evaluation for Assets (e.g. “contributors” or similar) :-

  1. Navigate to the Tools → Security → Permissions screen
  2. Select the Contributors group (or other custom group that all users groups belong to)
  3. Click Add ACE in the upper right corner of the screen
  4. Select /content/dam for Path
  5. Enter jcr:read for Privileges
  6. Select Deny for Permission Type
  7. Under Restrictions, select rep:ntNames and enter dam:Asset as the Restriction Value
  8. Click Save
deny permission parent group

Grant access to assets by metadata

Access can now be granted to user groups based on configured asset metadata property names in the the OSGi configuration. Follow below steps to grant access based on metadata to specific user groups.

  1. Navigate to the Tools → Security → Permissions screen
  2. Select the user groups that should have access to the assets
  3. Click Add ACE in the upper right corner of the screen
  4. Select /content/dam (or a subfolder) for Path
  5. Enter jcr:read for Privileges
  6. Select Allow for Permission Type
  7. Under Restrictions, select one of the configured Asset metadata property names in the the OSGi configuration
  8. Enter the required metadata property value in the Restriction Value field
  9. Click the + icon to add the Restriction to the Access Control Entry
  10. Click Save

Note:- Make sure that your custom restrictions are getting displayed in the dropdown.

custom metadata property restriction

single property restriction

Few important points to note:-

  • Metadata properties are evaluated against the restrictions using String equality (=) (other data types or operators are not yet supported, for greater than (>) or Date properties)
  • To allow multiple values for a restriction property, additional restrictions can be added to the Access Control Entry by selecting the same property from the “Select Type” dropdown and entering a new Restriction Value (e.g. status=approved, status=wip) and clicking “+” to add the restriction to the entry

AND restrictions are supported, via multiple restrictions in a single Access Control Entry with different property names (e.g. status=approved, brand=Adobe) will be evaluated as an AND condition, i.e. the selected user group will be granted read access to assets with status=approved AND brand=Adobe

AND condition for metadata restriction

OR restrictions are supported by adding a new Access Control Entry with a metadata property restriction will establish an OR condition for the entries, e.g. a single entry with restriction status=approved and a single entry with brand=Adobe will be evaluated as status=approved OR brand=Adobe

OR condition for metadata restriction

Related

Spread the love
26    
AEMAsCloud Asset Metadata Metadata Restriction

Written by Ankur Ahlawat

I’m a AEM Solution Architect having 15+ years of industry experience and an active member of AEM community. Want to work together to help AEM community ? I’d love to hear from you. Just drop a mail at [email protected]

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to AEM CQ5 Newsletter

RSS Recent Posts

  • Simplified Index Management in AEM as a Cloud Service Using Diff Index: Migrate or Create new Custom Indexes with Ease June 24, 2026 Ankur Ahlawat
  • Document Based Authoring vs Universal Editor in AEM EDS: Which One Should You Choose? June 15, 2026 Ankur Ahlawat
  • AEM Sites vs Edge Delivery Services (EDS): Complete Architecture, Authoring, Deployment & Migration Comparison June 8, 2026 Ankur Ahlawat
  • Explore AEM Cloud Migration MCP for AI-Assisted Code Migration to AEM as a Cloud Service June 2, 2026 Ankur Ahlawat
  • How to Set Up JetBrains with GitHub Copilot and AEM MCP: Complete Developer Guide June 1, 2026 Ankur Ahlawat
  • What is Adobe Edge Delivery Services (EDS)? May 26, 2026 Ankur Ahlawat
  • How Direct Counts Configuration Improves AEM Performance and Reduces Node Validation Overhead May 25, 2026 Ankur Ahlawat

Popular Tags

Adobe Adobe Experience Manager AEM AEM 6.1 AEM 6.3 AEM 6.4 AEM 6.5 AEM 6.x AEMAsCloud AEM Basics AEM Clientlibs AEM CQ5 Tutorials AEM Development AEM Plugin Archetype Asset Metadata Best Practices Cloud Service Component core components CQ5 cqDesign Custom Component Edge Delivery Services EDS Error Handler HTL Installation Integration Interview Questions Maven Multifield Multi Module OAK Index OSGI OSGI Bundles OSGI Configuration OSGI Services Query Performance Sightly Sling TarMK Template Touch UI User Permission

Trending Posts

Adobe Dumps
AEM Interview Questions
Sightly New Features
Create Website in AEM

Pages

  • About Us
  • AEM Discussion
  • Ask Question
  • Contribute us
  • Privacy Policy
  • Search
  • Terms and Conditions

RSS feed RSS - Posts

RSS feed RSS - Comments

© AEM CQ5 Tutorials | 2026 ALL RIGHTS RESERVED

Powered by Pinboard Theme and WordPress

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT