Implement Metadata Driven Permissions in AEM

Ankur Ahlawat December 3, 2024 Adobe AEM/CQ5 Tutorials, Tutorials

AEM offers two permission models: folder-based permissioning and metadata-driven permissioning. Permissions driven by asset metadata on AEM Author instances let you apply complex, robust and loosely coupled permissions based on an asset's metadata properties.

In this tutorial we will learn:-

  • Difference between the folder-based and the metadata-driven permissioning model.
  • How to implement the metadata-driven permissioning model.
  • A few important points to consider.

Difference between the Folder Based and the Metadata Driven Permissioning Model:-

The folder-based permissioning model is the traditional model that we usually use for all scenarios. To leverage it, your DAM folder structure must be well defined, and permissions are then applied at folder level. It is not possible to have different permissions for assets within the same folder, which makes this model rigid and tightly coupled. Folders should also be broken down logically so that no single folder holds a very large number of assets, because that affects system performance when traversing the folder structure.

The metadata-driven permissioning model was introduced by Adobe in AEM as a Cloud Service to resolve the issues with unstructured DAM folder structures and to provide a more flexible and robust permissioning model.

It has many benefits over the traditional folder-structure permissioning model, such as:-

  • Fine-grained control: Users can have more control over access to assets.
  • Decoupled access control policies: Access control policies are decoupled from the folder structure.
  • Complex access control rules: Users can define complex access control rules.

Implement Metadata Driven Permissioning Model:-

AEM metadata-driven permissioning is available only in AEM as a Cloud Service. As a prerequisite, make sure you are working on the latest SDK of AEM as a Cloud Service.

The first step is to create an OSGi configuration that enables metadata-driven permissions for specific asset metadata properties.

OSGI Configuration:-

  • Determine which asset metadata properties will be used for access control. The property names are the JCR property names on the asset’s jcr:content/metadata resource. In our case these are the properties status and owner.
  • Create an OSGi configuration named com.adobe.cq.dam.assetmetadatarestrictionprovider.impl.DefaultRestrictionProviderConfiguration.cfg.json in your AEM Maven project under config.author or an environment-specific run mode.

    NOTE:- Because it needs to be consistent across all environments, I always prefer to keep it in the config.author run mode.
  • Paste the following JSON into the created file.
{
  "restrictionPropertyNames":[
    "status",
    "owner"
  ],
  "enabled":true
}
  • Replace the property names with the required values.
enable metadata permission config

Note:- The new metadata-based restriction properties will appear in the AEM permissions dropdown only if the above configuration is deployed through a code deployment to your local SDK. Editing it directly in CRX/DE won’t work.

Reset Asset Permission:-

Before adding restriction-based Access Control Entries, add a new top-level entry that first denies read access to all groups that are subject to permission evaluation for assets (e.g. “contributors” or a similar group):-

  1. Navigate to the Tools → Security → Permissions screen
  2. Select the Contributors group (or another custom group that all user groups belong to)
  3. Click Add ACE in the upper right corner of the screen
  4. Select /content/dam for Path
  5. Enter jcr:read for Privileges
  6. Select Deny for Permission Type
  7. Under Restrictions, select rep:ntNames and enter dam:Asset as the Restriction Value
  8. Click Save
deny permission parent group

Grant access to assets by metadata

Access can now be granted to user groups based on the asset metadata property names configured in the OSGi configuration. Follow the steps below to grant access based on metadata to specific user groups.

  1. Navigate to the Tools → Security → Permissions screen
  2. Select the user groups that should have access to the assets
  3. Click Add ACE in the upper right corner of the screen
  4. Select /content/dam (or a subfolder) for Path
  5. Enter jcr:read for Privileges
  6. Select Allow for Permission Type
  7. Under Restrictions, select one of the asset metadata property names configured in the OSGi configuration
  8. Enter the required metadata property value in the Restriction Value field
  9. Click the + icon to add the Restriction to the Access Control Entry
  10. Click Save

Note:- Make sure that your custom restrictions are displayed in the dropdown.

custom metadata property restriction

single property restriction

Few important points to note:-

  • Metadata properties are evaluated against the restrictions using string equality (=) only; other data types and operators, such as greater than (>) or Date comparisons, are not yet supported.
  • To allow multiple values for a restriction property, add further restrictions to the same Access Control Entry by selecting the same property from the “Select Type” dropdown, entering a new Restriction Value (e.g. status=approved, status=wip) and clicking “+” to add the restriction to the entry.

AND restrictions are supported: multiple restrictions with different property names in a single Access Control Entry (e.g. status=approved, brand=Adobe) are evaluated as an AND condition, i.e. the selected user group is granted read access only to assets with status=approved AND brand=Adobe.

AND condition for metadata restriction

OR restrictions are supported by adding a new Access Control Entry with a metadata property restriction; separate entries are evaluated as an OR condition, e.g. one entry with the restriction status=approved and another entry with brand=Adobe are evaluated as status=approved OR brand=Adobe.

OR condition for metadata restriction
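The evaluation rules above (string equality, several values for the same property as alternatives, AND across different property names in one entry, OR across entries, and the top-level deny on dam:Asset) are easy to get wrong when reviewing a permission set. The following Python is an added example written for this tutorial, not AEM's or Adobe's code: it parses a copy of the OSGi configuration shown earlier and then evaluates constructed Access Control Entries against constructed assets. Names such as Asset, Ace, load_config and evaluate_read are chosen here, and the sample assets and entries are made up. It also assumes, as the tutorial's deny-then-allow ordering relies on, that a later entry in the policy overrides an earlier one.

```python
import json
from dataclasses import dataclass, field

# Constructed copy of the DefaultRestrictionProviderConfiguration.cfg.json above.
CONFIG_JSON = """
{
  "restrictionPropertyNames": ["status", "owner"],
  "enabled": true
}
"""


def load_config(text):
    """Parse the cfg.json and reject property names the provider could not use."""
    cfg = json.loads(text)
    names = cfg.get("restrictionPropertyNames", [])
    if not isinstance(names, list) or not all(isinstance(n, str) and n for n in names):
        raise ValueError("restrictionPropertyNames must be a list of non-empty strings")
    return {"enabled": bool(cfg.get("enabled", False)), "names": set(names)}


@dataclass
class Asset:
    path: str
    metadata: dict                    # the asset's jcr:content/metadata properties


@dataclass
class Ace:
    """One jcr:read entry on `path`; allow=False models a deny entry."""
    path: str
    allow: bool
    restrictions: dict = field(default_factory=dict)   # property -> set of accepted values
    node_types: frozenset = frozenset()                  # rep:ntNames restriction


def _under(path, root):
    return path == root or path.startswith(root.rstrip("/") + "/")


def ace_matches(ace, asset, cfg):
    """True when the entry applies to this asset (path, node type and metadata)."""
    if not _under(asset.path, ace.path):
        return False
    # Every Asset in this model is a dam:Asset node.
    if ace.node_types and "dam:Asset" not in ace.node_types:
        return False
    if ace.restrictions and not cfg["enabled"]:
        raise ValueError("metadata restrictions used but the provider is disabled")
    for prop, accepted in ace.restrictions.items():
        if prop not in cfg["names"]:
            raise ValueError(f"'{prop}' is not listed in restrictionPropertyNames")
        value = asset.metadata.get(prop)
        # Plain string equality: a missing property or a different case never matches.
        # Each property must match one of its values, so properties are ANDed.
        if not isinstance(value, str) or value not in accepted:
            return False
    return True


def evaluate_read(asset, aces, cfg):
    """Assumed precedence: the last matching entry in the policy decides."""
    decision = False                  # no matching entry: no read access
    for ace in aces:
        if ace_matches(ace, asset, cfg):
            decision = ace.allow
    return decision


CONFIG = load_config(CONFIG_JSON)

# Entries in the order they were added: the top-level deny first, then the restricted allows.
CONTRIBUTOR_ACES = [
    Ace("/content/dam", allow=False, node_types=frozenset({"dam:Asset"})),
    # One entry, two properties: status IN {approved, wip} AND owner == marketing.
    Ace("/content/dam", allow=True,
        restrictions={"status": {"approved", "wip"}, "owner": {"marketing"}}),
    # A second entry is ORed with the first: owner == legal, whatever the status.
    Ace("/content/dam", allow=True, restrictions={"owner": {"legal"}}),
]

# Constructed sample assets covering the matching and non-matching cases.
SAMPLE_ASSETS = [
    Asset("/content/dam/brand/a.jpg", {"status": "approved", "owner": "marketing"}),
    Asset("/content/dam/brand/b.jpg", {"status": "wip", "owner": "marketing"}),
    Asset("/content/dam/brand/c.jpg", {"status": "approved", "owner": "sales"}),
    Asset("/content/dam/legal/d.pdf", {"status": "rejected", "owner": "legal"}),
    Asset("/content/dam/brand/e.jpg", {"owner": "marketing"}),
    Asset("/content/dam/brand/f.jpg", {"status": "Approved", "owner": "marketing"}),
]


def readable_assets(assets=None, aces=None, cfg=None):
    """Paths the contributor group may read under the entries above."""
    assets = SAMPLE_ASSETS if assets is None else assets
    aces = CONTRIBUTOR_ACES if aces is None else aces
    cfg = CONFIG if cfg is None else cfg
    return sorted(a.path for a in assets if evaluate_read(a, aces, cfg))


if __name__ == "__main__":
    for path in readable_assets():
        print("readable:", path)
```

Running it lists a.jpg, b.jpg and d.pdf only: c.jpg fails the AND on owner, e.jpg has no status property, and f.jpg differs only in case, which string equality does not tolerate. Entries that reference a property missing from restrictionPropertyNames raise, which is the same gap that shows up in AEM as the property not appearing in the restriction dropdown.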
