Restricting to folder in ASSET API | Community
Skip to main content
C
cqbeginner
Level 2
December 5, 2020
Solved

Restricting to folder in ASSET API

  • December 5, 2020
  • 2 replies
  • 1574 views

Dear Community,

 

According to Adobe docs...

The Assets HTTP API allows for create-read-update-delete (CRUD) operations on digital assets, including on metadata, on renditions, and on comments, together with structured content using Experience Manager Content Fragments. It is exposed at /api/assets and is implemented as REST API. It includes support for Content Fragments

 

1. Does it mean that, a 3rd party application can view everything under asset folder?

2. How can I give restricted access to different business units under /api/assets/

 For example: content fragment created for specific business unit should be under /api/assets/bu1/. They should have access to assets under this folder only.

 

Any thoughts?

 

Thanks,

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by BrianKasingli

@cqbeginner 

Well, firstly, the third-party application needs to get access to communicate with your author instance. And secondly, the default behavior to successfully make a call to the AEM OOTB asset's API is when you are an authenticated user. As a test, open API development tool such as POSTMAN and start making requests to https://[hostname]:[server]/api/assets.json, you'll realise there will be an authentication error; this can be easily fixed by including basic authentication values to the request:


Since we know that you must be a logged-in user, you can ensure that this specialAssetUser only have read and write methods to the folder structure of your choice in this case, /content/dam/my-project/public/bu1/*.

Just question answering your questions:

1. Does it mean that, a 3rd party application can view everything under asset folder?

The authenticated user with the correct access rights can only see specific assets and folders that are set in the ACL. (you can manage your user and groups in http://localhost:4502/useradmin)

2. How can I give restricted access to different business units under /api/assets

you can manage your user and groups in http://localhost:4502/useradmin

2 replies

BrianKasingli
Community Advisor and Adobe Champion
BrianKasingliCommunity Advisor and Adobe ChampionAccepted solution
Community Advisor and Adobe Champion
December 5, 2020

@cqbeginner 

Well, firstly, the third-party application needs to get access to communicate with your author instance. And secondly, the default behavior to successfully make a call to the AEM OOTB asset's API is when you are an authenticated user. As a test, open API development tool such as POSTMAN and start making requests to https://[hostname]:[server]/api/assets.json, you'll realise there will be an authentication error; this can be easily fixed by including basic authentication values to the request:


Since we know that you must be a logged-in user, you can ensure that this specialAssetUser only have read and write methods to the folder structure of your choice in this case, /content/dam/my-project/public/bu1/*.

Just question answering your questions:

1. Does it mean that, a 3rd party application can view everything under asset folder?

The authenticated user with the correct access rights can only see specific assets and folders that are set in the ACL. (you can manage your user and groups in http://localhost:4502/useradmin)

2. How can I give restricted access to different business units under /api/assets

you can manage your user and groups in http://localhost:4502/useradmin

    C
    cqbeginnerAuthor
    Level 2
    December 9, 2020
    Thanks Brian. It's very clear.
    G
    Gian74
    March 12, 2021

    Hi I have almost the same problem.

    But I noticed that in my environment, the api requests to the author instance require authentication, while requests exposed by the publish instance are served WITHOUT authentication.

    I need to expose the api though the dispatcher to the internet, but I would like it to be authentication-protected .

     

    Maybe it's an issue with my AEM version (6.2 - on premises) ?

     

    Thanks.

    Terms & ConditionsAccessibility statement

    Loading footer...