In the past we had quite a strict permission model where each author did only see what he/she was supposed to see. From an authoring point of view this was good as authors couldn't reuse content from other brands (or even countries of the same brand). From an admin point of view however this was a nightmare. We have different brands and a total of about 70 different country websites. Some of the roles were specific to a country of a single brand while others included multiple countries of the same brand (e.g. all German or French speaking countries) and then we had roles that spanned even across brand borders (e. g. the US website at all brands). Needless to say that this sometimes became really cumbersome to manage.
Now we relaunch our websites one by one and we thought we should give the "positive" permission model desribed at  and  a try. Basically everybody can see everything (in /content and /content/dam) and one can only edit those sites for which he/she has the corresponding role assigned. This works like a charm and is really easy to manage since it's quite modular (especially with tools like ACTool or APM). One problem with this approach however is that we have some assets (not all of them) that should only be available for use in certain brands. In the content finder (we use AEM 6.2 TouchUI) a regular author can now see assets from all brands and has no information from which brand the asset is coming from.
One idea was to overlay the content finder to either provide a dropdown box to select the brand for which assets should get displayed or even extend the CF search implicitly to only allow for assets to be displayed that are available in the same branch or in a common folder. The other approach would be to have a strict permission model for Assets (basically deny /content/dam for everyone and then allow /content/dam/common for everybody and /content/dam/brand1 for selected authors). However I'm afraid this might lead to the permission nightmare that we already had. Therefore I would favor a permissive permission model.
Has anyone already had this task and if so how did you solve this issue. If we go for the approach where we extend the CF query to only show certain assets are there any downsides we should keep in mind.
Any help is much appreciated.
I recommend going with what is stated in Best Practices - AEM Eng signed off on this and they feel it represents best practice.
Thank you for your response. Do I understand you correctly that what you suggest is that we should go for the CF overlay approach and keep the permission model permissive? That would be my favored approach however I'm concerned that it might have sight effects that we don't foresee at the moment.