Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

Asset Metadata Schema - Giving Access to Non-Admins

Avatar

Level 1

We've been working to separate all of our agency websites' permissions so that instead of the agencies coming to our team for creating Asset Metadata Schemas, they will be able to create these schemas themselves.

Currently, I had searched tooth and nail, and the closest I could get was via this Experience League article (https://experienceleague.adobe.com/docs/experience-manager-65/content/assets/administer/metadata-sch...) that specifies under the section "Grant access to metadata schemas":

"The Metadata Schema feature is available to administrators only. However, administrators can provide access to non-administrators by modifying some permissions. Provide the non-administrator users create, modify, and delete permissions on the /conf folder."

Setting the permissions as specified to our created Group does in fact allow the user to enter the schema after clicking "edit", but when the form opens, it has a "lock" across it, allowing no fields to be added, deleted, or updated/edited. I have found other articles mentioning combinations of read/write/create/delete access to other locations such as "/libs/dam/gui/content/assets" and "libs/wcm/core/content/damadmin", but came up empty with results. Our path "/conf/global/settings/dam/adminui-extension" also seems to consistently disallow the Modify here as "noneffective." Not sure if this could be a root issue but is the next step we are looking at.

Any help is greatly appreciated. I feel like we're just missing a couple extra access permissions to allow actual editing within the metadata schema form editor. My actual Admin account does no help, as I have all rights/permissions across the platform, making it impossible to deduce what exactly is needed or where. I figured this would be something that could be handled in a more standard fashion, but is honestly giving us some issues. Maybe a fresh set of eyes and ears can help.

Thank you in advance for anyone that jumps in!

 

RichardLo3_1-1704404453267.png

 

RichardLo3_0-1704404019176.png

 

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Only applying create, modify, and delete permissions on the /conf folder should work. I created a test user with above permission and adding dam user group default aem OOTB to the the test user and was able to edit existing the metadata and also able to create a new metadata schema. Check the group permission of which this user is assigned. May be group permission assigned to this user might be causing the issue 

View solution in original post

4 Replies

Avatar

Correct answer by
Community Advisor

Only applying create, modify, and delete permissions on the /conf folder should work. I created a test user with above permission and adding dam user group default aem OOTB to the the test user and was able to edit existing the metadata and also able to create a new metadata schema. Check the group permission of which this user is assigned. May be group permission assigned to this user might be causing the issue 

Avatar

Level 1

Thank you for the response. We are investigating the default group assignment for anything that may be overriding the defaults. I will reply once we have determined a root cause.

Avatar

Level 3

Hi @DPrakashRaj,

 

I am also trying to solve this permissions challenge with the custom metadata schema. 

So the default metadata schema is accessible to all users and groups no matter what permissions they have. 

I created a custom metadata schema based on the duplicated default metadata schema. When it is applied on folders - I get access issues. Some users get locked out of the folders with assets, some users don't see the customised metadata schema. This is the path to custom schema in my case: /conf/global/settings/dam/adminui-extension/metadataschema/default-incoming-images

 

I am thinking - is there a way to move custom "default-incoming-images" schema to the location of the default metadata schema (where does it live within folder structure)? If that was possible all users/groups will see it and will be able to fill in the metadata fields and save.

 

Or - is it enough to give create, modify and delete permissions direct in this level : /conf/global/settings/dam/adminui-extension/metadataschema/? Will it override the access restrictions to top level /conf folder? Or do the access restrictions to the top level /conf trickle down through all below levels of folders?

What is the risk if all user groups get access to /conf? Will user groups with permissions be able to modify the metadata schema through tools? I only need them to be allowed to see the schema and to be able to enter the required metadata. 

 

Many thanks

Avatar

Community Advisor

I believe only admins can modify the metadata schema. There is no harm in testing with updating the user create, modify and delete permission to /conf/global/settings/dam/adminui-extension/metadataschema/