
SOLVED

Restricting to folder in ASSET API


Dear Community,

 

According to the Adobe docs...

The Assets HTTP API allows for create-read-update-delete (CRUD) operations on digital assets, including on metadata, on renditions, and on comments, together with structured content using Experience Manager Content Fragments. It is exposed at /api/assets and is implemented as a REST API. It includes support for Content Fragments.

 

1. Does it mean that a 3rd-party application can view everything under the asset folder?

2. How can I give restricted access to different business units under /api/assets/?

 For example: a content fragment created for a specific business unit should be under /api/assets/bu1/. They should have access to assets under this folder only.

 

Any thoughts?

 

Thanks,

1 Accepted Solution

Correct answer by Community Advisor

@cqbeginner 

Well, firstly, the third-party application needs to get access to communicate with your author instance. And secondly, the default behaviour for a successful call to the AEM OOTB Assets API is that you are an authenticated user. As a test, open an API development tool such as Postman and start making requests to https://[hostname]:[server]/api/assets.json; you'll realise there is an authentication error. This can be easily fixed by including basic authentication values in the request:

[screenshot: BrianKasingli_0-1607188402246.png]


Since we know that you must be a logged-in user, you can ensure that this specialAssetUser only has read and write access to the folder structure of your choice, in this case /content/dam/my-project/public/bu1/*.

Just answering your questions:

1. Does it mean that a 3rd-party application can view everything under the asset folder?

The authenticated user with the correct access rights can only see the specific assets and folders that are set in the ACL. (You can manage your users and groups in http://localhost:4502/useradmin.)

2. How can I give restricted access to different business units under /api/assets

You can manage your users and groups in http://localhost:4502/useradmin.

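The answer above rests on two checks a practitioner should actually run rather than assume: that /api/assets refuses anonymous reads, and that the restricted user (the answer's specialAssetUser) gets 200 only for its own business-unit folder and a 401/403/404 for every other folder. The script below is an added example, not code from the original post or from Adobe; the host, the user name and password, and the folder paths under /content/dam are placeholders you substitute for your own. It builds the same Basic Authorization header the Postman screenshot adds, maps DAM folders to their /api/assets/...json URLs, and reports whether least privilege holds. The HTTP call is injected as a function so the same logic runs against a live author instance (urllib) or a simulated one.

```python
"""Verify that an AEM Assets HTTP API service user is confined to its own folder.

Added example (not the forum answer's or Adobe's code). Assumed placeholders:
the host, 'specialAssetUser' and its password, and the bu1/bu2 folder paths.
"""
import base64
import urllib.error
import urllib.request

API_ROOT = "/api/assets"   # Assets HTTP API root, as in the Adobe docs quoted above
DAM_ROOT = "/content/dam"  # JCR subtree that /api/assets exposes


def basic_auth_header(user: str, password: str) -> str:
    """Build the 'Authorization: Basic ...' value Postman adds for basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def api_path_for(dam_folder: str) -> str:
    """Map /content/dam/my-project/public/bu1 to /api/assets/my-project/public/bu1.json."""
    if not dam_folder.startswith(DAM_ROOT + "/"):
        raise ValueError(f"not under {DAM_ROOT}: {dam_folder}")
    return f"{API_ROOT}{dam_folder[len(DAM_ROOT):]}.json"


def urllib_fetch(url: str, headers: dict) -> int:
    """Real HTTP GET returning the status code (4xx/5xx returned, not raised)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_folders(fetch, base_url, user, password, folders):
    """Return {dam_folder: http_status} for each folder, requested as `user`.

    `fetch(url, headers) -> int` is injected so this runs against a live
    instance (urllib_fetch) or a simulated one in a test."""
    headers = {"Authorization": basic_auth_header(user, password)}
    return {f: fetch(base_url + api_path_for(f), headers) for f in folders}


def least_privilege_holds(fetch, base_url, user, password, allowed, denied):
    """True only if: anonymous reads are refused, every allowed folder answers
    200, and every denied folder answers 401/403 (or 404, which is what AEM
    returns when the user may not even see that a node exists)."""
    if fetch(base_url + api_path_for(allowed[0]), {}) == 200:
        return False  # endpoint readable without credentials: ACLs are moot
    statuses = probe_folders(fetch, base_url, user, password, list(allowed) + list(denied))
    allowed_ok = all(statuses[f] == 200 for f in allowed)
    denied_ok = all(statuses[f] in (401, 403, 404) for f in denied)
    return allowed_ok and denied_ok


if __name__ == "__main__":
    # Placeholder target; replace with your author host and the real credentials.
    BASE = "https://author.example.com"
    ALLOWED = ["/content/dam/my-project/public/bu1"]
    DENIED = ["/content/dam/my-project/public/bu2", "/content/dam/my-project/internal"]
    print(probe_folders(urllib_fetch, BASE, "specialAssetUser", "change-me", ALLOWED + DENIED))
    print("least privilege holds:",
          least_privilege_holds(urllib_fetch, BASE, "specialAssetUser", "change-me", ALLOWED, DENIED))
```

Run it against the author instance after setting the ACL; a 200 on bu2, or a 200 without the Authorization header, means the folder restriction is not effective at the API and needs fixing in /useradmin before the third party gets the credentials.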

4 Replies


Level 1

Hi, I have almost the same problem.

But I noticed that in my environment, the api requests to the author instance require authentication, while requests exposed by the publish instance are served WITHOUT authentication.

I need to expose the API through the Dispatcher to the internet, but I would like it to be authentication-protected.

 

Maybe it's an issue with my AEM version (6.2 - on premises) ?

 

Thanks.