I have seen some suggestions related to using metadata values to restrict download while still allowing the group to view (read) assets, but I do not quite understand the approach. I would be interested in any approach that would provide this restriction effectively.
Hi @JamesMa43,
So, in AEM as a Cloud Service (AEMaaCS) Assets, you can’t directly deny download using permissions.
You can allow users to view/read assets easily by giving them jcr:read, but there’s no separate "deny download" button out of the box.
Maybe you can use the metadata and download profile trick:
Create a custom metadata property, like allowDownload = false.
Then, you set up a Download Profile that checks this property - and hides or disables the download button if allowDownload is false.
So when the users from that specific group open an asset, they can see it, preview it, but can’t download it easily.
Hope that helps!
Hi @JamesMa43 ,
You can try the things below to restrict any group/user from downloading any asset:-
1. Define an ACE which allows permission like this to any asset:-
path: /content/dam/project/asset.jpg
privileges: ["jcr:read"]
allow
2. Allow access to renditions (other than the original):
path: /content/dam/project/jcr:content/renditions/*
privileges: ["jcr:read"]
allow
3. Create an ACE which denies permission for the original, so it will ensure that the file will not be downloaded:
path: /content/dam/project
privileges: ["jcr:read"]
deny
glob: "*/jcr:content/renditions/original"
Let me know if it works.
Thanks.
Hello @JamesMa43
AEM’s permissions do not have a separate “download” privilege.
If a user has read access to the original rendition of an asset file, they can also download it - download is fundamentally tied to read permissions.
This means any user or group that can read the /jcr:content/renditions/original node of an asset can download the original file.
Path: /content/dam/wknd/en/site
Principal: [your group or user]
Type: Deny
Privilege: jcr:read
Restriction: rep:glob = */jcr:content/renditions/original
The download button may still appear in the UI, but any attempt to actually download the original asset will fail due to denied permissions.
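To check which repository paths the deny entry in the replies above covers, the following added example (not part of any reply, and not Adobe or Oak code) models how Oak matches rep:glob as described in the Oak documentation: the glob is appended to the entry's path and * matches any run of characters, including /. The asset name hero.jpg, the sample paths and the trailing-* variant are constructed for illustration.

```python
import re

ACE_PATH = "/content/dam/wknd/en/site"          # node the entry is set on (from the reply)
GLOB = "*/jcr:content/renditions/original"      # rep:glob value (from the reply)
ASSET = ACE_PATH + "/hero.jpg"                  # constructed asset name

# Constructed sample paths for one asset and its renditions.
SAMPLE_PATHS = [
    ASSET,
    ASSET + "/jcr:content/metadata",
    ASSET + "/jcr:content/renditions/cq5dam.thumbnail.319.319.png",
    ASSET + "/jcr:content/renditions/cq5dam.web.1280.1280.jpeg",
    ASSET + "/jcr:content/renditions/original",
    ASSET + "/jcr:content/renditions/original/jcr:content",
]


def glob_matches(ace_path, glob, item_path):
    """Return True if item_path is covered by an entry at ace_path with this rep:glob.

    Models only the pattern match (assumed from the Oak documentation).
    """
    if glob is None:  # no restriction: the node and its whole subtree
        return item_path == ace_path or item_path.startswith(ace_path.rstrip("/") + "/")
    if glob == "":  # empty glob: the node itself only
        return item_path == ace_path
    pattern = ace_path + glob  # the glob is appended to the entry's path as-is
    if "*" not in glob:  # no wildcard: that path and everything below it
        return item_path == pattern or item_path.startswith(pattern + "/")
    # '*' matches any run of characters, '/' included; the whole path must match.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, item_path, re.DOTALL) is not None


def covered_paths(ace_path, glob, paths):
    """List the paths an entry with this glob applies to."""
    return [p for p in paths if glob_matches(ace_path, glob, p)]


if __name__ == "__main__":
    for glob in (GLOB, GLOB + "*"):  # second value is a constructed variant
        print("rep:glob =", glob)
        for path in covered_paths(ACE_PATH, glob, SAMPLE_PATHS):
            print("  covered:", path)
```

With the glob from the replies, only the node renditions/original matches and the other renditions stay readable; items below original are matched only by the variant with a trailing *.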
@JamesMa43 Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!
Thank you all for your input. I will be attempting a combination of approaches, as I have a few use cases which will be served best by a metadata approach and one for which using the Render Condition may be more appropriate.