Adobe Experience Manager Sites & More

JamesMa43 · 4/28/25

While I have seen some suggestions related to using metadata values to restrict download while still allowing the group to view (read) assets, but I do not quite understand the approach. I would be interested in any approach that would provide this restriction effectively.

JamesMa43 · 5/8/25

Thank you all for your input. I will be attempting a combination of approaches as I have a few use cases which will be serve best by a metadata approach and one which using the Render Condition may be more appropriate.

View solution in original post

SantoshSai · 4/28/25

Hi @JamesMa43,

So, in AEM as a Cloud Service (AEMaaCS) Assets, you can’t directly deny download using permissions.
You can allow users to view/read assets easily by giving them jcr:read, but there’s no separate "deny download" button out of the box.

May be you can use metadata and download profile trick:

Create a custom metadata property, like allowDownload = false.
Then, you set up a Download Profile that checks this property - and hides or disables the download button if allowDownload is false.

So when the users from that specific group open an asset, they can see it, preview it, but can’t download it easily.

Hope that helps!

Santosh Sai

ShivamKumar · 4/28/25

Hi @JamesMa43 ,

You can try below things to restrict any group/user to download any asset:-

1. Define an ACE which allows permission like this to any asset:-

path: /content/dam/project/asset.jpg
privileges: ["jcr:read"]
allow

2. Allow access to renditions (other than the original):

path: /content/dam/project/jcr:content/renditions/*
privileges: ["jcr:read"]
allow

2. Create a ACE which denies permission for original so it will ensure that file will not be downloaded

path: /content/dam/project
privileges: ["jcr:read"]
deny
glob: "*/jcr:content/renditions/original"

Let me know it it works.

Thanks.

muskaanchandwani · 4/28/25

Hello @JamesMa43

AEM’s permissions do not have a separate “download” privilege.
If a user has read access to the original rendition of an asset file, they can also download it - download is fundamentally tied to read permissions.
This means any user or group that can read the /jcr:content/renditions/original node of an asset can download the original file.

You can use a Render Condition to hide the download button for certain groups.
You can also deny read access to /jcr:content/renditions/original for your restricted group.
They’ll still see thumbnails but won’t be able to fetch full-quality downloads.

Path: /content/dam/wknd/en/site
Principal: [your group or user]
Type: Deny
Privilege: jcr:read
Restriction: rep:glob = */jcr:content/renditions/original

The download button may still appear in the UI, but any attempt to actually download the original asset will fail due to denied permissions.

aanchal-sikka · 5/5/25

@JamesMa43 Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

Aanchal Sikka

JamesMa43 · 5/8/25

Thank you all for your input. I will be attempting a combination of approaches as I have a few use cases which will be serve best by a metadata approach and one which using the Render Condition may be more appropriate.