Expand my Community achievements bar.

Submissions are now open for the 2026 Adobe Experience Maker Awards.
SOLVED

Using AEMaaCS Assets, I need to Deny Download while Allowing Read for a specific Group

Avatar

Level 1

While I have seen some suggestions related to using metadata values to restrict download while still allowing the group to view (read) assets, but I do not quite understand the approach. I would be interested in any approach that would provide this restriction effectively.

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

1 Accepted Solution

Avatar

Correct answer by
Level 1

Thank you all for your input. I will be attempting a combination of approaches as I have a few use cases which will be serve best by a metadata approach and one which using the Render Condition may be more appropriate.

View solution in original post

5 Replies

Avatar

Community Advisor

Hi @JamesMa43,

So, in AEM as a Cloud Service (AEMaaCS) Assets, you can’t directly deny download using permissions.
You can allow users to view/read assets easily by giving them jcr:read, but there’s no separate "deny download" button out of the box.

May be you can use metadata and download profile trick:

  • Create a custom metadata property, like allowDownload = false.

  • Then, you set up a Download Profile that checks this property - and hides or disables the download button if allowDownload is false.

So when the users from that specific group open an asset, they can see it, preview it, but can’t download it easily.

Hope that helps!


Santosh Sai

AEM BlogsLinkedIn


Avatar

Level 5

Hi @JamesMa43 ,

 

You can try below things to restrict any group/user to download any asset:-

 

1. Define an ACE which allows permission like this to any asset:-

path: /content/dam/project/asset.jpg
privileges: ["jcr:read"]
allow

 

2. Allow access to renditions (other than the original):

path: /content/dam/project/jcr:content/renditions/*
privileges: ["jcr:read"]
allow


2. Create a ACE which denies permission for original so it will ensure that file will not be downloaded

path: /content/dam/project
privileges: ["jcr:read"]
deny
glob: "*/jcr:content/renditions/original"

 

Let me know it it works.

 

Thanks.

Avatar

Employee

Hello @JamesMa43 

AEM’s permissions do not have a separate “download” privilege.
If a user has read access to the original rendition of an asset file, they can also download it - download is fundamentally tied to read permissions.
This means any user or group that can read the /jcr:content/renditions/original node of an asset can download the original file.

  • You can use a Render Condition to hide the download button for certain groups.
  • You can also deny read access to /jcr:content/renditions/original for your restricted group.
    They’ll still see thumbnails but won’t be able to fetch full-quality downloads.
Path: /content/dam/wknd/en/site
Principal: [your group or user]
Type: Deny
Privilege: jcr:read
Restriction: rep:glob = */jcr:content/renditions/original

The download button may still appear in the UI, but any attempt to actually download the original asset will fail due to denied permissions.

Avatar

Community Advisor

@JamesMa43 Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!


Aanchal Sikka

Avatar

Correct answer by
Level 1

Thank you all for your input. I will be attempting a combination of approaches as I have a few use cases which will be serve best by a metadata approach and one which using the Render Condition may be more appropriate.