Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Next »

General information

Roles can be added to users in three ways:

  1. Directly on the user (Role→User)

  2. Inherited via a group which the user is a part of (Role→Group→User)

  3. Inherited via a group that has the role inherited from another group (Role→Group→Group→User) (Technically, you can have unlimited groups in groups - but the groups must never create a circular reference)

Users can simultaneously have roles added directly and roles inherited via groups - having the same role added twice (or multiple times) doesn't have an impact. Removing e.g. a group with a duplicate role - will still leave your user with the role.

Roles and groups that have been inherited, will be greyed out. (You also inherit download qualities, but our current implementation does not make them show up. In a perfect world, the inherited download qualities would show up as greyed out)

If you have duplicate roles then the role will have a (+) appended

List of roles

id

Role

Description

2

Uploader

Gives access to create and upload new assets

25

Editor_SystemTools_Profiles

This role is obsolete

27

Editor_SystemTools_UserManager_Users

Gives access to see and edit users in DAM administration view

29

Editor_Catalogs

This role is obsolete

30

Viewer_Catalogs

This role is obsolete

36

Editor_SystemTools_UserManager_Groups

Gives access to see and edit groups in DAM administration view

37

Editor_SystemTools_Metadata

Gives access to see and edit metadata definitions

38

Administrator

Administrator role used for all administration APIs

41

Editor_SystemTools_Destinations

This role is obsolete

42

Editor_SystemTools_Dam

This role is obsolete

43

Editor_SystemTools_DigizuiteConfig

Gives access to see and edit service configurations in DAM administration view

44

Editor_SystemTools_MediaFormat

Gives access to see and edit connector settings.

45

Editor_SystemTools_TranscodeSetting

Gives access to see and edit transcodes in DAM administration view

46

Editor_Portal

This role is obsolete

50

Editor_Portal_Admin

This role is obsolete

52

RunningJobs_View

Gives access to see your own upload progress

54

RunningJobs_ViewAll

Gives access to see all upload progress

55

RunningJobs_EditOwn

This role is obsolete

57

RunningJobs_EditAll

This role is obsolete

58

RunningJobs_ChangePriority

This role is obsolete

59

RunningJobs_AdminViewSubmitXML

This role is obsolete

60

Uploader_ShowFolderSelector

This role is obsolete

61

Uploader_ReplaceWithArchive

This role is obsolete

62

Uploader_ReplaceWithoutArchive

This role is obsolete

65

Editor_SystemTools_Config

This role gives access to product configuration including searches, labels, and configuration

67

VP3_Portal_Admin_StartScreen

This role is obsolete

68

VP3_Portal_Admin_VideoSlides

This role is obsolete

72

ItemControlAdmin

This role is obsolete

74

Editor_SystemTools_AlwaysAllowItemSecurityEdit

This role ignores all item security - use carefully!

76

MediaPortal_Admin_StartScreen

Allows editing of the start screen in Media Manager

77

MediaPortal_Admin_Users

This role is obsolete

78

MediaPortal_Admin_Log

This role is obsolete

79

MediaPortal_Admin_Trash

This role is obsolete

80

MediaPortal_User

Basic user role that gives access to login into MediaManager

81

MediaPortal_Collection

Gives access to collections

82

MediaPortal_Uploader

Gives access to upload from MediaManager

83

MediaPortal_Downloader

This role is obsolete

84

Editor_SystemTools_PlayerTemplate

This role is obsolete

85

Editor_SystemTools_Stopwords

This role is obsolete

86

Editor_SystemTools_License

This role is obsolete

87

Editor_SystemTools_Status

This role is obsolete

88

Editor_SystemTools_Workflow

This role is obsolete

90

Editor_SystemTools_MediaFormatType

This role is obsolete

91

Editor_SystemTools_MetaDataLanguage

This role gives access to managing languages

92

MediaPortal_Asset_Replacer

This role is obsolete

93

MediaPortal_Asset_Unpublisher

This role is obsolete

94

Upload_Only

This role is obsolete

95

Member_Viewer

This role allows users to see information about other users

103

Comments_CRUD

Gives access to see, add, delete and edit own comments

104

Comments_View

Gives access to see comments

105

Comments_Admin_Delete

Gives access to delete all comments

106

Asset_Can_Download

Gives access to download assets - Please note that download is controlled by a set of roles and download qualities

107

Asset_Can_Download_Custom_Quality

Gives access to download custom renditions if enabled by configuration

108

Asset_Can_Replace

Allows users to replace assets

109

Asset_Can_Revise

Allows users to replace an asset with a trim or crop

110

Asset_Can_Crop

Allows users to crop and trim assets

111

AuditTrail_View

Allows users to view audit trail for assets

112

Ai_Add

Allows users to use AI capabilities if enabled and configured

113

Can_Change_Styling_And_Theming

Allows users to change the styling and theming when Brand portal is not enabled

114

WorkStages_View

This role allows the user to see the statuses of tasks they're assigned to

115

WorkStages_Edit_Others

This role allows editing of asset status' they are not assigned to

116

WorkStages_View_Others

This role allows users to always see asset status

117

GDPR_Admin

Allows users to do GDPR actions

121

Saved_Searches_CRUD

Gives access to saved searches

122

Ai_Translate

Gives access to use metadata translation APIs

123

Integration_Endpoints_View

Allows users to see integration endpoints

124

Integration_Endpoints_CRUD

Allows users to edit integration endpoints

125

Asset_Can_Delete_Permanently

Allows users to permanently delete assets

126

Can_Edit_Automation_Workflow

Allows editing of automations

127

Can_View_Logs

Allows users to see system logs

128

Can_View_Automation_Workflow_Status

Allows users to see the status of automations 

129

Can_Live_Export_Assets_And_Metadata

Full access for downloading and exporting assets and its metadata

130

Can_Live_Export_Asset_Only

Gives access to download assets

131

Can_Live_Export_Metadata_Only

Gives access to export metadata for assets

132

Business_Workflow_View

Gives access to see the workflow definitions

133

Business_Workflow_CRUD

Gives access to edit the workflow definitions

134

Download_Approval_Bypass

If download approval is enabled, this role bypasses it

135

Download_Approval_Admin

Gives access to configure download approval

136

Copyright_Notification_Bypass

If copyright notification is enabled, this role bypasses it

138

Youtube_Admin

Gives access to configure Youtube integrations

139

Business_Workflow_Instance_View_Others

This role allows the users to see tasks in Workflows they are not assigned to

140

Asset_Can_Download_Any

Bypasses all download rules

141

Can_See_Grafana_Shortcut

Gives access to system monitoring

142

Comments_Admin_Update

Gives access to edit all comments

143

Business_Workflow_General_Transition_Executor

Allows users to do transitions in workflow tasks that have no user constraints on transition

144

Business_Workflow_Instance_Delete

Allows users to delete workflow tasks

147

Business_Workflow_Instance_View

Allows users to see workflow tasks they are assigned to

148

Business_Workflow_Instance_Transition

Allows users to see transitions

149

Business_Workflow_Instance_Assign

Allows assigning workflow tasks to other people

150

EditSso

Allows editing of SSO settings

151

CanImpersonate

Allows a user to create access keys for other users. Be careful with this role as it allows bumping user access. Should only be used for System user

152

FileRepository_Read

Used for files in workflows. This gives the users access to see attached files

153

FileRepository_Read_Secret

Used for files in workflows. This gives the users access to see secret attached files

154

FileRepository_Upload

Used for files in workflows. This gives the users access to see uploaded files

155

FileRepository_Delete

Used for files in workflows. This gives the users access to see delete uploaded files

156

MailTemplates_CRUD

Allows users to edit mail templates

157

Can_Force_Job_Status_Change

Allows users to change job status, for example restarting a failed job

158

Can_Configure_Members

Used in MediaManager to allow editing users. This is behind a feature flag in the current version. Will be available in the future

159

Can_Rerun_Workflows

This allows users to run automations with a manual trigger

160

ItemCheckInOut_CRUD

This gives access to check-in and check-out

161

ChannelFolder_CRUD

Allows the user to edit Channel folders. As of this release, this is a new API not being used in any UI and therefore this role is not needed by users

162

ChannelFolder_View

Allows the user to see Channel folders. As of this release, this is a new API not being used in any UI and therefore this role is not needed by users

163

ConfigManagement_Admin

Allows users to edit the configuration for products. This is a new API and is not available through UI yet.

170

Creative_Cloud_Connector

Allows users access to the Creative Cloud Connector

171

Can_See_Generic_Job_Status

Allows users to see generic job status - for instance elastic re-indexing 

172

Can_Admin_Accelerated_Search

Allows users to see the status for search administration in Media Manager

173

Smart_Asset_Picker_Connector

Allows users to use the embedded Media Manager UI

174

Can_configure_portals

Allows editing of Digizuite portals. Requires FileRepository_Upload and FileRepository_Delete to work

175

Can_view_portals

Allows users to see Digizuite portals

176

Can_view_metadata_tab

Allows users to see the metadata tab on asset details

177

Can_view_related_assets

Allows users to see the related assets tab on asset details

178

Can_manage_filters_and_fields

Allows users to set up filters and free text searching. Requires Editor_systemTools_config to work

179

Can_configure_external_sharing

Allow users to configure external sharing. Requires Editor_systemTools_config to work

180

Can_view_service_health

Allows users to see the health status of the DigizuiteCore services

181

Asset_Can_Archive

Allows users to archive (soft delete) assets

182

Can_view_rabbit_health

Allows users to see the RabbitMQ queues

183

Can_crud_rabbit_health

Allows users to perform move and pruge messages also create and delete temp queues in RabbitMQ

184

Collection_Super_Administrator

Allows the user to access the apis defined under "DigizuiteCore/CollaborationService/api/collection/admin". These are currently only used by AW. So only the System user really needs this role, though by default it is given to the Super Administrator group. 

186

Upload_with_required_metadata

Limits the user to fill in all required metadata fields before an asset upload can be performed

187

Can_crop_email

Allows the user to make a crop and e-mail it to someone

191

Collection_can_share_mail

Allows the user to share with an external e-mail (available from 5.6.1, but not enabled before 5.6.2) can be turned on through Media Manager Settings → collections → Enable external collection sharing

192

Collection_can_share_zip

Allows the user to share asset(s) as a zip (available from 5.6.1, but not enabled before 5.6.2) can be turned on through Media Manager Settings → collections → Enable external collection sharing

193

Collection_can_share_user

Allows the user to share collections with other users (available from 5.6.1, but not enabled before 5.6.2) can be turned on through Media Manager Settings → collections → Enable external collection sharing

194

Collection_can_share_group

Allows the user to share with groups (available from 5.6.1) can be turned on through Media Manager Settings → collections → Enable external collection sharing

195

Collection_can_share_link

Allows the user to share a collection as a link (available from 5.6.1, but not enabled before 5.6.2) can be turned on through Media Manager Settings → collections → Enable external collection sharing

196

Can_Configure_Importer

Allows the user to configure the importer

197

Can_change_password

Allows the user to change it's own password

198

Can_embed_assets

Allows the user to use the embed video feature

199

Can_embed_assets_admin

Allows the user to manage active embeds

200

Can_edit_combo_nodes

Instead of granting access individually per CV, this gives you write rights to all combo values. This role functions as an OR; adding this changes nothing if you already have write rights.

201

Can_edit_tree_nodes

Instead of granting access individually per tree, this gives you write rights to all tree nodes. This role functions as an OR; adding this changes nothing if you already have write rights. However, even if you have write rights to the MM folders, this is still required for users to edit MM folders via brand portal. 

203

Analytics_viewer

Allows the user to view analytics.

204

Analytics_writer

Allows the user to create, update, and delete dashboards.

205

Formats_CRUD

Allows the user to create, read, update, and delete formats. NB: Since users with this role can define image formats with custom ImageMagick commands, the role must only be given to very trusted users to avoid command injection attacks.

206

SystemAdministrationAuditTrail_View

Allows the user to watch audit trail information on system configs.

207

Can_Switch_To_Database_Mode

Allows the user to switch to "Database Mode" in the advanced search UI in the Media Manager.

NB: This only affect the visibility of the "Database Mode" button in the UI. The user can still use database mode by calling the API manually.

208

AssetCategories_reader

Allows the user to view the asset category definitions in the system.

209

AssetCategories_writer

Allows the user to create, update and delete asset category definitions.

210

Analytics_exporter

Allows exporting data from the analytics service via the api. 

211

MediaPortal_Audio_Embed

Allow user to embed audio

Features

The other way around - what roles and rights need to be added to enable a feature

MediaPortal_User is needed to access MM - so for all MM features below, it's given that MediaPortal_User is already enabled.

In a lot of instances, you also need read access to assets. I only scarcely add this as a right sometimes. Usually, it's self-evident that one should have read access to an asset to add it to a collection.

The Upload folder (46) is the default folder for uploading. This can be changed - and if changed, use this other folder instead.

For Keywords - Keywords (10192) is the default. This can of course also be changed - where you should use this new metadata field instead.

All users must have read rights to the following metafields:

  • .../Media Manager/is Public

  • .../Asset Info/Media Manager Menu

  • .../Tasks/Status

  • .../Tasks/Owner

  • .../Tasks/Message

Without these, recipients of shares can experience assets not loading.

Features in MM

Roles

Rights

ConfigManager

Upload assets via MM + see "Your uploads".

MediaPortal_Upload 

Write access to the "Upload" folder (Usually granted through the "Trusted" group)

Enable users to change their profile information

Enable users to see and edit their account information = True

Upload/change profile image via MM

MediaPortal_Upload 

Enable profile images = True

Enable users to see and edit their account information = True

Restore old asset version via MM

Asset_Can_Replace

Write access to the "Upload" folder (Usually granted through the "Trusted" group) (Having write access to Content does nothing)

Replace asset + See "Asset History" (Not audit trail)

Asset_Can_Replace

Write access to the asset

See asset statuses + Enable the "My tasks" view

WorkStages_View

Read access to the asset

Enable the "All tasks" view

WorkStages_View

WorkStages_View_Others

Read access to the asset

Change/set assets' statuses (on assets not already assigned to other users - Meaning only assets where you or none is assigned)

Member_Viewer

WorkStages_View

Write access to the asset

Write rights to the combo options in "Metadata → Asset → Shared → Tasks → Status" and then "Metadata field label → Edit combo values" (usually granted via trusted)

Change/set assets' statuses (regardless of who they're assigned to)

Member_Viewer

WorkStages_View

WorkStages_Edit_Others

Write access to the asset

Write rights to the combo options in "Metadata → Asset → Shared → Tasks → Status" and then "Metadata field label → Edit combo values" (usually granted via trusted)

Printing

Asset_Can_Download

The asset is "public" (no padlock)

Enable (single- and multi-) download of an asset's predefined qualities

Enable (single- and multi-) download of assets and metadata

Enable download of collections as a zip

Asset_Can_Download

Can_Live_Export_Assets_And_Metadata

The asset is "public" (no padlock)

Should be added to a group with download qualities: "Guest", "Light Users", "Content Creators", "Administrators", or "Super Administrators"

Enable (single- and multi-) download of an asset's predefined qualities

Enable (single- and multi-) download of metadata

Enable download of collections as a zip

Asset_Can_Download

Can_Live_Export_Metadata_Only

The asset is "public" (no padlock)

Should be added to a group with download qualities: "Guest", "Light Users", "Content Creators", "Administrators", or "Super Administrators"

Enable (single- and multi-) download of an asset's predefined qualities

Enable (single- and multi-) download of assets

Enable download of collections as a zip

Asset_Can_Download

Can_Live_Export_Asset_Only

The asset is "public" (no padlock)

Should be added to a group with download qualities: "Guest", "Light Users", "Content Creators", "Administrators", or "Super Administrators"

Download custom qualities

Asset_Can_Download

Asset_Can_Download_Custom_Quality

The asset is "public" (no padlock)

Custom quality color spaces = must have content

Custom quality image types = must have content

Enable custom quality download = true

Enable embed as a sharing option for videos

MediaPortal_Video_Embed

MediaPortal_Share

The "Embed player user" has read rights to the video assets

Choose available embed video sizes = must have content

Choose available embed video qualities = must have content

Embed player user = must have content (usually "Guest")

Enable sharing assets to/via collections (Create new, Add to existing)

MediaPortal_Share

MediaPortal_Collection

The asset is "public" (no padlock)

Add asset to own collection.

MediaPortal_Collection

The asset is "public" (no padlock)

Enable the ability to CRUD own collections

MediaPortal_Collection

Enable ability to CRUD own collections + CRUD collections shared to oneself/Others

MediaPortal_Collection

Give new recipients of non-social collections (e.g. not Facebook collections) access to manipulate collections = true

Enable non-pre-existing users to read collections on an SSO site

MediaPortal_Collection

Allow shared collection users to bypass login required screen = true

Enable users to use AI Tagging + your site has external access

Ai_Add

Write access to the asset (only images)

Enable AI tagging functionality for metadata field = Keywords(10192) (Keywords must be autotranslate = true)

If you want AI tagging but don't have external access

Ai_Add

Write access to the asset (only images)

Enable AI tagging functionality for metadata field = Keywords(10192) (Keywords must be autotranslate = true)

Use local analysis for AI services = true

Enable CRUD of own saved searches

Saved_Searches_CRUD

Enable crop/trim (share it via email)

Asset_Can_Crop

Enable crop/trim + Replace original asset with crop/trim + Restore to an older version of an asset

Asset_Can_Crop

Asset_Can_Replace

Write access to the asset

Write access to the Uploads folder OR the Content folder (The option to restore requires "write access" to the Uploads folder)

Enable crop/trim + Make new child asset with crop/trim

Asset_Can_Crop

Asset_Can_Revise

Write access to the asset

Write access to the Uploads folder OR the Content folder

Have the filter open every time you access the MM

Automatically expand filter pane in asset list = true

Make all filters be expanded every time you access MM

Automatically expand filter pane in asset list = true

Automatically expand individual filters in asset list = true

Make asset ID shown

Show asset ID in asset list = true

Enable password reset

Enable the option to reset one's password = true

Enable self sign-up

where users can choose their own password

Enable self sign up = true

Template user for self sign up users = A user with all the rights, roles, and groups your users should have (User must be enabled)

Allow users to choose a password on signup = true

Auto-created user folder ID = the ID of the folder where you want your users to go.

Enable email verification for self-sign-up (when self-sign-up already is enabled)

where users can choose their own password

Enable self sign up = true

Template user for self sign up users = A user with all the rights, roles, and groups your users should have (User must be disabled)

Allow users to choose a password on signup = true

Verification when a user is created using self sign up = Email verification

Enable admin verification for self-sign-up (when self-sign-up already is enabled)

where users can choose their own password

Enable self sign up = true

Template user for self sign up users = A user with all the rights, roles, and groups your users should have (User must be disabled)

Allow users to choose a password on signup = true

Verification when a user is created using self sign up = Admin verification

Administrative verification email = the admin's email

Enable that refreshing MM will log one out

Enable persistent login = false

Enable reading other peoples' comments and annotations

Comment_View

Enable commenting and annotating

Comment_View

Comment_CRUD

Enable commenting and annotating + tagging other users

Comment_View

Comment_CRUD

Member_Viewer

Access the task list

Business_Workflow_Instance_View

Edit workflows

Business_Workflow_CRUD

Business_Workflow_View

Request download of an asset's predefined formats.

Can single download approved assets.

Can single download if bypassed with a bit field.

Business_Workflow_Instance_Transition

Business_Workflow_Instance_View

Asset_Can_Download

Download approval must be set up

The asset is "public" (no padlock)

Request download of an asset's predefined formats.

Can single download approved assets.

Can single and multi download if bypassed with a bit field.

Business_Workflow_Instance_Transition

Business_Workflow_Instance_View

Asset_Can_Download

Can_Live_Export_Asset_Only

Download approval must be set up

The asset is "public" (no padlock)

Request a custom-quality download

Business_Workflow_Instance_Transition

Business_Workflow_Instance_View

Asset_Can_Download_Custom_Quality

Download approval must be set up

The asset is "public" (no padlock)

Circumvent the download approval process

Download_Approval_Bypass

Download approval must be set up

Have enabled either standard or custom download

Approve or deny download requests

Business_Workflow_Instance_View

Business_Workflow_Instance_Transition

Download_Approval_Admin

You must be auto-assigned via the accompanying workflow as per the documentation

Enable copyright notification

Follow the documentation: In short, you need to set it up via the config manager settings + metadata settings

Circumvent the copyright notification

Copyright_Notification_Bypass

Have copyright notifications enabled

Upload both insecure and secure attachments on tasks.

Required for upload file constraints

FileRepository_Upload

View own and others' insecure attachments on tasks

FileRepository_Read

View insecure and own secure attachments on tasks

FileRepository_Read

The upload constraint you upload with must have the "secret" bit set to true

View own and others' secure attachments on tasks + insecure attachments

FileRepository_Read

FileRepository_Read_Secret

Enable intro screen

Choose intro screen mode: Splashscreen or Disclaimer

Enable configuration of the brand portals + styles

FileRepository_Upload

FileRepository_Delete

Can_configure_portals

Enable configuration of the brand portals + styles + folders

Warning: This allows for editing all tree nodes via the api.

FileRepository_Upload

FileRepository_Delete

Can_configure_portals

Can_edit_tree_nodes

Enable viewing of the brand portals

Can_view_portals

See other users in notifications.

Member_Viewer

Remove access to upload without setting upload required metadata fields

Upload_with_required_metadata

The metadata field has "Upload required" = enabled

The CCC (DACCC or Digizuite Adobe Creative Cloud Connector) requires all its users to have read access to assets + the following roles.

  • Creative_Cloud_Connector

  • Asset_Can_Download

  • Uploader

Features in CCC

Roles

Rights

ConfigManager

Check-out assets + check-in assets you've checked out yourself (This does not make sense if you do not have the replace role)

ItemCheckInOut_CRUD

Write access to the asset

Enable check-in/out = true

See who has checked out assets (both own and others')

Member_Viewer (OR Administrator)

Check-in assets that other people have checked out

Administrator

Member_Viewer

Upload active documents or, e.g., image files

MediaPortal_Upload

Write access to the "Upload" folder (Usually granted through the "Trusted" group)

Replace (INDD, PSD, AI, AEP, PRPROJ)

Asset_Can_Replace

Write access to the "Upload" folder (Usually granted through the "Trusted" group) (?)

Write access to the asset

Features in OC

Roles

Rights

ConfigManager

Insert asset

Asset_Can_Download

Image download qualities

Features in DC

Roles

Rights

ConfigManager

Upload only (e.g. for photographers)

Upload_Only

Write access to the Uploads folder

SuperAdministrator rights

Editor_SystemTools_AllwaysAllowItemSecurityEdit

  • No labels