DC 5.10 Roles

General information

Roles can be added to users in three ways:

  1. Directly on the user (Role→User)
  2. Inherited via a group which the user is a part of (Role→GroupUser)
  3. Inherited via a group that has the role inherited from another group (Role→Group→Group→User) (Technically, you can have unlimited groups in groups - but the groups must never create a circular reference)

Users can simultaneously have roles added directly and roles inherited via groups - having the same role added twice (or multiple times) doesn't have an impact. Removing e.g. a group with a duplicate role - will still leave your user with the role.

Roles and groups that have been inherited, will be greyed out. (You also inherit download qualities, but our current implementation does not make them show up. In a perfect world, the inherited download qualities would show up as greyed out)

If you have duplicate roles then the role will have a (+) appended


List of roles

idRoleDescription
2UploaderThis role is obsolete
25Editor_SystemTools_ProfilesGives access to see and edit profiles in DAM administration view
27Editor_SystemTools_UserManager_UsersGives access to see and edit users in DAM administration view
29Editor_CatalogsGives access to edit catalog folders in DAM administration view
30Viewer_CatalogsGives access to see catalog folders in DAM administration view
36Editor_SystemTools_UserManager_GroupsGives access to see and edit groups in DAM administration view
37Editor_SystemTools_MetadataGives access to see and edit metadata definitions
38AdministratorAdministrator role used for all administration APIs
41Editor_SystemTools_DestinationsGives access to see and edit destinations in DAM administration view
42Editor_SystemTools_DamGives access to read catalog folders via the Digizuite Core API. Required to see automation definitions.
43Editor_SystemTools_DigizuiteConfigGives access to see and edit Digizuite constants in DAM administration view
44Editor_SystemTools_MediaFormatGives access to see and edit media formats in DAM administration view
45Editor_SystemTools_TranscodeSettingGives access to see and edit transcodes in DAM administration view
46Editor_PortalThis role is deprecated, but in use for the old API when editing channel folders. Only used in the DAM Administration view
50Editor_Portal_AdminSame as above (Editor_portal)
52RunningJobs_ViewGives access to see your own upload progress
54RunningJobs_ViewAllGives access to see all upload progress
55RunningJobs_EditOwnThis role is obsolete
57RunningJobs_EditAllThis role is obsolete
58RunningJobs_ChangePriorityThis role is obsolete
59RunningJobs_AdminViewSubmitXMLThis role is obsolete
60Uploader_ShowFolderSelectorThis role is obsolete
61Uploader_ReplaceWithArchiveThis role is obsolete
62Uploader_ReplaceWithoutArchiveThis role is obsolete
65Editor_SystemTools_ConfigThis role gives access to product configuration including searches, labels, and configuration
67VP3_Portal_Admin_StartScreenThis role is obsolete
68VP3_Portal_Admin_VideoSlidesThis role is obsolete
72ItemControlAdminThis role is obsolete
74Editor_SystemTools_AlwaysAllowItemSecurityEditThis role ignores all item security - use carefully!
76MediaPortal_Admin_StartScreenAllows editing of the start screen in Media Manager
77MediaPortal_Admin_UsersThis role is obsolete
78MediaPortal_Admin_LogThis role is obsolete
79MediaPortal_Admin_TrashThis role is obsolete
80MediaPortal_UserBasic user role that gives access to login into MediaManager
81MediaPortal_CollectionGives access to collections
82MediaPortal_UploaderGives access to upload from MediaManager
83MediaPortal_DownloaderThis role is obsolete
84Editor_SystemTools_PlayerTemplateThis role is obsolete
85Editor_SystemTools_StopwordsThis role gives access to edit stopwords for Search2
86Editor_SystemTools_LicenseThis role gives access to edit Digizuite licenses
87Editor_SystemTools_StatusThis role is obsolete
88Editor_SystemTools_WorkflowThis role is obsolete
90Editor_SystemTools_MediaFormatTypeThis role gives access to edit media format type setup
91Editor_SystemTools_MetaDataLanguageThis role gives access to managing languages
92MediaPortal_Asset_ReplacerThis role is obsolete
93MediaPortal_Asset_UnpublisherThis role is obsolete
94Upload_OnlyThis role is deprecated, but used in the Digizuite administration to restrict users to only see the upload dialog
95Member_ViewerThis role allows users to see information about other users
103Comments_CRUDGives access to see, add, delete and edit own comments
104Comments_ViewGives access to see comments
105Comments_Admin_DeleteGives access to delete all comments
106Asset_Can_DownloadGives access to download assets - Please note that download is controlled by a set of roles and download qualities
107Asset_Can_Download_Custom_QualityGives access to download custom download qualities if enabled by configuration
108Asset_Can_ReplaceAllows users to replace assets
109Asset_Can_ReviseAllows users to replace an asset with a trim or crop
110Asset_Can_CropAllows users to crop and trim assets
111AuditTrail_ViewAllows users to view audit trail for assets
112Ai_AddAllows users to use AI capabilities if enabled and configured
113Can_Change_Styling_And_ThemingAllows users to change the styling and theming when Brand portal is not enabled
114WorkStages_ViewThis role allows the user to see the statuses of tasks they're assigned to
115WorkStages_Edit_OthersThis role allows editing of asset status' they are not assigned to
116WorkStages_View_OthersThis role allows users to always see asset status
117GDPR_AdminAllows users to do GDPR actions
121Saved_Searches_CRUDGives access to saved searches
122Ai_TranslateGives access to use metadata translation APIs
123Integration_Endpoints_ViewAllows users to see integration endpoints
124Integration_Endpoints_CRUDAllows users to edit integration endpoints
125Asset_Can_Delete_PermanentlyAllows users to permanently delete assets
126Can_Edit_Automation_WorkflowAllows editing of automations
127Can_View_LogsAllows users to see system logs
128Can_View_Automation_Workflow_StatusAllows users to see the status of automations 
129Can_Live_Export_Assets_And_MetadataFull access for downloading and exporting assets and its metadata
130Can_Live_Export_Asset_OnlyGives access to download assets
131Can_Live_Export_Metadata_OnlyGives access to export metadata for assets
132Business_Workflow_ViewGives access to see the workflow definitions
133Business_Workflow_CRUDGives access to edit the workflow definitions
134Download_Approval_BypassIf download approval is enabled, this role bypasses it
135Download_Approval_AdminGives access to configure download approval
136Copyright_Notification_BypassIf copyright notification is enabled, this role bypasses it
138Youtube_AdminGives access to configure Youtube integrations
139Business_Workflow_Instance_View_OthersThis role allows the users to see tasks in Workflows they are not assigned to
140Asset_Can_Download_AnyBypasses all download rules
141Can_See_Grafana_ShortcutGives access to system monitoring
142Comments_Admin_UpdateGives access to edit all comments
143Business_Workflow_General_Transition_ExecutorAllows users to do transitions in workflow tasks that have no user constraints on transition
144Business_Workflow_Instance_DeleteAllows users to delete workflow tasks
147Business_Workflow_Instance_ViewAllows users to see workflow tasks they are assigned to
148Business_Workflow_Instance_TransitionAllows users to see transitions
149Business_Workflow_Instance_AssignAllows assigning workflow tasks to other people
150EditSsoAllows editing of SSO settings
151CanImpersonateAllows a user to create access keys for other users. Be careful with this role as it allows bumping user access. Should only be used for System user
152FileRepository_ReadUsed for files in workflows. This gives the users access to see attached files
153FileRepository_Read_SecretUsed for files in workflows. This gives the users access to see secret attached files
154FileRepository_UploadUsed for files in workflows. This gives the users access to see uploaded files
155FileRepository_DeleteUsed for files in workflows. This gives the users access to see delete uploaded files
156MailTemplates_CRUDAllows users to edit mail templates
157Can_Force_Job_Status_ChangeAllows users to change job status, for example restarting a failed job
158Can_Configure_MembersUsed in MediaManager to allow editing users. This is behind a feature flag in the current version. Will be available in the future
159Can_Rerun_WorkflowsThis allows users to run automations with a manual trigger
160ItemCheckInOut_CRUDThis gives access to check-in and check-out
161ChannelFolder_CRUDAllows the user to edit Channel folders. As of this release, this is a new API not being used in any UI and therefore this role is not needed by users
162ChannelFolder_ViewAllows the user to see Channel folders. As of this release, this is a new API not being used in any UI and therefore this role is not needed by users
163ConfigManagement_AdminAllows users to edit the configuration for products. This is a new API and is not available through UI yet.
170Creative_Cloud_ConnectorAllows users access to the Creative Cloud Connector
171Can_See_Generic_Job_StatusAllows users to see generic job status - for instance elastic re-indexing 
172Can_Admin_Accelerated_SearchAllows users to see the status for search administration in Media Manager
173Smart_Asset_Picker_ConnectorAllows users to use the embedded Media Manager UI
174Can_configure_portalsAllows editing of Digizuite portals. Requires FileRepository_Upload and FileRepository_Delete to work
175Can_view_portalsAllows users to see Digizuite portals
176Can_view_metadata_tabAllows users to see the metadata tab on asset details
177Can_view_related_assetsAllows users to see the related assets tab on asset details
178Can_manage_filters_and_fieldsAllows users to set up filters and free text searching. Requires Editor_systemTools_config to work
179Can_configure_external_sharingAllow users to configure external sharing. Requires Editor_systemTools_config to work
180Can_view_service_healthAllows users to see the health status of the DigizuiteCore services
181Asset_Can_ArchiveAllows users to archive (soft delete) assets
182Can_view_rabbit_healthAllows users to see the RabbitMQ queues
183Can_crud_rabbit_healthAllows users to perform move and pruge messages also create and delete temp queues in RabbitMQ
184Collection_Super_Administrator

Allows the user to access the apis defined under "DigizuiteCore/CollaborationService/api/collection/admin". These are currently only used by AW. So only the System user really needs this role, though by default it is given to the Super Administrator group. 

186Upload_with_required_metadataLimits the user to fill in all required metadata fields before an asset upload can be performed
187Can_crop_emailAllows the user to make a crop and e-mail it to someone
191Collection_can_share_mailAllows the user to share with an external e-mail (available from 5.6.1, but not enabled before 5.6.2) can be turned on through Media Manager Settings → collections → Enable external collection sharing
192Collection_can_share_zipAllows the user to share asset(s) as a zip (available from 5.6.1, but not enabled before 5.6.2) can be turned on through Media Manager Settings → collections → Enable external collection sharing
193Collection_can_share_userAllows the user to share collections with other users (available from 5.6.1, but not enabled before 5.6.2) can be turned on through Media Manager Settings → collections → Enable external collection sharing
194Collection_can_share_groupAllows the user to share with groups (available from 5.6.1) can be turned on through Media Manager Settings → collections → Enable external collection sharing
195Collection_can_share_linkAllows the user to share a collection as a link (available from 5.6.1, but not enabled before 5.6.2) can be turned on through Media Manager Settings → collections → Enable external collection sharing
196Can_Configure_ImporterAllows the user to configure the importer
197Can_change_passwordAllows the user to change it's own password
198Can_embed_assetsAllows the user to use the embed video feature
199Can_embed_assets_adminAllows the user to manage active embeds
200Can_edit_combo_nodesInstead of granting access individually per CV, this gives you write rights to all combo values. This role functions as an OR; adding this changes nothing if you already have write rights.
201Can_edit_tree_nodesInstead of granting access individually per tree, this gives you write rights to all tree nodes. This role functions as an OR; adding this changes nothing if you already have write rights. However, even if you have write rights to the MM folders, this is still required for users to edit MM folders via brand portal. 
203Analytics_viewerAllows the user to view analytics.
204Analytics_writerAllows the user to create, update, and delete dashboards.
205Formats_CRUDAllows the user to create, read, update, and delete formats. NB: Since users with this role can define image formats with custom ImageMagick commands, the role must only be given to very trusted users to avoid command injection attacks.


Features

The other way around - what roles and rights need to be added to enable a feature

MediaPortal_User is needed to access MM - so for all MM features below, it's given that MediaPortal_User is already enabled.

In a lot of instances, you also need read access to assets. I only scarcely add this as a right sometimes. Usually, it's self-evident that one should have read access to an asset to add it to a collection.

The Upload folder (46) is the default folder for uploading. This can be changed - and if changed, use this other folder instead.

For Keywords - Keywords (10192) is the default. This can of course also be changed - where you should use this new metadata field instead.

All users must have read rights to the following metafields:

  • .../Media Manager/is Public
  • .../Asset Info/Media Manager Menu
  • .../Tasks/Status
  • .../Tasks/Owner
  • .../Tasks/Message

Without these, recipients of shares can experience assets not loading.


Features in MM

RolesRightsConfigManager
Upload assets via MM + see "Your uploads".MediaPortal_Upload Write access to the "Upload" folder (Usually granted through the "Trusted" group)


Enable users to change their profile information

Enable users to see and edit their account information = True
Upload/change profile image via MMMediaPortal_Upload 

Enable profile images = True

Enable users to see and edit their account information = True

Restore old asset version via MMAsset_Can_ReplaceWrite access to the "Upload" folder (Usually granted through the "Trusted" group) (Having write access to Content does nothing)
Replace asset + See "Asset History" (Not audit trail)Asset_Can_ReplaceWrite access to the asset
See asset statuses + Enable the "My tasks" viewWorkStages_ViewRead access to the asset
Enable the "All tasks" view

WorkStages_View

WorkStages_View_Others

Read access to the asset
Change/set assets' statuses (on assets not already assigned to other users - Meaning only assets where you or none is assigned)

Member_Viewer

WorkStages_View

Write access to the asset

Write rights to the combo options in "Metadata → Asset → Shared → Tasks → Status" and then "Metadata field label → Edit combo values" (usually granted via trusted)


Change/set assets' statuses (regardless of who they're assigned to)

Member_Viewer

WorkStages_View

WorkStages_Edit_Others

Write access to the asset

Write rights to the combo options in "Metadata → Asset → Shared → Tasks → Status" and then "Metadata field label → Edit combo values" (usually granted via trusted)


PrintingAsset_Can_DownloadThe asset is "public" (no padlock)

Enable (single- and multi-) download of an asset's predefined qualities

Enable (single- and multi-) download of assets and metadata

Enable download of collections as a zip

Asset_Can_Download

Can_Live_Export_Assets_And_Metadata


The asset is "public" (no padlock)

Should be added to a group with download qualities: "Guest", "Light Users", "Content Creators", "Administrators", or "Super Administrators"


Enable (single- and multi-) download of an asset's predefined qualities

Enable (single- and multi-) download of metadata

Enable download of collections as a zip

Asset_Can_Download

Can_Live_Export_Metadata_Only


The asset is "public" (no padlock)

Should be added to a group with download qualities: "Guest", "Light Users", "Content Creators", "Administrators", or "Super Administrators"


Enable (single- and multi-) download of an asset's predefined qualities

Enable (single- and multi-) download of assets

Enable download of collections as a zip

Asset_Can_Download

Can_Live_Export_Asset_Only


The asset is "public" (no padlock)

Should be added to a group with download qualities: "Guest", "Light Users", "Content Creators", "Administrators", or "Super Administrators"


Download custom qualities

Asset_Can_Download

Asset_Can_Download_Custom_Quality

The asset is "public" (no padlock)

Custom quality color spaces = must have content

Custom quality image types = must have content

Enable custom quality download = true

Enable embed as a sharing option for videos

MediaPortal_Video_Embed

MediaPortal_Share

The "Embed player user" has read rights to the video assets

Choose available embed video sizes = must have content

Choose available embed video qualities = must have content

Embed player user = must have content (usually "Guest")

Enable sharing assets to/via collections (Create new, Add to existing)

MediaPortal_Share

MediaPortal_Collection

The asset is "public" (no padlock)
Add asset to own collection.MediaPortal_CollectionThe asset is "public" (no padlock)
Enable the ability to CRUD own collectionsMediaPortal_Collection

Enable ability to CRUD own collections + CRUD collections shared to oneself/OthersMediaPortal_Collection
Give new recipients of non-social collections (e.g. not Facebook collections) access to manipulate collections = true
Enable non-pre-existing users to read collections on an SSO siteMediaPortal_Collection
Allow shared collection users to bypass login required screen = true
Enable users to use AI Tagging + your site has external accessAi_Add

Write access to the asset (only images)

Enable AI tagging functionality for metadata field = Keywords(10192) (Keywords must be autotranslate = true)
If you want AI tagging but don't have external accessAi_Add

Write access to the asset (only images)

Enable AI tagging functionality for metadata field = Keywords(10192) (Keywords must be autotranslate = true)

Use local analysis for AI services = true

Enable CRUD of own saved searchesSaved_Searches_CRUD

Enable crop/trim (share it via email)

Asset_Can_Crop



Enable crop/trim + Replace original asset with crop/trim + Restore to an older version of an asset

Asset_Can_Crop

Asset_Can_Replace

Write access to the asset

Write access to the Uploads folder OR the Content folder (The option to restore requires "write access" to the Uploads folder)


Enable crop/trim + Make new child asset with crop/trim

Asset_Can_Crop

Asset_Can_Revise

Write access to the asset

Write access to the Uploads folder OR the Content folder


Have the filter open every time you access the MM

Automatically expand filter pane in asset list = true
Make all filters be expanded every time you access MM

Automatically expand filter pane in asset list = true

Automatically expand individual filters in asset list = true

Make asset ID shown

Show asset ID in asset list = true
Enable password reset

Enable the option to reset one's password = true

Enable self sign-up

where users can choose their own password



Enable self sign up = true

Template user for self sign up users = A user with all the rights, roles, and groups your users should have (User must be enabled)

Allow users to choose a password on signup = true

Auto-created user folder ID = the ID of the folder where you want your users to go.

Enable email verification for self-sign-up (when self-sign-up already is enabled)

where users can choose their own password



Enable self sign up = true

Template user for self sign up users = A user with all the rights, roles, and groups your users should have (User must be disabled)

Allow users to choose a password on signup = true

Verification when a user is created using self sign up = Email verification

Enable admin verification for self-sign-up (when self-sign-up already is enabled)

where users can choose their own password



Enable self sign up = true

Template user for self sign up users = A user with all the rights, roles, and groups your users should have (User must be disabled)

Allow users to choose a password on signup = true

Verification when a user is created using self sign up = Admin verification

Administrative verification email = the admin's email

Enable that refreshing MM will log one out

Enable persistent login = false
Enable reading other peoples' comments and annotationsComment_View

Enable commenting and annotating

Comment_View

Comment_CRUD



Enable commenting and annotating + tagging other users

Comment_View

Comment_CRUD

Member_Viewer



Access the task list

Business_Workflow_Instance_View



Edit workflows

Business_Workflow_CRUD

Business_Workflow_View



Request download of an asset's predefined formats.

Can single download approved assets.

Can single download if bypassed with a bit field.

Business_Workflow_Instance_Transition

Business_Workflow_Instance_View

Asset_Can_Download

Download approval must be set up

The asset is "public" (no padlock)


Request download of an asset's predefined formats.

Can single download approved assets.

Can single and multi download if bypassed with a bit field.

Business_Workflow_Instance_Transition

Business_Workflow_Instance_View

Asset_Can_Download

Can_Live_Export_Asset_Only

Download approval must be set up

The asset is "public" (no padlock)


Request a custom-quality download

Business_Workflow_Instance_Transition

Business_Workflow_Instance_View

Asset_Can_Download_Custom_Quality

Download approval must be set up

The asset is "public" (no padlock)


Circumvent the download approval processDownload_Approval_Bypass

Download approval must be set up

Have enabled either standard or custom download


Approve or deny download requests

Business_Workflow_Instance_View

Business_Workflow_Instance_Transition

Download_Approval_Admin

You must be auto-assigned via the accompanying workflow as per the documentation
Enable copyright notification
Follow the documentation: In short, you need to set it up via the config manager settings + metadata settings



Circumvent the copyright notificationCopyright_Notification_BypassHave copyright notifications enabled

Upload both insecure and secure attachments on tasks.

Required for upload file constraints

FileRepository_Upload



View own and others' insecure attachments on tasks

FileRepository_Read



View insecure and own secure attachments on tasks

FileRepository_Read

The upload constraint you upload with must have the "secret" bit set to true


View own and others' secure attachments on tasks + insecure attachments

FileRepository_Read

FileRepository_Read_Secret



Enable intro screen

Choose intro screen mode: Splashscreen or Disclaimer
Enable configuration of the brand portals + styles

FileRepository_Upload

FileRepository_Delete

Can_configure_portals



Enable configuration of the brand portals + styles + folders

Warning: This allows for editing all tree nodes via the api.


FileRepository_Upload

FileRepository_Delete

Can_configure_portals

Can_edit_tree_nodes



Enable viewing of the brand portalsCan_view_portals

See other users in notifications.Member_Viewer

Remove access to upload without setting upload required metadata fieldsUpload_with_required_metadataThe metadata field has "Upload required" = enabled



The CCC (DACCC or Digizuite Adobe Creative Cloud Connector) requires all its users to have read access to assets + the following roles.

  • Creative_Cloud_Connector
  • Asset_Can_Download
  • Uploader


Features in CCC

RolesRightsConfigManager
Check-out assets + check-in assets you've checked out yourself (This does not make sense if you do not have the replace role)ItemCheckInOut_CRUDWrite access to the assetEnable check-in/out = true
See who has checked out assets (both own and others')Member_Viewer (OR Administrator)

Check-in assets that other people have checked out

Administrator

Member_Viewer



Upload active documents or, e.g., image filesMediaPortal_UploadWrite access to the "Upload" folder (Usually granted through the "Trusted" group)
Replace (INDD, PSD, AI, AEP, PRPROJ)Asset_Can_Replace

Write access to the "Upload" folder (Usually granted through the "Trusted" group) (?)

Write access to the asset


Features in OC

RolesRightsConfigManager
Insert assetAsset_Can_DownloadImage download qualities

Features in DC

RolesRightsConfigManager
Upload only (e.g. for photographers)Upload_OnlyWrite access to the Uploads folder
SuperAdministrator rightsEditor_SystemTools_AllwaysAllowItemSecurityEdit