DC 5.2.0 3.9 Roles


Roles can be added to users in two ways:

  1. Directly on the user
  2. Inherited via a group which the user is a part of

As of 5.2.0, groups can also inherit roles via other groups, meaning that users can also inherit their roles (and rights for that matter) via a group that inherits from another group.

Users can simultaneously have roles added directly and roles inherited via groups.

✓✗


CRUD
CreateMake new things
ReadRetrieve existing things
UpdateChange existing things
DeleteDelete existing things
#

Roles

DCMMMarked for deletion by:Description
1AdministratorLSNot implemented - to be deleted
2Ai_Add

Enables you to use AI tagging on images. Requires additional setup if you don't want to use Digizuite's Azure account for it. Requires an EditMultiComboVlaue to be defined in MM's config manager.

3Ai_Translate
Not yet implemented
4Asset_Can_Crop
Is the gateway to use crop. On its own, it only supports sending out "crops" via email. This role can be combined with "Asset_Can_Revise" to make an asset have crops as children - and "Asset_Can_Replace" which enables the crop to supersede the asset being cropped-
5Asset_Can_Delete_Permanently
Enables one to remove an asset + all its metadata from all places (storage, Azure storage, database)
6Asset_Can_Download

Enables one to download an asset and print published assets (assets without a lock).

You need to have download qualities added, to be able to download assets. These are assigned via groups. Groups with download qualities are: "Guest", "Light Users", "Content Creators", "Administrators", and "Super Administrators"

7Asset_Can_Download_Custom_Quality
Gives one the option to download an asset in either another colorspace (e.g. sRGB, greyscale) or another filetype (jpg, png)
8Asset_Can_Replace
Enables assets to be replaced via the MM. It requires "write rights" to the asset to work. It also allows for assets to be replaced by crops + it enables restoring older versions of the asset via the "Asset history" (Effectively reverting a replace)
9Asset_Can_Revise
Enables one to make crops into child assets
10AuditTrail_View
Enables one to look at all assets' audit trail (basically metadata history). Please be aware that very few things are "audited" out of the box
11Can_Change_Styling_And_Theming
Gives one the ability to change the channel's logo and color (theming/styling) via the MM
12Can_Edit_Automation_Workflow
Allows the user to edit automation workflows
13Can_Live_Export_Asset_Only
Allows the user to create an export that contains only assets
14Can_Live_Export_Assets_And_Metadata
Allows the user to create an export that contains both assets and metadata
15Can_Live_Export_Metadata_Only
Allows the user to create an export that contains only metadata
16Can_View_Automation_Workflow_Status
Allows the user to view the status of running workflows
17Can_View_Logs
Allows the user to view some logs directly in the MM UI
18Can_Force_Unlock_Office_Document (Added with OC)
Enables one to remove a lock off of a locked Office document. If an Office asset is locked, then opening it via the Office Connector will not enable one to update/replace the asset via the connector. If the asset is unlocked, one can update/replace an asset.
19Can_Open_Office_Documents (Added with OC)
Enables one to open Office documents in the Office Connector via the MM. Supports PowerPoints, Word, and Excel formats (incl. macros and templates) 
20Comments_Admin_Delete
Enables one to Delete other peoples' comments - e.g. to remove spam
21Comments_CRUD
Enables one to Create, Read (all), Update (your own), Delete (your own) comments
22Comment_View
Enables one to Read all comments
23

Editor_Catalogs


Enables "Catalog" in the left side menu
24

Editor_Portal


Enables "Channels" in the left side menu
25Editor_Portal_AdminLSDoes nothing beyond what "Editor_Portal" already does. Deprecated.
26

Editor_SystemTools_AllwaysAllowItemSecurityEdit


Gives you read access to everything you've added - e.g. makes all Catalog and Channel folders appear if you've added "Editor_Catalogs" and "Editor_Portal".

It only in the DC - It does not give you read access to the added assets in the MM, even though you seemingly have read access to them when you look at it Channels in DC.

With this, you can give yourself (and others) write access to folders you don't have write access to.

It also adds "System Tools" to the left side menu - but it is blank - meaning that there are not any system tools in it.

It opens up for access to content in Media Manager. Here this role gives you high-level access.

27

Editor_SystemTools_Config


Enables System Tools → ConfigManager
28

Editor_SystemTools_Dam


Enables one to select all catalog and channel folders in System tools → Workflow → AssetSyncFolder → "Sync rootfolder"/"Destination folder". Without this role, one can only select folders that you have read-access to.

29

Editor_SystemTools_Destinations


Enables System Tools → Destinations
30

Editor_SystemTools_DigizuiteConfig


Enables System Tools → Digizuite™ configuration AND Enables System Tools → Asset type configuration
31

Editor_SystemTools_License


Enables System Tools → License
32

Editor_SystemTools_MediaFormat


Enables System Tools → Formats
33

Editor_SystemTools_MediaFormatType


Enables System Tools → Format types
34

Editor_SystemTools_Metadata


Enables System Tools → Metadata
35

Editor_SystemTools_MetaDataLanguage


Enables System Tools → Language
36

Editor_SystemTools_PlayerTemplate

LSDeprecated with the deprecation of player templates. There is a cleanup task already for player template.
37

Editor_SystemTools_Profiles


Enables System Tools → Profiles
38

Editor_SystemTools_Status


Enables System Tools → Status
39

Editor_SystemTools_Stopwords


Enables System Tools → Search stop words
40

Editor_SystemTools_TranscodeSetting


Enables System Tools → Transcode settings
41

Editor_SystemTools_UserManager_Groups


Enables System Tools → Users and groups → Groups
42

Editor_SystemTools_UserManager_Users


Enables System Tools → Users and groups → Users
43

Editor_SystemTools_Workflow


Enables System Tools → Workflow
44GDPR_Admin
It gives you the right to Read and Delete other users' data. There is no UI for this.
45Integration_Endpoints_CRUD
Gives one the ability to Create, Read, Update, Delete integration endpoints
46Integration_Endpoints_View
Gives one the ability to Read existing integration endpoints
47ItemControlAdminLSUnused.
48MediaPortal_Admin_LogSFNot implemented - to be deleted
49

MediaPortal_Admin_StartScreen


Enables one to change the start screen from the MM
50MediaPortal_Admin_TrashSFNot implemented - to be deleted
51MediaPortal_Admin_UsersSFNot implemented - to be deleted
52

MediaPortal_Asset_Replacer

SFNot implemented - to be deleted - Use "Asset_Can_Replace" instead
53

MediaPortal_Asset_Unpublisher

SFNot implemented - to be deleted
54MediaPortal_Can_Preview_Office
Enables one to use Online Office to preview Office documents. This requires the site to be accessible from the outside (i.e. only works on sites where VPN isn't needed to access the site). It can be accessed by previewing, the same way you would an image.
55

MediaPortal_Collection


Enables users to Create, Update (their own), and Delete (their own) collections. All users can Read collections - though they have to be accessed via mail
56MediaPortal_CustomQualitySFNot implemented - to be deleted - Use "Asset_Can_Download_Custom_Quality" instead
57MediaPortal_DownloaderSFNot implemented - to be deleted - Use "Asset_Can_Download" instead
58MediaPortal_Edit_AccountSFNot implemented - to be deleted
59

MediaPortal_Member_Viewer


Allows the user to see other members of the portal (e.g. during the "asset status", "comment", and "sharing" processes, where it's needed to see internal users)
60MediaPortal_See_Asset_Info_DefaultSFNot implemented - to be deleted
61MediaPortal_See_Profile_ImagesSFNot implemented - to be deleted - Use config manager instead
62MediaPortal_See_Uploader_NameSFNot implemented - to be deleted - Use config manager instead
63MediaPortal_Share

Enables one to share via the MM UI. Enabling this gives you the ability to share assets via: URL, Zip (email), social media - and if collections are enabled one can also share assets via: New collection (create new), and Existing collection (add to existing).

If collections are enabled, one can share them via: Zip (a package over mail), Social media, and Collection (give people rights to preview the collection from MM)

If the following is enabled "Give new recipients of non-social collections (e.g. not Facebook collections) access to manipulate collections:" via config manager, the recipient will be able to CRUD the collection, else the recipient will only be able to Read the collection.

Sharing over social media makes the shared asset publicly available. One needs to manually revoke the read rights on the asset level, to make it internal again.

64

MediaPortal_Uploader


Gives one the ability to upload via the MM (one still needs "write rights" to the Upload folder though - the "Trusted" role will give you this) + shows the "your uploads"
65

MediaPortal_User


Required to access to MM
66MediaPortal_Video_Embed

Requires "MediaPortal_Share" + some settings in CondigManager to work (See the table in the bottom of this page - ctrl+f "embed")

Adds embed as a sharing option. It only works with videos.

67

RunningJobs_AdminViewSubmitXML


Makes "Create XML" show in the "Info" tab. Requires at least
68

RunningJobs_ChangePriority


Might be reintroduced in the future
69

RunningJobs_EditAll


Gives you Write rights to all jobs in "Running jobs". It gives you the ability to press "Upload again" and "Retry". It does not require "RunningJobs_EditOwn" in order to work.

Requires "RunningJobs_View" - else you won't see any jobs. 

70

RunningJobs_EditOwn


Gives you Write rights to all jobs in "Running jobs" → "[Your user]". It gives you the ability to press "Upload again" and "Retry".

Requires "RunningJobs_ViewAll" - else you won't see any jobs.

71

RunningJobs_View


It gives you the ability to see your own running jobs. With this, you'll also be able to see how many jobs are failed/waiting/running - just now which jobs it is and who's jobs it is. Only gives Read access.
72

RunningJobs_ViewAll


Gives you Read access to all running jobs. Meaning that you cannot e.g. restart them if you've failed. Doesn't require "RunningJobs_View" in order to work.
73Saved_Searches_CRUD
Enables one to CRUD one's own saved searches. One can also share them without having the "share role" enabled
74Upload_Only
If this is enabled, accessing the DC will put you into a "write-only" mode - e.g. for photographers, who should not have read access but write access. Requires "write access" to the Uploads folder in order to work.
75UploaderLSUnused.
76Uploader_ReplaceWithArchiveLSUnused.
77Uploader_ReplaceWithoutArchive
It enables a user to replace assets without archiving the old version. Cannot be accessed via the UI
78

Uploader_ShowFolderSelector


Only implemented in DFS. Is used to give users access to upload to the catalog area while using the embedded upload component

79Viewer_CatalogsLSDoes nothing beyond what Editor_Catalogs already does. Deprecated.
80VP3_Portal_Admin_StartScreenSFNot implemented - to be deleted
81VP3_Portal_Admin_VideoSlidesSFNot implemented - to be deleted
82WorkStages_Edit_Others
Enables you to change statuses on assets that are assigned to other users than yours.
83WorkStages_View
Enables you to get the "Asset Status --> My tasks"
84WorkStages_View_Others
Enables you to get the "Asset Status --> All tasks". It requires that "WorkStages_View" is also set to work.

Note: If both Uploader_ReplaceWithArchive and Uploader_ReplaceWithoutArchive are enabled the user will be asked what he wants to do with the old asset: archive it or delete it.

Features

The other way around - what roles and rights need to be added to enable a feature

MediaPortal_User is needed to access MM - so for all MM features below, it's given that MediaPortal_User is already enabled.

In a lot of instances, you also need read access to assets. I only scarcely add this as a right sometimes. Usually, it's self-evident that one should have read access to an asset to add it to a collection.

The Upload folder (46) is the default folder for uploading. This can be changed - and if changed, use this other folder instead.

For Keywords - Keywords (10192) is default. This can of course also be changed - where you should use this new metadata field instead.

Green = Done

Features in MMRolesRightsConfigManager
Upload assets via MM + see "Your uploads"MediaPortal_Upload Write access to "Upload" folder (Usually granted through the "Trusted" group)


Enable users to change their profile information

Enable users to see and edit their account information = True
Upload/change profile image via MMMediaPortal_Upload 

Enable profile images = True

Enable users to see and edit their account information = True

Restore old asset version via MMAsset_Can_ReplaceWrite access to "Upload" folder (Usually granted through the "Trusted" group) (Having write access to Content does nothing)
Replace asset + See "Asset History" (Not audit trail)Asset_Can_ReplaceWrite access to the asset
See asset statuses + Enable the "My tasks" viewWorkStages_ViewRead access to the asset
Enable the "All tasks" view

WorkStages_View

WorkStages_View_Others

Read access to the asset
Change/set assets' statuses (on assets not already assigned to other users - Meaning only assets where you or none is assigned)

MediaPortal_Member_Viewer

WorkStages_View

Write access to the asset

Write rights to the metadata fields in "Metadata > Asset > Shared > Tasks" (usually granted via trusted)


Change/set assets' statuses (regardless of who they're assigned to)

MediaPortal_Member_Viewer

WorkStages_View

WorkStages_Edit_Others

Write access to the asset

Write rights to the metadata fields in "Metadata > Asset > Shared > Tasks" (usually granted via trusted)


PrintingAsset_Can_DownloadThe asset is "public" (no padlock)
Download predefined qualitiesAsset_Can_Download

The asset is "public" (no padlock)

Should be added to a group with download qualities: "Guest", "Light Users", "Content Creators", "Administrators", or "Super Administrators"

Custom quality color spaces = must have content

Custom quality image types = must have content

Enable custom quality download = true

Download custom qualities

Asset_Can_Download

Asset_Can_Download_Custom_Quality

The asset is "public" (no padlock)
Enable sharing (URL, ZIP, Social)MediaPortal_SharingThe asset is "public" (no padlock)
Enable embed as a sharing option for videos

MediaPortal_Video_Embed

MediaPortal_Sharing


Choose available embed video sizes = must have content

Choose available embed video qualities = must have content

Embed player user = must have content (usually "Guest")

Enable sharing assets to/via collections (Create new, Add to existing)

MediaPortal_Sharing

MediaPortal_Collection

The asset is "public" (no padlock)
Add asset to own collectionMediaPortal_CollectionThe asset is "public" (no padlock)
Enable ability to CRUD own collectionsMediaPortal_Collection

Enable ability to CRUD own collections + CRUD collections shared to oneself/OthersMediaPortal_Collection
Give new recipients of non-social collections (e.g. not Facebook collections) access to manipulate collections = true
Enable non-preexisting users to read collections on an SSO siteMediaPortal_Collection
Allow shared collection users to bypass login required screen = true
Enable user to use AI Tagging + your site has external accessAi_Add

Write access to the asset (only images)

Enable AI tagging functionality for metadata field = Keywords(10192) (Keywords must be autotranslate = true)
If you want AI tagging but don't have external accessAi_Add

Write access to the asset (only images)

Enable AI tagging functionality for metadata field = Keywords(10192) (Keywords must be autotranslate = true)

Use local analysis for AI services = true

Enable CRUD of own saved searchesSaved_Searches_CRUD

Enable crop/trim (share it via email)

Asset_Can_Crop

Asset_Can_Replace OR Asset_Can_Revise




Enable crop/trim + Replace original asset with crop/trim

Asset_Can_Crop

Asset_Can_Replace

Write access to the asset

Write access to the Uploads folder OR the Content folder (The option to restore requires "write access" to the Uploads folder)


Enable crop/trim + Make new child asset with crop/trim

Asset_Can_Crop

Asset_Can_Revise

Write access to the asset

Write access to the Uploads folder OR the Content folder


Have filter open every time you access the MM

Automatically expand filter pane in asset list = true
Make all filters be expanded every time you access MM

Automatically expand filter pane in asset list = true

Automatically expand individual filters in asset list = true

Make asset ID shown

Show asset ID in asset list = true
Enable password reset

Enable the option to reset one's password = true

Enable self sign-up

where users can choose their own password



Enable self sign up = true

Template user for self sign up users = A user with all the rights, roles, and groups your users should have (User must be enabled)

Allow users to chose a password on signup = true

Auto created user folder ID = the ID of the folder where you want your users to go.

Enable email verification for self-sign up (when self sign-up already is enabled)

where users can choose their own password



Enable self sign up = true

Template user for self sign up users = A user with all the rights, roles, and groups your users should have (User must be disabled)

Allow users to chose a password on signup = true

Verification when a user is created using self sign up = Email verification

Enable admin verification for self-sign up (when self sign-up already is enabled)

where users can choose their own password



Enable self sign up = true

Template user for self sign up users = A user with all the rights, roles, and groups your users should have (User must be disabled)

Allow users to chose a password on signup = true

Verification when a user is created using self sign up = Admin verification

Administrative verification email = the admin's email

Enable that refreshing MM will log one out

Enable persistent login = false
Enable multi-download of assets

Asset_Can_Download

Can_Live_Export_Asset_Only

Should be added to a group with download qualities: "Guest", "Light Users", "Content Creators", "Administrators", or "Super Administrators"
Enable multi-download of metadata

Asset_Can_Download

Can_Live_Export_Metadata_Only

Should be added to a group with download qualities: "Guest", "Light Users", "Content Creators", "Administrators", or "Super Administrators"
Enable multi-download of assets and metadata

Asset_Can_Download

Can_Live_Export_Assets_And_Metadata

Should be added to a group with download qualities: "Guest", "Light Users", "Content Creators", "Administrators", or "Super Administrators"
Features in DCRolesRightsConfigManager
Upload only (e.g. for photographers)Upload_OnlyWrite access to the Uploads folder
SuperAdministrator rightsEditor_SystemTools_AllwaysAllowItemSecurityEdit