By default, NetX's Permission system allows for adding permission entries based on a target (folder or asset) and a principal (all, group, or user). Enhanced ACL mode allows Administrators to further restrict the actions that built-in User Levels can carry out.
Once Enhanced ACL mode is enabled, the Permission type dropdown list will contain the following options:
- Read
- Download
- Add
- Edit
- Delete
- Standard
These types are used to limit the functionality of existing user levels within the context of a certain target (folder or individual asset). Each of the permission types is cumulative, meaning that for each type, the lower-level functions are included. For example, the ability to "edit" implies the ability to "add", etc.
For example, let's say that you have a Producer level user in the system, but you don't want that user to be able to edit assets within a certain folder. To do this, you can create a Download permission for the folder and assign it to the Producer level user, thus restricting their abilities so that they are only able to view and/or download the asset. Note that while these special permission types can be used to restrict user levels, they cannot be used to add functionality to a lower user level. For example, if you create an Edit permission and assign it to a Browser level user, the Browser user will not be able to see or execute Edit-level (Producer-level) actions.
Permission types
Listed below is a brief summary of how each permission type will interact with a given user level. Some unpermitted actions may be visible in the UI, but will fail—sometimes silently—if an attempt is made to execute them.
Read
- Access is unchanged for Browser level users.
- Access for user levels Consumer and higher is restricted to read-only (browse).
- Creating saved searches and collections will be permitted.
- Actions that will not be possible:
  - Will not be able to Download the asset Original, View or any version.
  - Will not be able to Create PDF.
  - Will not be able to alter the asset by any method.
  - Will not be able to repurpose assets.
  - Will not be able to edit Attribute values through Asset Detail, Quick Edit, Grid Edit.
  - Uploading to a folder with Read-only ACL will not be permitted for the target group or user.
  - Will not be able to add Versions, Views or create Relationships.
  - Will not be able to Move or Add asset to new folders (but Collections will be allowed, so long as permissions remain intact).
Download
- Access is unchanged for Browser and Consumer level users.
- Importer level or higher can:
  - Read
  - Download
  - Repurpose
  - Save searches
  - Create collections
- Actions that will NOT be possible:
  - Will not be able to alter the asset by any method (exception is creating a repurposed derivative).
  - Will not be able to edit Attribute values through Asset Detail, Quick Edit, Grid Edit, or even on upload (the act of uploading will also be blocked).
  - Will not be able to add Versions, Views or create Relationships (Links).
  - Will not be able to Move or Add asset to new folders.
Add
- Access is unchanged for Browser, Consumer, and Importer level users.
- Manager level or higher can:
  - Read
  - Download
  - Repurpose
  - Import
- Actions that will not be possible:
  - Will not be able to alter the asset by any method.
  - Will not be able to edit Attribute values through Asset Detail, Quick Edit, Grid Edit, or even on upload.
  - Will not be able to add Versions, Views or create Relationships (Links).
  - Will not be able to organize assets between folders.
Edit
- Access is unchanged for Browser, Consumer, Importer and Producer level users.
- Manager level or higher can:
  - Read
  - Download
  - Repurpose
  - Import
  - Update data
  - Add/Move assets to/from this folder
  - Add/Move folder
  - Add/Move/Create subfolder but not Delete.
- Actions that will NOT be possible:
  - Should not be able to Delete asset (however, users will be able to Move the asset to a folder that does allow delete).
Delete
- All users have unchanged functionality.
Standard
- All users have unchanged functionality.
Creating and editing enhanced ACL permissions
Setup
The following property is required to enable the enhanced ACL system:
Property | Description |
---|---|
image.aclEnhanced | If the value of this property is true, the ACL permission system is enabled. If the value of this property is false, the standard permission system is used. Value options: true / false. Requires restart? No |
Usage
- To create an Enhanced ACL permission, log on as an Administrator.
- Navigate to Systems (gear icon) and click Permissions.
- Click the Add Permission button to create a new permission.
- Define your permission settings:
  - Type: Read, Download, Add, Edit, Delete, Standard (see above for detailed descriptions of permission types).
  - Principal: Everyone (All users in the system), or a specific group or user.
  - Target: Specific name of the Folder or Asset that will be affected by the setting.
  - Recursive: When the Target is a folder, this determines whether the subfolder(s) of the Folder would also be affected by this permission setting.
- Once you have finished choosing your settings, click Submit.
Permissions order
When using enhanced ACLs, pay attention to the permission order — permissions higher up in the list take precedence over those below. For example, let's say there are two permissions that apply to a certain user and target; one is a Delete permission and one is a Read permission. If the Read permission is higher up on the list, it will take precedence over the Delete permission and the user will only have Read permissions to the target. For this reason, it's best practice to order your permissions from least restrictive to most restrictive — start with a wide funnel that gets narrower as it goes down the list.
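The two rules above (a permission type can restrict a user level but never raise it, and the entry higher in the list wins) can be modeled in a few lines. This is an added example, not NetX code: the per-level ceiling table is an assumption inferred from the "access is unchanged" lists, and the principal notation, folder paths, and the `shadowed` audit helper are hypothetical.

```python
from dataclasses import dataclass

# Cumulative permission types, in the order the page lists them.
TYPES = ["Read", "Download", "Add", "Edit", "Delete", "Standard"]
# Assumption: ceiling per user level, read off the "access is unchanged" lists.
CEILING = {"Browser": "Read", "Consumer": "Download", "Importer": "Add",
           "Producer": "Edit", "Manager": "Delete"}

@dataclass
class Permission:
    type: str
    principal: str          # "everyone", "group:<name>" or "user:<name>"
    target: str             # folder path (constructed notation)
    recursive: bool = False

def covers(p, folder):
    return folder == p.target or (p.recursive and folder.startswith(p.target + "/"))

def applies(p, user, groups, folder):
    principals = {"everyone", f"user:{user}"} | {f"group:{g}" for g in groups}
    return p.principal in principals and covers(p, folder)

def effective_type(permissions, user, level, groups, folder):
    """First matching entry wins; the result never exceeds the user level."""
    for p in permissions:                       # list order is precedence
        if applies(p, user, groups, folder):
            if p.type == "Standard":            # Standard leaves the level unchanged
                return CEILING[level]
            return min(p.type, CEILING[level], key=TYPES.index)
    return None   # no entry matches; the page does not describe this case

def shadowed(permissions):
    """Indexes of entries an earlier entry (same or 'everyone' principal,
    covering target) always pre-empts, so they can never take effect."""
    hits = []
    for j, later in enumerate(permissions):
        for earlier in permissions[:j]:
            same_who = earlier.principal in ("everyone", later.principal)
            same_where = covers(earlier, later.target) and (
                earlier.recursive or not later.recursive)
            if same_who and same_where:
                hits.append(j)
                break
    return hits

# Constructed ACL list: the Read entry sits above the Delete entry.
ACL = [Permission("Read", "group:agency", "Brand/Logos", recursive=True),
       Permission("Delete", "group:agency", "Brand/Logos"),
       Permission("Download", "user:pat", "Brand/Campaigns"),
       Permission("Edit", "everyone", "Brand/Press")]
```

Running `shadowed` over an exported permission list is a quick way to spot entries that were added below a broader one and therefore never apply.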