Access Control (ACLs)
Access control defines whether a single User or a user in a User Group has the rights to view, change or delete an entity such as an Asset, Collection, Storage or Metadata View.
Admins can always change who has access. A user who has the correct roles or Access Control themselves can also change the Access Control for other Users or User Groups.
Access control is defined using the Access Control Lists for entities such as Assets, Metadata Views, Storage, Transcoders, Export Locations and Collections. It is usually changed where you manage those entities, such as the Admin page for Storage, Transcoders or Export Locations, or the Asset/Collection page for Assets and Collections.
Access Control Lists can also be grouped together into ACL Templates, which can then be used to provide a set of permissions to incoming Assets from a storage, or entities that a User in a Group creates.
ACL Templates group together Access Control Lists so that Access can be easily defined and applied to Assets and other entities being created by users in a user group, or Assets and Collections that are created from files coming in from Storages such as Cloud Storage or the iconik Storage Gateway.
The Permission Template is used when an Asset or Collection is created. Retroactively editing or removing a Permission Template doesn't change any Permission or ACL of any Asset, Collection or other entity that had its ACLs set by the Template.
Up to 1000 Collections in your system can have Access Control Lists that automatically propagate to content that is added to that collection. We call this Inherited ACLs - because the Assets or Sub-Collections inherit the ACLs from the "parent" collection.
The Assets or Sub-Collections can also have their own ACLs, to further define who is allowed to view them.
iconik's Access Controls always define who has access and what level of access; they never remove access. Take this design into consideration when building up a collection tree of access to collections and sub-collections. Start with the minimal amount of access needed on the parent collections to be able to perform the work needed; you can always add more permissions further down the tree.
iconik doesn't implement negative ACLs (ACLs which disallow access), as this design can quickly become hard to manage with thousands of collections and millions of assets, particularly when serving up search results to users and having to take into account which assets and collections a particular user is allowed to view.
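The additive inheritance described above, as an added example that is not iconik code or the iconik API: a simplified Python model that computes a principal's effective permissions on an entity and records which entity granted each one, so an over-broad grant on a parent collection can be traced. The entity names, group names and the single-parent tree are constructed assumptions; only the view/change/delete rights and the "grants only add up" rule come from the text.

```python
from collections import defaultdict

# Constructed sample data for a simplified model (not iconik's schema).
# PARENT maps each entity to the collection containing it (None = top level).
PARENT = {
    "projects": None,
    "projects/client-a": "projects",
    "projects/client-a/rough-cut.mov": "projects/client-a",
}

# ACLS[entity][principal] = permissions granted directly on that entity.
ACLS = {
    "projects": {
        "group:editors": {"view"},
        "group:freelancers": {"view", "delete"},  # over-broad grant at the top
    },
    "projects/client-a": {"group:editors": {"change"}},
    "projects/client-a/rough-cut.mov": {"group:freelancers": {"view"}},
}


def effective_permissions(entity, principal):
    """Return {permission: [entities granting it]}, nearest entity first.

    Grants only accumulate while walking up the tree: with no negative
    ACLs, nothing lower down can take away what an ancestor granted.
    """
    sources = defaultdict(list)
    seen = set()
    node = entity
    while node is not None and node not in seen:  # 'seen' guards against cycles
        seen.add(node)
        for perm in ACLS.get(node, {}).get(principal, ()):
            sources[perm].append(node)
        node = PARENT.get(node)
    return dict(sources)


def inherited_only(entity, principal):
    """Permissions held on 'entity' purely through parent collections."""
    perms = effective_permissions(entity, principal)
    return {p: src for p, src in perms.items() if entity not in src}
```

Here the asset's own ACL gives the freelancers group only view, yet the group can still delete it because of the grant on the top-level collection; the only fix in an additive model is to narrow the parent grant.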