Roles are used to define who is allowed to do what in iconik.

Each API endpoint has a role that is needed to be able to perform an action on it. User Groups are then given these roles to be able to use those API endpoints.


Deleting an Asset requires having the specific role _delete_asset to be able to perform this. When a user uses the API, they must have this role on a Group that they are a member of. Without it they will not be able to make a successful request.

In the iconik web frontend, the roles that user's have from their User Group membership are checked. If they do not have the role for deleting assets iconik do not show the Delete functionality as they would not be able to perform it anyway.

Roles Tips

To give the user's groups the relevant permissions on what they should be able to download, change the roles on that group as needed:

  • Download any assets format: canreadasset + canreadformats + canreadfiles.
  • Download assets proxies only: canreadasset + canreadformats.
  • Disable ability to download: canreadasset.

Learn more