Is it possible to restrict what a user can do with an asset?
Yes. An Administrator can do this using a combination of Roles and Access Control on assets and collections.
Only allow viewing of assets
For example, if you have a user, Jenny, and you would like Jenny to be able to see an asset but not download it, edit its metadata or delete it, you can put Jenny into a User Group that has restricted roles. Jenny should not be in any other group that has more roles, because she inherits all the roles from all the groups that she is in.
So we create a User Group "Restricted Users", and for its Roles we pick:
- can read approval request
- can read assets
- can read assets history
- can read asset relations
- can read asset subtitles
- can read collections
- can read custom actions
- can read discovery entities
- can read files
- can read formats
- can read metadata categories
- can read metadata fields
- can read metadata values
- can read metadata views
- can read notifications
- can read notification settings
- can read proxies
- can read saved searches
- can read search history
- can read segments
- can read shares
- can read users
- can search
We then save the group, and go to the user Jenny and add this group to her. We could set it as the primary group if she doesn't have any other groups. Do the same for the other users that require the same restrictions.
Finally, we want to let her have access to content. For each asset that you want her to see, set an Access Control on the asset that gives the User Group "Restricted Users" READ permission. You can learn how to do this on assets and collections.
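Because a user inherits the roles of every group they belong to, it is worth checking that nobody meant to be view-only has picked up extra roles through a second group. The following is an added example, not part of the original page or the product's own tooling: it audits a constructed export of groups and memberships against the view-only list above. The "Commenters" and "Editors" groups, the user names and the data layout are assumptions.

```python
"""Audit effective roles against the view-only baseline (added example)."""

# Role names copied from the "Restricted Users" list on this page.
_ROLE_TEXT = """
can read approval request, can read assets, can read assets history,
can read asset relations, can read asset subtitles, can read collections,
can read custom actions, can read discovery entities, can read files,
can read formats, can read metadata categories, can read metadata fields,
can read metadata values, can read metadata views, can read notifications,
can read notification settings, can read proxies, can read saved searches,
can read search history, can read segments, can read shares, can read users,
can search
"""
VIEW_ONLY_ROLES = frozenset(" ".join(r.split()) for r in _ROLE_TEXT.split(","))


def audit(users, group_roles, baseline=VIEW_ONLY_ROLES):
    """Return {user: {extra_role: [granting groups]}} for users whose
    combined roles (union over all their groups) exceed the baseline."""
    findings = {}
    for user, groups in users.items():
        extra = {}
        for group in groups:
            for role in group_roles.get(group, ()):
                if role not in baseline:
                    extra.setdefault(role, []).append(group)
        if extra:
            findings[user] = {r: sorted(g) for r, g in extra.items()}
    return findings


# Constructed sample data: a hypothetical export of groups and memberships.
GROUP_ROLES = {
    "Restricted Users": set(VIEW_ONLY_ROLES),
    "Commenters": {"can create segments"},
    "Editors": {"can read assets", "can write assets", "can create assets"},
}
USERS = {
    "jenny": ["Restricted Users"],
    "sam": ["Restricted Users", "Editors"],  # second group widens access
}

if __name__ == "__main__":
    for user, extra in audit(USERS, GROUP_ROLES).items():
        for role, groups in sorted(extra.items()):
            print(f"{user}: '{role}' granted via {', '.join(groups)}")
```

Pass a wider `baseline` (for example the view-only set plus "can create segments") when auditing users who are also meant to comment.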
Allowing commenting
If you would like to enable commenting in addition to the above, enable the following extra role. This could be in another group that you apply to the user.
- can create segments
Allowing upload
If you want to allow the user to upload, add the following roles in addition to the main roles above.
- can write assets
- can create assets
- can create formats
- can create transcode jobs
- can write formats
- can write files
- can write jobs
- can read storages
- web can upload
If you have set up the system so that it requires metadata upon upload, then you also need to add the roles listed for "Allow editing metadata".
Restricting upload locations
You can restrict users from uploading using a combination of Roles and ACLs.
Restricting upload to the top level of a storage
If you want your users to upload only to collections, make sure that the users don't have the role "Web can top level upload".
Restricting upload to certain storages
If you have multiple storages, you can use ACLs at the storage level to restrict who is allowed to access those storages and upload to them.