Understanding User Group Roles
Most actions in the iconik user interface make calls to the iconik API. When you enter metadata, make a comment or perform an upload, the interface sends commands to the API, and the right to perform these actions is controlled with Roles.
The User Interface only shows the options that your roles allow. So if you don't have the roles which allow upload, you will not see the upload functionality.
When using iconik and comparing it to the documentation, please be aware that certain functionality is only available to users with the correct role.
The type of user also restricts the available roles, as described below. Note that Standard Users can have all Browse Only user roles, and Power Users can have all roles.
If you give a user a can_create role, make sure you also give the corresponding can_write role. Also, giving write access does not automatically give read access, so that also needs to be added.
Note that the user also requires ACL access to the Assets, Collections, etc. that they are trying to interact with; having the role alone is not enough.
How to edit roles on a User Group is covered under Roles Admin.
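The rules above can be checked mechanically before a role set is assigned to a group. The following is an added example, not iconik code: the catalogue is a constructed subset of the role tables below, and the user type keys and the `audit_roles` function are hypothetical names.

```python
# Added example: lint one User Group's role list against the rules on this page.
# CATALOGUE is a constructed subset of the role tables; the user type keys
# ("browse_only", "standard", "power") are hypothetical names for the three types.
TIER = {"browse_only": 0, "standard": 1, "power": 2}

CATALOGUE = {  # role -> lowest user type whose table lists it
    "can_read_acls": "browse_only",
    "can_read_segments": "browse_only",
    "can_write_segments": "browse_only",
    "can_create_segments": "browse_only",
    "can_read_assets": "browse_only",
    "can_write_assets": "standard",
    "can_create_assets": "standard",
    "can_read_collections": "browse_only",
    "can_write_collections": "standard",
    "can_create_collections": "standard",
    "can_create_subclips": "standard",  # page lists no can_write_subclips
    "can_read_users": "power",
    "can_write_users": "power",
    "can_create_users": "power",
}

# can_create_X needs can_write_X, and write does not imply read.
COMPANIONS = {"can_create_": ("can_write_", "can_read_"), "can_write_": ("can_read_",)}


def audit_roles(user_type, roles):
    """Return findings for one role set, in role-name order."""
    granted = set(roles)
    findings = []
    if "can_read_acls" not in granted:
        findings.append("can_read_acls: missing (required for access to anything)")
    for role in sorted(granted):
        if role not in CATALOGUE:
            findings.append(f"{role}: not in catalogue subset")
            continue
        if TIER[CATALOGUE[role]] > TIER[user_type]:
            findings.append(f"{role}: not available to {user_type} users")
        for prefix, needed in COMPANIONS.items():
            if not role.startswith(prefix):
                continue
            for other in needed:
                companion = other + role[len(prefix):]
                # Flag only companions that exist as roles in the catalogue.
                if companion in CATALOGUE and companion not in granted:
                    findings.append(f"{role}: missing {companion}")
    return findings


# Constructed sample group, not taken from a real system.
EDITORS = ["can_read_acls", "can_create_assets", "can_read_collections",
           "can_write_collections", "can_create_subclips", "can_write_users"]
```

A clean result only covers roles; ACL access to the Assets and Collections involved is a separate check.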
Browse Only User Roles
Role | Description |
---|---|
can_create_segments | Allows creating comments |
can_delete_approval_status | Allows deleting your own approvals |
can_delete_saved_searches | Allows deleting saved searches that you have access to |
can_delete_search_history | Allows deleting your search history |
can_delete_segments | Allows deleting your own comments |
can_read_acls | Required for getting access to anything |
can_read_approval_request | Allows being part of an approval workflow |
can_read_asset_relations | Allows reading relations |
can_read_asset_subtitles | Allows reading subtitles |
can_read_assets | Allows reading assets |
can_read_collections | Allows reading collections |
can_read_custom_actions | Allows seeing custom actions |
can_read_discovery_entities | Allows seeing the discovery view |
can_read_files | Allows seeing files |
can_read_formats | Allows seeing formats |
can_read_group_mappings | Allows reading groups (Required for SAML) |
can_read_identity_providers | Allows reading identity providers for SAML (Required for SAML) |
can_read_jobs | Allows seeing jobs |
can_read_metadata_categories | Allows seeing metadata categories (Required for metadata) |
can_read_metadata_values | Allows seeing metadata values |
can_read_metadata_views | Allows seeing metadata views |
can_read_notifications | Allows seeing notifications |
can_read_notification_settings | Allows seeing notification settings |
can_read_proxies | Allows viewing proxies |
can_read_saved_searches | Allows access to saved searches |
can_read_search_history | Allows access to search history |
can_read_segments | Allows access to comments and times metadata |
can_read_subscriptions | Allows seeing notification subscriptions |
can_read_shares | Allows access to shares |
can_read_transcode_jobs | Allows access to transcode jobs |
can_read_transcriptions | Allows access to transcriptions |
can_read_transfers | Allows seeing ongoing transfers |
can_search | Allows searching |
can_write_approval_status | Allows setting approval status (If part of an approval workflow) |
can_write_metadata_values | Allows editing metadata |
can_write_saved_searches | Allows saving searches |
can_write_segments | Allows editing (your own) comments |
can_write_subscriptions | Allows editing your notification subscriptions |
can_list_all_users | Allows seeing all users when listing users or querying for users |
can_list_group_users | Only allows seeing users from groups you are a member of |
can_list_all_groups | Allows seeing all groups when listing groups. Otherwise only groups you are a member of are shown. |
web_can_download_original | Allows the user to download the original file from an asset |
web_can_download_proxy | Allows the user to download the proxy file from an asset |
web_can_list_users | Allows seeing the user list when sharing (And other places you can list users) |
web_can_view_versions | Allows viewing the different versions of assets |
Standard User Roles
Role | Description |
---|---|
can_archive_formats | Allows archiving of formats |
can_analyze_content | Allows access to the Analyze function |
can_approve_without_request | Allows approval of an asset without going through the request stage |
can_create_asset_relations | Allows creating asset relations |
can_create_assets | Allows creating new assets |
can_create_collections | Allows creating new collections |
can_create_formats | Allows uploading files |
can_create_poster | Allows creating poster images |
can_create_subclips | Allows creating Subclips |
can_create_shares_to_upload | Allows creating shares for upload |
can_create_transcode_jobs | Allows creating transcode jobs |
can_create_root_collections | Allows creating collections in the root of the collection tree |
can_delete_acls | Allows removing ACLs |
can_delete_approval_request | Allows deleting an approval request |
can_delete_asset_relations | Allows removing asset relations |
can_delete_assets | Allows deleting assets |
can_delete_collections | Allows deleting collections |
can_delete_discovery_entities | Allows deleting Discovery view items |
can_delete_favorites | Allows deleting favorites |
can_delete_files | Allows deleting files |
can_delete_formats | Allows deleting formats |
can_delete_object_shares | Allows deleting shares |
can_delete_proxies | Allows deleting proxies |
can_delete_saved_search_groups | Allows deleting Saved Search Groups |
can_delete_transcriptions | Allows deleting transcriptions |
can_delete_versions | Allows deleting versions of an asset |
can_edit_other_users_comments | Allows users to delete other users' comments |
can_manage_shares | Allows users to see their own shares |
can_manage_all_shares | Allows users to see other users' shares |
can_purge_assets | Allows purging assets from the recycle bin |
can_purge_collections | Allows purging collections from the recycle bin |
can_read_storages | Allows access to the Storage list |
can_reindex_assets | Allows explicit reindex of assets |
can_reindex_collections | Allows explicit reindex of collections |
can_reindex_segments | Allows explicit reindex of segments (Comments and Time based metadata) |
can_reindex_shares | Allows explicit reindex of shares |
can_restore_archived_formats | Allows restoring an archived format |
can_see_all_jobs | Allows this user to see all jobs regardless of ACLs |
can_transcribe_content | Allows this user to transcribe assets |
can_use_adobe_panel | Allows using the Adobe panels |
can_write_acls | Allows setting ACLs |
can_write_approval_request | Allows making Approval requests |
can_write_approval_status_in_bulk | Allows doing bulk approvals |
can_write_asset_relation_types | Allows adding relation types |
can_write_asset_subtitles | Allows adding subtitle files |
can_write_assets | Allows editing assets |
can_write_collections | Allows editing collections |
can_write_discovery_entities | Allows editing the discovery view |
can_write_exports | Allows creating exports |
can_write_favorites | Allows users to create favorites |
can_write_files | Allows updating file entries |
can_write_formats | Allows updating format entries |
can_write_jobs | Allows updating jobs |
can_write_keyframes | Allows creating posters and setting keyframes (In combination with web_enable_posters and can_create_posters) |
can_write_proxies | Allows updating proxies |
can_write_shares | Allows updating shares |
can_write_saved_search_groups | Allows creating and updating Saved Search Groups |
can_write_transcode_jobs | Allows updating transcode jobs |
can_write_transcriptions | Allows creating and editing transcriptions |
can_write_transfers | Allows updating transfers |
can_write_versions | Allows creating new versions of assets |
is_storage_worker | Special role for users that act as an Iconik Storage Gateway |
web_can_create_placeholder | Allows the user to create a placeholder from the Web UI |
web_can_create_link_asset | Allows the user to create Link assets from the Web UI |
web_can_top_level_upload | Allows users to upload to the top level of a storage |
web_can_upload | Allows the user to Upload using the web interface |
web_can_upload_legacy | Allows the user to Upload using the web interface without write ACL on the storage (Legacy behaviour) |
web_enable_posters | Allows the user to see the Poster tab. To create posters, can_write_keyframes and can_create_posters are also required |
Power User Roles
Role | Description |
---|---|
can_act_as_user | Can switch to another user. |
can_create_users | Gives access to create users |
can_delete_acl_templates | Allows deleting ACL templates |
can_delete_analysis_profiles | Allows deleting AI analysis profiles |
can_delete_analysis_service_accounts | Allows deleting AI analysis service accounts |
can_delete_apps | Allows deleting applications and tokens |
can_delete_archived_formats | Allows deleting an archived format |
can_delete_asset_relation_types | Allows deleting asset relation types |
can_delete_assets_history | Allows deleting an asset history entry |
can_delete_cors_hosts | Allows deleting CORS entries for the API (API only) |
can_delete_export_locations | Allows deleting export locations |
can_delete_group_mappings | Allows deleting group mappings (For SAML only) |
can_delete_groups | Allows deleting groups |
can_delete_identity_providers | Allows deleting SAML identity providers |
can_delete_jobs | Allows deleting jobs |
can_delete_logs_recipients | Allows deleting logs recipients |
can_delete_metadata_categories | Allows deleting metadata categories |
can_delete_metadata_fields | Allows deleting metadata fields |
can_delete_metadata_views | Allows deleting metadata views |
can_delete_notifications | Allows deleting notifications |
can_delete_storages | Allows deleting storages |
can_delete_transcode_jobs | Allows aborting a transcode job |
can_delete_transcoders | Allows deleting a Transcoder |
can_delete_users | Allows deleting users |
can_delete_webhooks | Allows deleting a Webhook definition |
can_purge_files | Allows purging files |
can_purge_formats | Allows purging formats |
can_read_acl_templates | Gives access to the ACL templates in the Admin view |
can_read_analysis_service_accounts | Gives access to the AI accounts in the Admin view |
can_read_apps | Gives access to the Applications panel in the Admin view |
can_read_assets_history | Gives access to Asset history |
can_read_billing | Gives access to billing |
can_read_cors_hosts | Allows listing CORS entries for API |
can_read_export_locations | Gives access to the Export location list. |
can_read_groups | Gives access to the group list in the Admin view |
can_read_logs_recipients | Read access to Shield log recipients |
can_read_metadata_fields | Gives access to the metadata fields in the Admin view |
can_read_stats | Gives access to the Stats page |
can_read_system_domains | Gives access to read the system domain info (Only current domain, unless given access by a super admin) |
can_read_transcoders | Gives access to the Transcoder list in the Admin view |
can_read_users | Gives access to the User list in the Admin view |
can_read_webhooks | Gives access to the Webhooks in the Admin view |
can_reindex_assets_history | Allows reindex operations using API |
can_reindex_export_locations | Allows reindex operations using API |
can_reindex_groups | Allows reindex operations using API |
can_reindex_saved_searches | Allows reindex operations using API |
can_reindex_storages | Allows reindex operations using API |
can_reindex_transcoders | Allows reindex operations using API |
can_reindex_users | Allows reindex operations using API |
can_scan_bucket | Allows scanning a cloud bucket for new content |
can_see_all_jobs | Allows the user to see all jobs on the system |
can_write_acl_templates | Allows editing ACL templates |
can_write_analysis_profiles | Allows editing AI analysis profiles |
can_write_analysis_service_accounts | Allows editing AI analysis service accounts |
can_write_apps | Allows creating new Applications and tokens |
can_write_assets_history | Allows updating Asset History entries |
can_write_billing | Allows updating billing information |
can_write_cors_hosts | Allows editing CORS entries for API |
can_write_export_locations | Allows creating and editing Export Locations |
can_write_group_mappings | Allows editing group mappings (For SAML) |
can_write_groups | Allows editing and creating groups |
can_write_identity_providers | Allows editing the identity provider (For SAML) |
can_write_logs_recipients | Allows editing the Shield logs recipients |
can_write_metadata_categories | Allows editing Metadata Categories |
can_write_metadata_fields | Allows editing and creating Metadata Fields |
can_write_metadata_views | Allows editing and creating Metadata Views |
can_write_storages | Allows editing and creating Storages |
can_write_transcoders | Allows creating and editing Transcoders |
can_write_users | Allows editing Users |
can_write_webhooks | Allows creating and editing Webhooks |
can_edit_all_users | Allows editing all users, regardless of ACLs |
can_edit_all_groups | Allows editing all groups, and adding users to all groups, regardless of ACLs (The user cannot add roles they don't have themselves to a group, though) |
Administrator Role
The Administrator Role is a special role which gives increased capabilities over the system. Administrators have access to all functions and content in the system regardless of roles and ACLs.