Users access the files that are stored in Assets Server by making use of any of the client applications such as Assets, the Brand portal, or Assets for InDesign.
Before they can do this, they need to be given access to these clients and the stored files. This is done by adding the users or user groups to Assets Server and subsequently defining Permissions for these users or user groups. Such Permissions control access to:
- Client applications and their features
- Folders and files in Assets Server
- Metadata fields
- Presets for downloading images
This article describes how to control user access to folders and files.
Rules
Access to folders and/or files and controlling the actions that can be performed on them is done through 'Rules'.
The process of managing Rules comes in two parts:
- Setting up a Rule. Here you will define the folders and/or files that should be given access to.
- Assigning a Rule to users or user groups. Here you will define which actions can be performed on the folders and/or files.
Managing Rules
Managing Rules is done on the User page or the User Groups pages of the Management Console.
Step 1. Access the Management Console by doing one of the following:
- Access the following URL and log in using system administrator credentials (a 'Super user' account):
<Assets Server URL>/console
- In Assets, access the Avatar menu and choose Management Console.
Step 2. In the menu on the left of the page, choose Permissions followed by User Groups or Users.
Figure: The Users page in the Management Console.
Setting up a Rule
Before you can assign a Rule, it needs to be set up.
This can be done in the following ways:
- By specifying a folder within the Assets Server structure. Access will then be granted to the contents of the folder. This can be a file, Collection, or folder1 respectively to the selected rule type in Step 3 below.
1 For Assets Server 6.62 or lower the rule applies to all contents of the folder and the selected folder itself.
- By constructing a metadata query. (Not available for Folder rules) This is a way of fine-tuning access, for instance by only allowing access to files that have a status of 'Production'.
- By specifying an object and constructing a metadata query. Similar to the separate rules above, but now combined into one rule.
Setting up a Rule can be done either on the User Groups page or the Users page. Any Rule that is created on one page is also available on the other page.
Step 1. Access the User page or the User Group page.
Step 2. Select Rules from the menu.
Step 3. (Assets Server 6.63 or higher) Select File rules, Collection rules, or Folder rules, depending on the object for which the rule needs to be created.
Step 4. Do one of the following:
- Create a new Rule by clicking the + sign at the bottom of the lists of presets.
- Edit an existing Rule by clicking it in the list.
The Rule window appears.
Step 5. Make sure that the Rule information tab is selected.
Note: When setting up a Folder rule, the Metadata query section is not available.
Step 6. Set up your Rule by entering a descriptive name, setting up a folder restriction, setting up a query restriction, or setting up a combined folder and query restriction.
Step 6a. Click the + sign.
The Folder browser appears.
Step 6b. Do one of the following:
- Browse to an existing folder that you want to give access to.
- Create a new folder by doing one of the following:
- Select a folder in which you want to create the new folder (or select no folder to make it the root folder), click New folder at the top and enter the name of the folder.
- In the Folder path field at the bottom of the dialog, enter the full path to the new folder, optionally by using wild cards. (This method requires Assets Server 6.63 or higher.)
|
About using wild cards It is possible to create a Rule containing a wildcard that matches all folders on a certain level. This can be done by replacing a folder in the selected folder path with an asterisk *.
Notes:
|
Step 6c. Click Select to close the Folder browser.
Step 6d. (Optional) Add additional folder locations.
Step 6e. Enter your query in the Metadata query box.
Note: The Metadata query section is not available when setting up a Folder rule.
Tip: Quickly locate metadata fields to include by searching for them in the Fields overview list. Clicking a found field will automatically add it to the Query box.
For information about constructing queries, see The Assets Server query syntax.
Note: Using wildcard queries in a query restriction is not supported; these slow down searches too much and will affect every search done on the system.
|
Example: To restrict access only to files that have a status of 'production', add the following query: status:production |
Step 7. (Optional) Test your Rule by clicking Test query.
Step 8. Click Next.
The Permissions tab appears for assigning the Rule to users or user groups.
Step 9. Continue by following the Assigning a Rule section below.
Assigning a Rule
Rules are assigned to users and user groups as part of assigning Permissions. This is done in the User Groups or Users page in the Management console.
Note: Applying rules to users affects the time it takes to do searches and get search results. Assigning many or complex rules to a single user or user group will negatively impact search performance for that user or user group.
Assigning a Rule can be done manually or as part of copying Permissions from an existing user or user group.
Assigning a Rule manually
Step 1. On the Users page or on the User Groups page, click a Rule that you want to assign to a user or user group.
Tip: Use the Filter to quickly find a user or user group.
|
Troubleshooting: "LDAP search failed" error appears In certain scenarios, the following error can appear: LDAP search failed: The number of search results exceeds the Active Directory limit. Modify your search to limit the number of results. For more information, see LDAP search failed" error when searching for users in Assets Server. |
The Rule window is shown with the Permissions tab opened, showing all users and user groups (if any) to which the Rule is currently assigned.
Step 2. Click the + sign.
The Select users and groups window appears.
Step 3. Select one or more users or user groups and click Add.
Step 4. For each user or user group that was added, define what they are allowed to do by selecting or clearing the available check boxes. For an explanation of each option, see Permission types below.
Tip: Hover the mouse over an icon to see a short explanation about that option.
Step 5. When done, do one of the following:
- Click Save to save the changes and close the dialog.
- Click Save & copy to save the changes and reopen the dialog to use the current settings as the basis for creating a new rule.1
- Click Save & new to save the changes and reopen the dialog to create a new rule from scratch.1
1 Requires Assets Server 6.63 or higher.
Step 6. Test the setup by logging in to Assets as a user with a specific role to see if the permissions are set correctly.
Copying Permissions
Copying Permissions is an efficient way of quickly assigning an existing set of Permissions to a user or group.
Warning: When copying, all existing Permissions for that user or user group will be replaced.
Step 1. From the list of users or user groups, choose the user or group from which you want to copy the assigned Permissions.
Step 2. At the bottom of the list, click the Copy button.
The 'Copy Permissions To' window appears.
Step 3. From the list of users or groups, choose the user or group to which you want to copy the Permissions.
Step 4. In the list of Permissions, select which type of Permissions should be copied.
Step 5. Click Copy.
The Permissions are copied.
Permission types
The following table shows general information about the available permissions that can be set and what they do.
| Icon | Option | Details |
|---|---|---|
| View |
Allows users to view content. Note: Be careful assigning View permissions to Rules that only contain a query restriction (and not a folder restriction). Doing so allows users to view all files, including those in other users' zones (a long as the files match the query). |
|
| View preview | Allows user to view content in ‘preview’ size. | |
| Hide Watermark | (Only available when applying watermarks to images is enabled in Assets Server). Allows users to see images without a watermark. | |
| Use original |
(Can only be set when 'Hide watermarks' is also set, see above.) Allows the user to perform the following tasks:
1 Also requires the 'Edit' permission to be set. |
|
| Edit metadata |
Allows the user to edit metadata of files, such as modifying data in metadata fields. Note: Which metadata fields can be edited is controlled by assigning Edit permission for each field. |
|
| Edit |
Allows the user to perform the following tasks:
1 Also requires the 'Use original' permission to be set. |
|
| Rename |
Allows user to rename files or Collections. Note: To rename folders users need 'Move' permission because it changes the location of all the files within the folder. |
|
| Move |
Allows user to move files or folders. Note: The user needs to have permission on the source folder and the destination folder. |
|
| Create |
Allows the user to perform the following tasks:
|
|
| Delete | Allows the user to permanently delete content, versions of files or Collections by using the Delete command in the context menu of the file.1 |
1 The Delete Permission is closely related to the Delete Capability which controls the availability of the Delete command in the context menu.
Observe the following differences in behavior when setting both options:
| Scenario | Delete Capability | Delete Permission | Behavior |
|---|---|---|---|
| 1 | Enabled | Enabled | The Delete command is available and enabled in the context menu; files can be permanently deleted. |
| 2 | Enabled | Disabled | The Delete command is available in the context menu but grayed out; users can see the command but cannot use it. |
| 3 | Disabled | Enabled | The Delete command is hidden from the context menu; users are unable to see and use it. Files still have the delete permission assigned, which can be useful for the requiredPermissionMask setting (the D permission) of Action plug-ins. |
| 4 | Disabled | Disabled | The Delete command is hidden from the context menu and the delete permission is removed for all files; files cannot be deleted by users or Action plug-ins. |
Permissions per file type
Info: This information applies to Assets Server 6.63 or higher.
The following table shows the permissions that can be set for a File rule, Collection rule, and Folder rule.
| Permission | File | Collection | Folder |
|---|---|---|---|
| View | X | X | - |
| Preview | X | X | - |
| Hide watermarks | X | - | - |
| Download & Copy (use original) | X | X | X |
| Edit metadata | X | X | - |
| Edit file / contents | X | X | - |
| Create | X | X | X |
| Rename | X | X | X |
| Move | X | X | X |
| Delete | X | X | X |
The following sections explain each permission in more detail for File rules, Collection rules, and Folder rules:
View
- When a file has View permissions assigned it will appear in the search results. When the rule is based on a folder or zone, this folder and its parent structure will appear in the Folder browser.
Note: Be careful assigning View permissions to Rules that only contain a query restriction (and not a folder restriction). Doing so allows users to view all files, including those in other users' zones (a long as the files match the query).
- When a Collection has View permissions assigned it will appear in the search results and in the Folder browser. If a nested Collection has View permission, the parent structure will also be shown in the Folder browser.
- When a Collection with View permission contains files or other Collections, these files and Collections are not shown unless they too have View permission assigned.
- A folder cannot have View permissions directly assigned; instead, this is derived from View permissions on selected folders on the file or Collection rules. This reduces the need to set up Folder rules.
|
Example: When setting View permissions on the 'January Issue' folder, only its direct parent folders are accessible together with all its sub folders: |
Preview
- Preview permissions can be assigned to a file and make it possible to view and download a downsized JPG rendition and custom renditions.
- For Collections, an equivalent Download Preview permission is available. A download can be performed for the available previews within the Collection; the individual files require preview permission to be set.
- Users can always see previews when Download & Copy (use original) is assigned.
- To preview Digital articles, the Download & Copy (use original) permission is required.
Hide watermarks
- Allows users to see file previews without a watermark when watermarks are enabled.
- Watermarks are always hidden when the user has the Download & Copy (use original) permission assigned.
Download & Copy
- Allows users to download the file data, Collection contents, or folder structure with contents.
- Allows users to copy the files to other folders in the system for which they have Create permissions assigned.
- Allows users to preview Digital articles.
Edit metadata
- Allows metadata to be edited on files and Collections.
Edit
- For files this means that the file data can be updated through replace or check-in actions.
- For Collections it allows adding and removing files from Collections and creating nested Collections (requires Create to also be enabled).
Create
- For files this makes it possible to upload to the specified folder.
- For Collections this makes it possible to create Collections in the specified folder.
- For folders this makes it possible create new folders within the specified folder.
Rename
- Makes it possible to rename a folder, file, or Collection within the specified folder.
- Only applies to the contents of the folder, the selected folder itself will not receive the permission.
-
A folder can only be renamed when all contained files and Collections have Move permissions.
Move
- Makes it possible to move a folder, file or Collection within the specified folder.
- The specified folder itself is not allowed to be moved.
- When it is allowed to move a folder, file, or Collection from a specific zone, it is also allowed to move a folder, file or Collection to that zone.
- A folder can only be moved when all contained files and Collections have Move permissions.
Delete
- Makes it possible to delete a folder, file, or Collection within the specified zone.
- The specified zone folder itself is not allowed to be deleted.
-
A folder can only be deleted when all contained files and Collections have Delete permissions.
Examples
In the following examples, 4 Rules have been set up:
- A query restriction based on Status = 'Production'
- A folder restriction on the Archive folder
- A folder restriction on the Images & Video folder
- A folder restriction on the Documents folder
Consider that we have the following user groups to assign permissions to:
- Designers
- Editors
- Photographers
During our preparation it was decided that these groups should have the following permissions:
- All groups should be able to view content in the Archive folder.
- Designers should be able to view, preview, create, rename and move content in the Images & Videos folder.
- Photographers should be able to view, preview, create and rename content in the Images & Videos folder. They should also be able to edit the metadata of their files.
- Editors should be able to view, preview and create content in the Documents folder.
- Designers and editors should be able to preview, download, copy, check-out and restore versions of all files that have the status 'Production' assigned. They should also be able to edit the metadata of these files.
This results in the following setup:
Designers:
Editors:
Photographers:
Comments
0 comments
Please sign in to leave a comment.