As a Domain Owner, you can restrict access by combining Roles with Access Controls on assets and collections.
Roles
These are the roles the Domain Owner needs in order to set this up:
- Owner
- can read acls
- can write acls
- can write groups OR can write role groups
Only allow view of assets
For example, if you have a user, Jenny, whom you want to be able to see an asset but not download it, edit its metadata or delete it, put Jenny into a Group (legacy) or Role Group that has only restricted roles. Jenny must not be in any other group that grants more roles, because she inherits all the roles from all the groups she belongs to.
So if we create a Group (legacy) or Role Group called “Restricted Users”, for its Roles we would pick:
- can read approval request
- can read assets
- can read assets history
- can read asset relations
- can read asset subtitles
- can read collections
- can read custom actions
- can read files
- can read formats
- can read metadata categories
- can read metadata fields
- can read metadata values
- can read metadata views
- can read notifications
- can read notification settings
- can read proxies
- can read saved searches
- can read search history
- can read segments
- can read shares
- can read users
- can search
We then save the Group/Role Group and add the user Jenny to it. Do the same for the other users that require the same restrictions.
Finally, we want to give her access to content. For each asset you want her to see, set an Access Control on the asset that gives the Group/Role Group “Restricted Users” READ permission. You can learn how to do this on assets and collections.
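The two rules above (a user inherits the union of the roles of every group they belong to, and an asset is only reachable when its ACL grants one of the user's groups READ) are easy to get wrong when a user sits in more than one group. The following is an added example, not the product's own code or API: it models both rules with the role names listed on this page, audits whether a user still matches the "Restricted Users" profile, and checks the roles the Domain Owner needs. The dataclass shapes, the "READ" permission string and the sample groups and assets are constructed assumptions.

```python
# Added example, not the product's own code or API: a small model of how roles
# inherited from several groups combine, how that can undo a "view only" setup,
# and how an asset ACL gates which assets the view-only group can reach.
# Permission names ("READ") and the dataclass shapes are assumptions.
from dataclasses import dataclass, field

# Roles listed above for the "Restricted Users" group (view-only profile).
RESTRICTED_VIEW_ROLES = frozenset({
    "can read approval request", "can read assets", "can read assets history",
    "can read asset relations", "can read asset subtitles", "can read collections",
    "can read custom actions", "can read files", "can read formats",
    "can read metadata categories", "can read metadata fields",
    "can read metadata values", "can read metadata views", "can read notifications",
    "can read notification settings", "can read proxies", "can read saved searches",
    "can read search history", "can read segments", "can read shares",
    "can read users", "can search",
})

@dataclass(frozen=True)
class Group:
    name: str
    roles: frozenset

@dataclass
class User:
    name: str
    groups: list

@dataclass
class Asset:
    name: str
    acl: dict = field(default_factory=dict)  # group name -> permission ("READ", ...)

def effective_roles(user):
    """A user inherits every role from every group they belong to (set union)."""
    roles = set()
    for group in user.groups:
        roles |= group.roles
    return roles

def excess_roles(user, allowed=RESTRICTED_VIEW_ROLES):
    """Roles the user holds beyond the view-only profile. A non-empty result
    means another group membership has widened their access, so the
    restriction no longer holds."""
    return effective_roles(user) - allowed

def can_view(user, asset):
    """Viewing needs both the role and an ACL entry for one of the user's groups."""
    if "can read assets" not in effective_roles(user):
        return False
    return any(asset.acl.get(group.name) == "READ" for group in user.groups)

def can_administer_acls(user):
    """The ACL/group roles the Domain Owner needs (listed above) to set this up."""
    roles = effective_roles(user)
    return ({"can read acls", "can write acls"} <= roles
            and ("can write groups" in roles or "can write role groups" in roles))

# Constructed sample data.
restricted = Group("Restricted Users", RESTRICTED_VIEW_ROLES)
editors = Group("Editors", frozenset({"can read assets", "can write assets", "can create assets"}))
admins = Group("Admins", frozenset({"can read acls", "can write acls", "can write role groups"}))

jenny = User("Jenny", [restricted])
jenny_misconfigured = User("Jenny", [restricted, editors])   # also in a wider group
owner = User("Owner", [admins])

shared_asset = Asset("interview.mov", acl={"Restricted Users": "READ"})
private_asset = Asset("rushes.mov")                          # no ACL entry for her group

if __name__ == "__main__":
    print("Jenny excess roles:", sorted(excess_roles(jenny)))
    print("Misconfigured excess roles:", sorted(excess_roles(jenny_misconfigured)))
    print("Jenny can view interview.mov:", can_view(jenny, shared_asset))
    print("Jenny can view rushes.mov:", can_view(jenny, private_asset))
```

Running `excess_roles` over every member of the restricted group is a quick audit: any user whose result is non-empty has picked up write or create roles from a second group and is no longer view-only, however the asset ACLs are set.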
Allowing commenting
If you want the above plus the ability to comment, enable the following role in addition to those above. It can be granted in another Group (legacy) or Role Group that you apply to the user.
- can create segments
Allowing upload
If you want to allow the user to upload, add the following roles in addition to the main roles above.
- can write assets
- can create assets
- can create formats
- can create transcode jobs
- can write formats
- can write files
- can write jobs
- can read storages
- web can upload
If you have set up the system to require metadata on upload, you also need to add the roles listed under “Allow editing metadata”.
Restricting upload locations
You can restrict where users may upload by combining Roles and ACLs.
Restricting uploading to the top level of a storage
If you want your users to upload only into collections, make sure they do not have the role “Web can top level upload”.
Restricting upload to certain storages
If you have multiple storages, you can set ACLs at the storage level to restrict who may access each storage and upload to it.
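The upload controls in this section stack three checks: the upload roles listed above, the “Web can top level upload” role for uploads into the root of a storage rather than a collection, and the storage-level ACL. The following is an added example, not the product's own code or API, that models those checks as one decision function so you can see which check refuses a given upload. The `target` values, the "WRITE" storage permission and the sample groups and storages are constructed assumptions; the role names are the ones on this page.

```python
# Added example, not the product's own code or API: models the upload checks
# described above. "target" and the "WRITE" storage permission are assumptions;
# the role names are the ones listed on this page.

UPLOAD_ROLES = frozenset({
    "can write assets", "can create assets", "can create formats",
    "can create transcode jobs", "can write formats", "can write files",
    "can write jobs", "can read storages", "web can upload",
})
TOP_LEVEL_UPLOAD_ROLE = "web can top level upload"

def effective_roles(group_roles):
    """Union of the roles granted by every group the user belongs to."""
    roles = set()
    for roles_of_group in group_roles.values():
        roles |= roles_of_group
    return roles

def upload_decision(group_roles, storage_acl, target):
    """Decide whether an upload is allowed, and why not if it is refused.

    group_roles: {group name: set of roles} for the user's groups
    storage_acl: {group name: permission} on the destination storage
    target:      "collection" or "top-level" (the storage root)
    Returns (allowed, reason).
    """
    roles = effective_roles(group_roles)
    missing = UPLOAD_ROLES - roles
    if missing:
        return False, "missing upload roles: " + ", ".join(sorted(missing))
    if target == "top-level" and TOP_LEVEL_UPLOAD_ROLE not in roles:
        return False, "top-level upload needs role: " + TOP_LEVEL_UPLOAD_ROLE
    if not any(storage_acl.get(group) == "WRITE" for group in group_roles):
        return False, "no group of this user has WRITE on the storage"
    return True, "ok"

# Constructed sample data.
UPLOADERS = {"Uploaders": UPLOAD_ROLES | {"can read assets", "can read collections"}}
ARCHIVISTS = {"Archivists": UPLOAD_ROLES | {TOP_LEVEL_UPLOAD_ROLE}}
VIEWERS = {"Restricted Users": {"can read assets", "can search"}}

PRODUCTION_STORAGE = {"Uploaders": "WRITE", "Archivists": "WRITE"}
ARCHIVE_STORAGE = {"Archivists": "WRITE"}

if __name__ == "__main__":
    for label, groups, acl, target in [
        ("uploader -> production collection", UPLOADERS, PRODUCTION_STORAGE, "collection"),
        ("uploader -> production top level", UPLOADERS, PRODUCTION_STORAGE, "top-level"),
        ("uploader -> archive collection", UPLOADERS, ARCHIVE_STORAGE, "collection"),
        ("archivist -> archive top level", ARCHIVISTS, ARCHIVE_STORAGE, "top-level"),
        ("viewer -> production collection", VIEWERS, PRODUCTION_STORAGE, "collection"),
    ]:
        print(label, upload_decision(groups, acl, target))
```

The order of the checks matters for troubleshooting: a user refused by the storage ACL already holds all the upload roles, so the fix is an ACL entry on that storage, not another role.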