By default, NetX's Permission system allows for adding permission entries based on a target (folder or asset) and a principal (all, group, or user). However, more complex granularity can be added if you enable the "enhanced" ACL mode. This allows Administrators to further restrict the actions that built-in User Levels can carry out.

Once Enhanced ACL mode is enabled, the Permission type dropdown list will contain the following options:

  • Read
  • Download
  • Add
  • Edit
  • Delete
  • Standard

These types are used to limit the functionality of existing User Levels within the context of a certain target (folder or individual asset). The permission types are cumulative: for each type, the user is assumed to have the lower-level functions as well. For example, the ability to "edit" implies the ability to "add", and so on.

For example, let's say that you have a Producer level user in the system, but you don't want that user to be able to edit assets within a certain folder. To do this, you can create a Download permission for the folder and assign it to the Producer level user, thus restricting their abilities so that they are only able to view and/or download the asset (see the permission type details below). It's important to note that while these special permission types can be used to restrict User Levels, they cannot be used to add functionality to a lower User Level. For example, if you create an Edit permission and assign it to a Browser level user, the Browser user will not be able to see or execute Edit level (Producer-level) actions.

Permission types

Listed below is a brief summary of how each permission type will interact with a given User Level. Keep in mind that some unpermitted actions may be visible in the UI, but will fail—sometimes silently—if an attempt is made to execute them.

Read

  • Access is unchanged for Browser level users.
  • Access for user levels Consumer and higher is restricted to read-only (browse).
  • Creating saved searches and collections will be permitted.
  • Actions that will not be possible:
    • Will not be able to Download the asset Original, View or any version.
    • Will not be able to Create PDF.
    • Will not be able to alter the asset by any method.
    • Will not be able to repurpose assets.
    • Will not be able to edit Attribute values through Asset Detail, Quick Edit, Grid Edit.
    • Uploading to a folder with Download-only ACL will not be permitted for the target group or user.
    • Will not be able to add Versions, Views or create Relationships.
    • Will not be able to Move or Add asset to new folders (but Collections will be allowed, so long as permissions remain intact).

Download

  • Access is unchanged for Browser and Consumer level users.
  • Importer level or higher can:
    • Read
    • Download
    • Repurpose
    • Save searches
    • Create collections
  • Actions that will NOT be possible:
    • Will not be able to alter the asset by any method (exception is creating a repurposed derivative)
    • Will not be able to edit Attribute values through Asset Detail, Quick Edit, Grid Edit, or even on upload (the act of uploading will also be blocked).
    • Will not be able to add Versions, Views or create Relationships (Links).
    • Will not be able to Move or Add asset to new folders.

Add

  • Access is unchanged for Browser, Consumer, and Importer level users.
  • Producer level or higher can:
    • Read
    • Download
    • Repurpose
    • Import
    • Create subfolder
  • Actions that will not be possible:
    • Will not be able to alter the asset by any method.
    • Will not be able to edit Attribute values through Asset Detail, Quick Edit, Grid Edit, or even on upload.
    • Will not be able to add Versions, Views or create Relationships (Links).
    • Will not be able to Move asset to new folders (but can add to folder if user level allows). 

Edit

  • Access is unchanged for Browser, Consumer, Importer and Producer level users.
  • Manager level or higher can:
    • Read
    • Download
    • Repurpose
    • Import
    • Update data
    • Add/Move assets to/from this folder
    • Add/Move folder
    • Add/Move/Create subfolder but not Delete.
  • Actions that will NOT be possible:
    • Should not be able to Delete asset (however, users will be able to Move the asset to a folder that does allow delete).

Delete

  • All users have unchanged functionality

Standard

  • All users have unchanged functionality

Creating and editing enhanced ACL permissions

Setup

The following property is required to enable the enhanced ACL system:

Property: image.aclEnhanced

  • Values: True / False
  • Description: If the value of this property is true, the ACL permission system is enabled. If the value of this property is false, the standard permission system is used.
  • Requires Restart?: No

Usage

  1. To create an Enhanced ACL permission, first log on as an Administrator.
  2. Navigate to Systems (gear icon) and click Permissions.
  3. Click the Add Permission button to create a new permission.
  4. The following information needs to be defined:

    • Permission Type: Read, Download, Add, Edit, Delete, Standard (see above for detailed descriptions of permission types).
    • Principal Type: Everyone (All users in the system), Group or User.
    • Principal field: Specific name of the User or Group who will be affected by the setting.
    • Target Type: Folder or Asset.
    • Target field: Specific name of the Folder or Asset that will be affected by the setting.
    • Recursive: When the Target is a Folder, this determines whether the subfolder(s) of the Folder would also be affected by this permission setting.
  5. Once you have finished choosing your settings, click Submit.

Permissions order

When using enhanced ACLs, pay attention to the permission order — permissions higher up in the list take precedence over those below. For example, let's say there are two permissions that apply to a certain user and target; one is a Delete permission and one is a Read permission. If the Read permission is higher up on the list, it will take precedence over the Delete permission and the user will only have Read permissions to the target. For this reason, it's best practice to order your permissions from least restrictive to most restrictive — start with a wide funnel that gets narrower as it goes down the list.

  1. To reorder permissions, log on as an Administrator and click on Systems > Permissions.
  2. Hover over the drag button until the cursor changes to a hand, then click to drag the permission entry up or down the list.
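
The following sketch is an added example, not NetX code. It models the rules described on this page so that an ordered permission list can be checked before it is entered in the UI: the first applicable entry wins, and a permission type can lower a User Level but never raise it. The names Entry, effective_level and shadowed, the folder path syntax, and the mapping from each permission type to the highest unchanged User Level (taken from the "Access is unchanged for ..." lines above) are assumptions made for illustration.

```python
# Added illustration: a simplified model of the rules on this page, not NetX code.
# Entry, the path syntax and the matching logic are assumptions.
from dataclasses import dataclass

# User Levels named on this page, lowest first.
LEVELS = ["Browser", "Consumer", "Importer", "Producer", "Manager"]
# Highest User Level each permission type leaves unchanged; None = no restriction.
CAP = {"Read": "Browser", "Download": "Consumer", "Add": "Importer",
       "Edit": "Producer", "Delete": None, "Standard": None}

@dataclass
class Entry:
    ptype: str            # Read / Download / Add / Edit / Delete / Standard
    principal_type: str   # "everyone", "group" or "user"
    principal: str
    folder: str           # constructed folder path, e.g. "/Brand/Logos"
    recursive: bool = False

def applies(entry, user, groups, folder):
    """True if the entry's principal and target both match."""
    who = (entry.principal_type == "everyone"
           or (entry.principal_type == "user" and entry.principal == user)
           or (entry.principal_type == "group" and entry.principal in groups))
    where = folder == entry.folder or (
        entry.recursive and folder.startswith(entry.folder.rstrip("/") + "/"))
    return who and where

def effective_level(entries, user, groups, user_level, folder):
    """Walk the list top-down; the first applicable entry decides."""
    for entry in entries:
        if applies(entry, user, groups, folder):
            cap = CAP[entry.ptype]
            if cap is None:
                return user_level
            # A permission type restricts; it never adds functionality.
            return LEVELS[min(LEVELS.index(user_level), LEVELS.index(cap))]
    return None  # no entry applies; this case is outside the model

def shadowed(entries, user, groups, folder):
    """Entries that apply to this user and folder but are never reached."""
    hits = [e for e in entries if applies(e, user, groups, folder)]
    return hits[1:]
```

Running shadowed() for a given user and folder lists the entries that a higher entry overrides, which is the situation the Read-above-Delete example describes.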