Permissions
A user group policy contains rules that consist of:
- Permissions, which define access at the data level (on assets, content, or any data from another entity definition) or at the interface level (pages). They determine what a user can see or do. Permissions are defined on a target entity definition and are always positive: a rule can grant a permission, but you cannot deny a permission using user group policies. The only way to restrict access is to narrow the conditions of the rules that grant it.
- Conditions, which determine how the permissions are applied and on which entities. Using conditions, you can apply permissions to specific entities in the entity definition instead of to the entire entity definition.
For further advice about assigning user permissions, refer to the Security best practices.
Permissions
The following table describes permissions. Which permissions are available depends on the entity you select when you define the rule.
| Permission | Description |
|---|---|
| Read | View any entity of the target entity definition that fulfills the specified conditions. A user without Read on an entity cannot see it in the user interface or through the API. For a page to show content (an asset, content item, product, or any other entity), the user must also have Read on those entities; otherwise, the page renders empty. On a portal page, Read lets the user open the page. For content items, Read must be granted on both M.ContentVersion and M.Content. |
| Create | Create new entities of the target entity definition that fulfill the specified conditions. |
| Update | Modify existing entities of the target entity definition that fulfill the specified conditions. |
| Delete | Delete existing entities of the target entity definition that fulfill the specified conditions. |
| Lock | Lock the original version of an asset when a draft version is created. |
| UnlockAlways | Unlock the original asset after the changes are published and the draft is deleted. |
| Submit | Submit assets that fulfill the specified conditions for review. This permission does not by itself grant the state flow permissions needed to transition an entity from one state to another. |
| DirectPublish | Submit assets that fulfill the specified conditions directly, skipping the approval workflow steps. |
| Approve | Approve assets that are under review and fulfill the specified conditions. |
| DownloadOriginal | Download the original rendition file of assets that fulfill the specified conditions. |
| DownloadPreview | Download a preview rendition file of assets that fulfill the specified conditions. |
| RequestRestricted | Download restricted assets, that is, assets protected by digital rights management (DRM). The download is permitted only for users with this permission, and only after the intended use declared by the user has been verified to match the usage rights of the asset. |
| Order | Create a download order from any search result set. |
| OrderRestricted | Download restricted (DRM-protected) assets even when the intended use is not approved. The download is permitted for users with this permission even if the intended use they declare does not match the usage rights of the asset. |
| CreatePublicLinks | Create public links for assets that fulfill the specified conditions. |
| ReadPublicLinks | View the public links of an asset. |
| ContentPublishing | Publish content to the delivery API. |
| AddVersion | Create a new version of an asset by uploading a new file. |
| CreateAnnotations | Add annotations to entities. |
| ReadAnnotations | Read annotations on entities. |
| CreateDraft | Create a draft of an approved entity in order to apply changes. This is useful, for example, when a user has no Update permission on entities but must be able to propose changes in a draft that is then validated and implemented. CreateDraft applies to digital content, not digital assets, and only to entity definitions that have the draft functionality enabled. |
| Archive | Archive assets that fulfill the specified conditions. This permission does not give access to archived assets; for that, assign Read permission on the FinalLifeCycleStatus entity definition. |
| ViewNotWatermarked | See any rendition of an asset that fulfills the specified conditions without watermarks. |
| ViewFileHistory | View the alternative files of an asset. Requires the ReadAudit privilege. |
| ViewDataHistory | View modifications made to asset properties. Requires the ReadAudit privilege. |
| CreateDiscussion | Create comments on entity details pages. |
| Reassign | Reassign project tasks. |
| EntityPrint | Generate a PDF from one or more entities based on a predefined print template. |
| CreateUserRendition | Create and configure renditions for an asset. |
| DownloadUserRendition | Download asset renditions. |
| ShareViaEmail | Share assets by email. |
| ContentVersionHistoryConfiguration | Use the View version history operation for content. |
| AllowEmptyOnDirectLinksUpdate | Controls whether Write permissions are matched when entity links are empty. By default this flag is set to true, meaning that Write permissions are not granted when the links are empty. Users with the ModifyPolicies privilege can disable the flag for specific policy rules through the REST API if needed. |
You do not need specific permissions to download preview and thumbnail renditions.
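The rule structure described at the top of this page (permissions granted on a target entity definition, narrowed by conditions, always positive) and the table's requirement that content items need Read on both M.Content and M.ContentVersion can be modeled in a few lines. The following Python block is an added example, not Sitecore Content Hub's own code or API: the entity definition and permission names come from the page, while the group names, brand values, entity records and the evaluation logic itself are constructed assumptions written to match the text.

```python
# Added example (not Sitecore Content Hub's own code): a minimal model of how
# user group policy rules combine. Entity definition names (M.Asset, M.Content,
# M.ContentVersion) and permission names come from the page; the policy,
# group and entity data below are constructed for the illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Set

Entity = Dict[str, object]
# A condition narrows a rule to a subset of the entity definition, e.g. Brand == "Acme".
Condition = Callable[[Entity], bool]


@dataclass
class Rule:
    """One rule: a set of permissions on a target entity definition, optionally conditioned."""
    definition: str
    permissions: FrozenSet[str]
    condition: Optional[Condition] = None  # None: applies to every entity of the definition

    def matches(self, entity: Entity) -> bool:
        if entity.get("definition") != self.definition:
            return False
        return self.condition is None or bool(self.condition(entity))


@dataclass
class Policy:
    """A user group policy: the rules attached to one user group."""
    group: str
    rules: List[Rule] = field(default_factory=list)


def effective_permissions(policies: List[Policy], entity: Entity) -> Set[str]:
    """Union of grants from every matching rule in every policy the user belongs to.

    Rules are always positive: a rule can add a permission but nothing can take
    one away, so the only way to restrict access is to narrow the conditions.
    """
    granted: Set[str] = set()
    for policy in policies:
        for rule in policy.rules:
            if rule.matches(entity):
                granted |= rule.permissions
    return granted


def is_allowed(policies: List[Policy], entity: Entity, permission: str) -> bool:
    return permission in effective_permissions(policies, entity)


def can_read_content_item(policies: List[Policy], content: Entity, version: Entity) -> bool:
    """Content items are visible only with Read on both M.Content and M.ContentVersion."""
    assert content["definition"] == "M.Content" and version["definition"] == "M.ContentVersion"
    return is_allowed(policies, content, "Read") and is_allowed(policies, version, "Read")


# Constructed sample entities (the property names are hypothetical).
SAMPLE_ENTITIES: Dict[str, Entity] = {
    "acme_asset": {"definition": "M.Asset", "Id": 101, "Brand": "Acme",
                   "FinalLifeCycleStatus": "Approved"},
    "other_review": {"definition": "M.Asset", "Id": 102, "Brand": "Other",
                     "FinalLifeCycleStatus": "UnderReview"},
    "content": {"definition": "M.Content", "Id": 201},
    "content_version": {"definition": "M.ContentVersion", "Id": 301},
}


def build_sample_policies() -> List[Policy]:
    """Two hypothetical groups the same user belongs to; their grants simply add up."""
    marketing = Policy("Marketing", [
        # Conditioned rule: only Acme-branded assets, not the whole M.Asset definition.
        Rule("M.Asset", frozenset({"Read", "Update", "DownloadPreview"}),
             condition=lambda e: e.get("Brand") == "Acme"),
        # Read on M.Content alone does not make a content item readable (see below).
        Rule("M.Content", frozenset({"Read"})),
    ])
    reviewers = Policy("Reviewers", [
        Rule("M.Asset", frozenset({"Read", "Approve"}),
             condition=lambda e: e.get("FinalLifeCycleStatus") == "UnderReview"),
    ])
    return [marketing, reviewers]


def content_version_readers() -> Policy:
    """The extra grant that makes content items readable for the sample user."""
    return Policy("ContentVersionReaders", [Rule("M.ContentVersion", frozenset({"Read"}))])


if __name__ == "__main__":
    policies = build_sample_policies()
    for name, entity in SAMPLE_ENTITIES.items():
        print(name, sorted(effective_permissions(policies, entity)))
    c, v = SAMPLE_ENTITIES["content"], SAMPLE_ENTITIES["content_version"]
    print("content readable:", can_read_content_item(policies, c, v))
    print("content readable with M.ContentVersion Read:",
          can_read_content_item(policies + [content_version_readers()], c, v))
```

Running the block shows the two points a policy author most often gets wrong: the Acme asset picks up Read, Update and DownloadPreview from Marketing only, the asset under review picks up Read and Approve from Reviewers only, and the content item stays invisible until a rule grants Read on M.ContentVersion as well as on M.Content. There is no way to express a deny in this model, which matches the page: adding a group can only widen what the user sees.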