Permissions

A user group policy contains rules that consist of:

  • Permissions, which define access at the data level (on assets, content, or any data from another entity definition) or at the interface level (pages). They determine what a user can see or do. Permissions are defined on a target entity definition and are always positive. You cannot deny permissions using user group policies.

  • Conditions, which determine how the permissions are applied and on which entities. Using conditions, you can apply permissions to specific entities in the entity definition instead of to the entire entity definition.

Note

For further advice about assigning user permissions, refer to the Security best practices.

Permissions list

The following table describes permissions. Which permissions are available depends on the entity you select when you define the rule.

Permission

Description

Read

View any entity in the defined entity definition that fulfills the specified conditions. A user who does not have Read access on an entity is not able to see it in the user interface or in the API. For page content (asset, content, product, or any other entity) to be visible, a user must also have Read permission on these entities; otherwise, an empty page is displayed. Enabling this permission for a portal page allows the user to open the page. For content items, the Read permission must be granted for both M.ContentVersion and M.Content.

Create

Create new entities that correspond to the defined entity definition and fulfill the specified conditions.

Update

Modify existing entities that correspond to the defined entity definition and fulfill the specified conditions. The Update permission is validated against the current and future state of an asset. This means, for example, that a user who has the Update permission for the condition M.AssetType: Poster but not for M.AssetType: Artwork cannot update an asset from Poster to Artwork. The Update permission must be granted for both conditions.

Delete

Delete existing entities that correspond to the defined entity definition and fulfill the specified conditions.

Lock

Lock the original version of an asset when a draft version is created.

UnlockAlways

Unlock the original asset after the changes are published and the draft is deleted.

Submit

Submit assets that fulfill the specified conditions for review. This permission does not grant state flow permissions when transitioning from one state to another.

DirectPublish

Submit assets that fulfill the specified conditions directly and skip the approval workflow steps.

Approve

Approve assets that are under review and fulfill the specified conditions.

DownloadOriginal

Download the original rendition file for assets that fulfill the specified conditions.

DownloadPreview

Download a preview rendition file for assets that fulfill the specified conditions.

RequestRestricted

Download restricted assets. Restricted assets are assets that are protected by digital rights management (DRM). A download is permitted only for users who are assigned this permission, and only after verifying that the intended use that the user declares matches the usage right of the asset.

Order

Create a download order from any search result set.

OrderRestricted

Download restricted assets, including when the intended use is not approved. Restricted assets are assets that are protected by DRM. When the intended use that the user declares does not match the usage right of the asset, a download is permitted only for users with this permission.

CreatePublicLinks

Create public links for assets that fulfill the specified conditions.

ReadPublicLinks

View asset public links.

ContentPublishing

Publish content to the delivery API.

CreateAnnotations

Add annotations to entities.

ReadAnnotations

Read annotations on entities.

CreateDraft

Create a draft of an approved entity in order to apply changes. This is useful, for example, when a user does not have Update permissions on entities but needs to be able to create a draft with changes to be validated and implemented. CreateDraft applies to digital content and not to digital assets, and only to entity definitions that have the draft functionality enabled.

Archive

Archive assets that fulfill the specified conditions. This permission does not give access to the archived assets. For this, you must assign Read permission on the FinalLifeCycleStatus entity definition.

ViewNotWatermarked

See any rendition of an asset that fulfills the specified conditions without watermarks.

ViewFileHistory

View asset alternative files.

ViewDataHistory

View the Technical log of the Entity History component.

CreateDiscussion

Create comments on entity details pages.

Reassign

Reassign project tasks.

EntityPrint

Generate a PDF from single or multiple entities based on a predefined print template.

CreateUserRendition

Create and configure renditions for an asset.

DownloadUserRendition

Download asset renditions.

ShareViaEmail

Share assets using emails.

ContentVersionHistoryConfiguration

Use the View version history operation for content. Available as an M.Setting entity in the M.Builtin.CMP.Everyone user group policies.

AllowEmptyOnDirectLinksUpdate

Controls whether Write permissions are matched when entity links are empty. By default, this flag is set to true, meaning that Write permissions will not be granted if the links are empty. Users with the ModifyPolicies privilege can disable this flag for specific policy rules via the REST API if needed.

Note

You do not need specific permissions to download preview and thumbnail renditions.
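The Update and Read rows of the permissions list describe two checks that are easy to misjudge when reviewing a policy: Update is validated against the current and the future state, and content items need Read on two entity definitions. The following Python model is an added example, not Content Hub code or its API; the names Rule, granted, can_update and can_read_content, the property-to-value form of the conditions, and the sample policy are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    """One policy rule: positive permissions on a definition, narrowed by conditions."""
    definition: str                    # target entity definition, e.g. "M.Asset"
    permissions: set                   # grants only; a rule can never deny
    conditions: dict = field(default_factory=dict)  # property -> allowed values

    def matches(self, entity: dict) -> bool:
        if entity["definition"] != self.definition:
            return False
        # No conditions means the rule covers the entire entity definition.
        return all(entity.get(p) in allowed for p, allowed in self.conditions.items())

def granted(rules, entity):
    """Union of the permissions of every rule whose conditions the entity fulfills."""
    perms = set()
    for rule in rules:
        if rule.matches(entity):
            perms |= rule.permissions
    return perms

def can_update(rules, current, changes):
    """Update must hold for the entity as it is now AND as it would be after the change."""
    future = {**current, **changes}
    return "Update" in granted(rules, current) and "Update" in granted(rules, future)

def can_read_content(rules, content, version):
    """Content items need Read on both M.Content and M.ContentVersion."""
    return "Read" in granted(rules, content) and "Read" in granted(rules, version)

# Constructed sample policy: Update on posters, Read-only on artwork.
POLICY = [
    Rule("M.Asset", {"Read", "Update"}, {"M.AssetType": {"Poster"}}),
    Rule("M.Asset", {"Read"}, {"M.AssetType": {"Artwork"}}),
    Rule("M.Content", {"Read"}),
]
POSTER = {"definition": "M.Asset", "M.AssetType": "Poster", "Title": "Spring sale"}

if __name__ == "__main__":
    print(can_update(POLICY, POSTER, {"Title": "Summer sale"}))      # stays a Poster
    print(can_update(POLICY, POSTER, {"M.AssetType": "Artwork"}))    # Poster -> Artwork
    fixed = POLICY + [Rule("M.Asset", {"Update"}, {"M.AssetType": {"Artwork"}})]
    print(can_update(fixed, POSTER, {"M.AssetType": "Artwork"}))
    print(can_read_content(POLICY, {"definition": "M.Content"},
                           {"definition": "M.ContentVersion"}))      # no rule on versions
```

Because permissions are always positive, the effective rights of a user are the union over every matching rule in every group policy, so a review has to look at all rules together rather than at one rule in isolation.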

Permissions by operation

The following table lists Content Hub operations with the permissions required to use them.

Operation

Permissions required

Add new version button to upload new file or new thumbnail

  • Read

  • Create

  • Update

To have a new version button and to be able to upload a new version or an alternative thumbnail, these permissions must be configured on the M.Asset and the M.File entity definitions.

Annotations

  • CreateAnnotations

  • ReadAnnotations

Custom renditions

  • DownloadOriginal

  • CreateUserRendition

Delete

  • Delete

Detach from original

  • Update to save a variant as a standalone entity.

Downloads

  • DownloadOriginal

  • DownloadPreview

Drafts

  • CreateDraft

  • Delete to discard a draft

Duplicate

  • Create

Localize

  • Create to adapt content or campaigns to a defined language.

Preview (without watermark)

  • DownloadPreview

  • ViewNotWatermarked

Restore archived asset

  • Update for assets in the Approved lifecycle state.

  • Archive

Save as new

  • Update

  • CreateDraft to save an entity as a new version.

Share (through email)

  • ShareViaEmail

Stateflows

  • Update on the target entity.

  • Reassign for task assignment.

User renditions

  • CreateUserRendition

  • DownloadUserRendition
