Access rights management defines how users can interact with content and folders.
For content, there are three different access rights (ACL):
- Read: user can view content
- Write: user can edit and delete content
- Share: user can distribute content
Those rights can be assigned both to users and groups.
“Read” is mandatory to provide write or share access: there can be no write nor share access level if there is no read access level.
Content owner will always have full access rights (read+write+share).
Common actions associated with access rights:
- Read: user can view content in lists and can access the content’s Information tab
- Write: user can update content metadata, delete content, re-upload content, change thumbnail and other minor edits.
- Share: user can update content’s shareboard and can download the source file.
Access to a content's "History" requires full access rights (r+w+s).
NOTE: If the specific property "Allow users to download this content" (which can be found in the "Attachments" tab of each content) is enabled, the read access right is sufficient to download the original file, since it will be available in the attachments section. Please remember that, for security reasons, the original file can be downloaded as an attachment only within THRON Dashboard. If you wish to distribute the original file outside THRON Dashboard (which is not recommended), you will have to use a specific web service, as illustrated in this article.
A specific content can be “flagged” (by setting to "true" a specific flag located in the content's Shareboard) so that it can be linked to other content. Please be aware that this is a very specific access right: when a content is linked to another, it can be opened from the “recommended content” or “attachments” sections, which are part of THRON player. Currently, Playlists cannot be linked to other content since they already represent an aggregation of different content.
Folders' access rights are structured on two different levels. The first level covers the access rights applied to content within the folder; the second level covers the access rights on the folder itself, hence the ability to manage it.
The following scheme summarises the different access rights that can be managed on a folder.
Content (published in folder) access rights:
- Read: Users, groups or applications can see the content within the folder. This access right implies the visibility of the folder itself and of all its parent folders (but not necessarily their content).
- Write: Users and groups can edit content within the specific folder. This access right does not allow users to publish content within the folder.
- Share: Users and groups can share content which has been published within the specific folder. It is worth reminding that content sharing in different modes (as indicated here) is subject to the specific user's permissions.
Folder access rights:
- Folder management:
  - Users and groups with this access right can edit the folder's basic information (title and prettyId).
  - Users with this access right combined with the permission to create public folders can create subfolders on any level within the folder's tree.
  - Users with this access right and with the permission to publish content into folders can publish content within the specific folder and remove content from the folder itself.
- Users management:
  - Users and groups with this access right can add new users/groups to the folder's access list and set their access rights.
  - Each user cannot give more access rights than those he owns on the folder.
  - The owner always has full rights on its folders and can never be removed.
  - It is not possible to edit the rights of users for which you do not have visibility.
Some behaviors to be considered are:
All access rights illustrated above are always inherited by the subfolders, but it is still possible to add access rights (never remove) starting from a certain level in the folder's tree: such rights will be propagated to all subfolders starting from that specific level. For example, you can have a department manager who accesses the content of the main folder "Departments" in read-only mode, while he accesses the content of the subfolder related to his department with full access rights. It is worth reminding that, if access rights are modified on a folder (regardless of its position in the folder's tree), such rights will be inherited by ALL its subfolders, regardless of the set of access rights in place up to that moment.
As described before, a user/group or an application which has been added to a subfolder will automatically see its parent folders too, but not the content published in them, unless it has been specifically provided with the proper access right on each folder.
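The inheritance rules above can be checked with a small model. This is an added example, not THRON code or its API: the `Folder` class and the function names are hypothetical, only content rights (read/write/share) are modelled, and the requirement to hold the "Users management" right before granting is left out.

```python
from dataclasses import dataclass, field

READ, WRITE, SHARE = "read", "write", "share"

@dataclass(eq=False)
class Folder:
    name: str
    owner: str                                    # owner always has full rights
    parent: "Folder | None" = field(default=None, repr=False)
    grants: dict = field(default_factory=dict)    # principal -> rights added at this level
    children: list = field(default_factory=list)

    def add_child(self, name):
        child = Folder(name, self.owner, parent=self)
        self.children.append(child)
        return child

def content_rights(folder, principal):
    """Rights on content in `folder`: what was added here plus everything inherited."""
    if principal == folder.owner:
        return {READ, WRITE, SHARE}
    rights, node = set(), folder
    while node is not None:                       # walk up: rights are only ever added
        rights |= node.grants.get(principal, set())
        node = node.parent
    return rights

def folder_visible(folder, principal):
    """Read access in a subfolder makes every parent folder visible (not its content)."""
    return READ in content_rights(folder, principal) or any(
        folder_visible(child, principal) for child in folder.children)

def grant(folder, grantor, principal, rights):
    """Add rights at `folder`, enforcing the two constraints stated on the page."""
    rights = set(rights)
    total = content_rights(folder, principal) | rights
    if total & {WRITE, SHARE} and READ not in total:
        raise ValueError("write/share cannot exist without read")
    if not rights <= content_rights(folder, grantor):
        raise PermissionError("cannot give more rights than the grantor owns")
    folder.grants.setdefault(principal, set()).update(rights)

if __name__ == "__main__":
    # Constructed sample tree: the department manager case from the text.
    root = Folder("Departments", owner="admin")
    sales = root.add_child("Sales")
    grant(root, "admin", "manager", {READ})
    grant(sales, "admin", "manager", {WRITE, SHARE})
    print(sorted(content_rights(root, "manager")), sorted(content_rights(sales, "manager")))
```

When reviewing a real folder tree, the same walk from a folder up to the root is a quick way to explain why a user holds a right that was never assigned on the folder being inspected.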