One of the more sophisticated features of Asset Bank is its concept of user groups and permissions. The idea is that you can set up groups of users in the system and define a number of permissions rules and other settings specifically for that group.
One of the most powerful elements of this is using folders to define permissions. For example you could define a user group that is allowed to both upload and download assets in the system intended for internal members of staff in your organisation. Additionally you can create a user group that can only view assets in the system (i.e. they have no download or upload permissions), which could be intended for external clients or members of the public.
The scope of this functionality goes further, you can define which categories a user group can edit and also which attributes a user can see against the asset.
Working with Groups
To view the Groups page, click on the 'Groups' link in the Admin menu.
Every Asset Bank starts by default with two groups already set up:
- *Logged-in users - Any user that logs into the application falls into this group, be they an admin user or normal user.
- *Public - Any user on the site whether they are logged in or not falls into this group. So if a user has logged in he will be in both the *Public group and the *Logged-in users group.
These default groups are displayed with an asterisk to indicate that they are special system groups that cannot be deleted. You can reorder groups by dragging them to your preferred position in the list. Alternatively you can click 'alphabetise groups' to quickly put the groups in alphabetical order. The order on the group management page will affect how groups appear in lists and drop downs throughout the application.
Adding new groups
Click 'Add a group' to add a new group. This will take you to the Add Group page where you can specify the properties of your new group.
- Name (required field) - the name of your new group.
- Description - a short description of your new group.
- Maximum downloads - specify how many downloads users within this group are allowed per a certain period (leave this blank or set to 0 for unlimited daily/hourly downloads). Please note: For users who belong in multiple groups, the most permissive restrictions will apply.
- Max download height - specify the maximum height of an image that users in this group are allowed to download (leave blank for unlimited).
- Max download width - specify the maximum width of an image that users in this group are allowed to download (leave blank for unlimited).
- Users can email assets - if ticked, users in this group will get the option to send assets as an email when downloading.
- Users can view larger size - if ticked, users will see the 'view larger size' or 'view full size' links when viewing the detail page of an image.
- Users can publish assetbox - if assetbox publishing is enabled on the Asset Bank then this tick box allows you to control whether a user can publish their assetbox. Users will only be denied assetbox publishing if all their groups have this box unticked.
- Editors can only edit their own files -if ticked, users with edit permissions are restricted to only editing assets that they have uploaded to the system themselves.
- Users can export assets: if ticked, users in this group have permission to export assets and their metadata .
Users can select group on registration - if ticked, this group will be displayed on the registration page for users to select it. If users are manually approved then the admin user can choose whether to allow them to join the requested group(s) or not. If user approval is disabled then users will automatically become a member of the selected group(s).
Two settings control this behaviour. The following setting determines if a user can select only one or more than one group during registration
can-select-multiple-groups-on-registrationAnd the following setting determines whether or not group selection is mandatory on registration.
- IP Mappings - if you enter one or more IP addresses in here then any user accessing the system who is coming from one of these IP addresses will automatically inherit the permissions of this group without having to log in. A common use for this is specifying your own companys IP address so that your employees will have the same permissions and access to the same assets of, say, the *Logged-in Users group without having to actually log in.
- URL Mappings - if you enter a URL mapping a special link can be used to automatically give users the permissions of the group without having to log in. Please see the knowledge base article: Assigning users the permissions of a group using a URL for instructions to enable this functionality and for further information on using it.
- Advanced viewing of unapproved assets - If the advanced-viewing-enabled setting is true then this option will allow members of this group to see unnapproved assets that have also been ticked as 'advanced viewing' (still subject to the permissions of the folders that the asset is in).
- Homepage - Custom content pages or custom internal links (i.e. to pages within Asset Bank) which are added via Admin -> Content -> Menu Items will appear in this drop down. Users who are members of that group will be redirected to the selected page on login instead of the default Asset Bank homepage. Leave this as 'Default' if you want the uses to be directed to the standard Asset Bank homepage.
- Remote Group(s) - If your Asset Bank is configured to integrate with SAML SSO or an LDAP server then you can enter the "remote group" names or DN (Distinguished Name) of an LDAP group. When a new user is added to Asset Bank from the SAML Identity Provider or the LDAP server then, if that user is a member of a remote group that is specified in one of Asset Bank's groups then the user will be added to the Asset Bank group automatically.
It is possible to change the default behaviour of displaying all menu items to new groups by default.
Once you have added the new group it will show in the list of groups on the Groups page. Alongside it will be a list of possible actions you can perform::
- Edit - rename the group or change some of its basic settings.
- Folder Permissions - configure folder permissions for this group.
- Categories - specify what categories users can edit.
- Attribute Exclusions - exclude access to assets depending on their attributes.
- Attribute Visibility - control which attributes are visible for users in the current group.
- Filter Exclusions - exclude certain filters from being accessible for users in the group.
- Usage Exclusions - select usage types that will not be visible to users in this group.
- Asset Type Visibility - control which asset types users are able to upload to.
- Permissions - assign limited admin permissions to users within this group.
- Workflows - control the workflow states that approval groups can approve assets at.
- Remove all users - clicking this will remove all users from the group. Note: this will only disassociate the users from this group it will not remove them from the system.