Roles and asset groups are the primary mechanisms for securing assets within Acquia DAM. They govern who has what kind of access to which assets.

As a DAM admin, you'll assign all users into one or more roles. A role represents a group of users that have the same access to assets. You'll assign specific permissions to each role.

You'll also assign assets into one or more asset groups. An asset group is a combination of assets that share common permissions. Users interact with assets based on asset group permissions.

Determining roles and asset groups

To get started with determining user roles and the assets groups in which assets should be included, we recommend drawing out your asset groups and roles, then adding them to your DAM site. To get started with determining asset groups and roles you'll need:

• Create a list of names of users in your organization who will access the site. Consider individuals who have emailed to request logos and marketing materials.
• Create a list of assets that are included in the site. Types of assets could be press guidelines, logos, department pictures, sales brochures, or promotional videos. Consider assets that are often requested by colleagues or vendors and if those assets are used in certain documents.
• Create a list of asset groups based on the types of assets and how users will access them. Some people may need access to everything, such as downloading or editing. Others, such as partner companies or agencies, may only need to browse for assets.
• Create a list of roles for users. To determine the roles that need to be created, consider the users and how they are alike in regards to the types of assets they will need to access. A variety of roles can be set up depending on which users will access the site.
• Assign assets into asset groups based on the type of asset. Draw arrows from asset names to appropriate asset groups.
• Assign users to roles. Draw arrows from user names to role types.
• Assign roles to asset groups. Draw arrows from asset groups to appropriate roles.

Here's an example of how to determine user roles and groups for assets:

Role and asset group security

Security can be easily achieved in the DAM. The security model is comprised of two elements: roles and asset groups. Security is placed on roles (i.e., groups of users) and on groups of assets. Each role can have different levels of access to assets in an asset group. One role may have permission to order assets from an asset group, and a different role may have permission to order and edit metadata for the assets in the same asset group.

This table provides examples of ways asset groups and roles can be set up.
 

In the example above, asset admins have permission to edit metadata, order, upload, and view all assets in all asset groups. General users have permission to order and view assets only for the Public assets group. Video vendors have permission to order, view, and upload assets only for the Video assets group.

 

Cumulative permissions

Assets can be assigned into more than one asset group, similar to how users can be assigned into more than one role. When an asset is assigned to multiple asset groups, users will have access to the asset if they have permission to view at least one of the asset groups the asset is assigned to, even if they don’t have access to any of the other asset groups. This allows the DAM's security model to be flexible.
 

In the example above, Product_A.mpg has cumulative permissions. Although general users cannot see assets in the Video assets group, they can see this asset because it is also in the Public assets group.

In the cumulative permissions example:

• Asset admins can edit metadata, order, and view all of the assets since they have permission to view all of the asset groups.
• General users can order and view Photo_1 and Product_A.mpg because they have permission to order and view all assets in the Public assets asset group regardless of whether or not they are in any other asset group.
• Video vendors can order, upload, and view Product_A.mpg and Product_B.wmv because they have permission to order, upload, and view all assets in the Video assets group regardless of whether they are in any other asset group.