--- title: "How do I determine roles and asset groups?" date: "2025-01-09T14:13:31+00:00" summary: image: type: "page" url: "/acquia-dam/how-do-i-determine-roles-and-asset-groups" id: "345b731c-4d6d-4600-bab4-576be6926b39" --- Table of contents will be added [Roles](How-do-I-create-roles) and [asset groups](/acquia-dam/how-do-asset-groups-and-asset-categories-differ "How do asset groups and asset categories differ?") are the primary mechanisms for securing assets within Acquia DAM. They govern who has what kind of access to which assets. As a DAM admin, you'll assign all users into one or more roles. A role represents a group of users that have the same access to assets. You'll assign specific [permissions](What-does-each-permission-mean) to each role. You'll also assign assets into one or more asset groups. An asset group is a combination of assets that share common permissions. Users interact with assets based on [asset group permissions](What-are-asset-group-permissions). Determining roles and asset groups ---------------------------------- To get started with determining user roles and the assets groups in which assets should be included, we recommend drawing out your asset groups and roles, then adding them to your DAM site. To get started with determining asset groups and roles you'll need: 1. Create a list of names of users in your organization who will access the site. Consider individuals who have emailed to request logos and marketing materials. 2. Create a list of assets that are included in the site. Types of assets could be press guidelines, logos, department pictures, sales brochures, or promotional videos. Consider assets that are often requested by colleagues or vendors and if those assets are used in certain documents. 3. Create a list of asset groups based on the types of assets and how users will access them. Some people may need access to everything, such as downloading or editing. Others, such as partner companies or agencies, may only need to browse for assets. 4. Create a list of roles for users. To determine the roles that need to be created, consider the users and how they are alike in regards to the types of assets they will need to access. A variety of roles can be set up depending on which users will access the site. 5. Assign assets into asset groups based on the type of asset. Draw arrows from asset names to appropriate asset groups. 6. Assign users to roles. Draw arrows from user names to role types. 7. Assign roles to asset groups. Draw arrows from asset groups to appropriate roles. Here's an example of how to determine user roles and groups for assets: ![User-added image](https://acquia.widen.net/content/780c9407-cc17-4ec5-881e-2a33c001cca1/web/ka0Pb0000006pmD00N6g00000WDN1a0EM6g000005Lvqv.png) Role and asset group security ----------------------------- Security can be easily achieved in the DAM. The security model is comprised of two elements: roles and asset groups. Security is placed on roles (i.e., groups of users) and on groups of assets. Each role can have different levels of access to assets in an asset group. One role may have permission to order assets from an asset group, and a different role may have permission to order and edit metadata for the assets in the same asset group. This table provides examples of ways asset groups and roles can be set up.   Example Role/Asset Group Security Setup **Roles (user groups)** **Asset groups** **Security permissions** Asset administrators Public assets Product photos Video assets Restricted assets Edit metadata Order View Upload General users Public assets Order View Video vendors Video assets Order View Upload In the example above, asset admins have permission to edit metadata, order, upload, and view all assets in all asset groups. General users have permission to order and view assets only for the Public assets group. Video vendors have permission to order, view, and upload assets only for the Video assets group. Cumulative permissions ---------------------- Assets can be assigned into more than one asset group, similar to how users can be assigned into more than one role. When an asset is assigned to multiple asset groups, users will have access to the asset if they have permission to view at least one of the asset groups the asset is assigned to, even if they don’t have access to any of the other asset groups. This allows the DAM's security model to be flexible.   **Cumulative Permissions Examples** **Asset filenames** **Asset group permissions** Photo\_1 Public assets Product\_A.mpg Public assets Product\_C Restricted product photos Product\_D Restricted product photos Product\_A.mpg Video assets Product\_B.wmv Video assets In the example above, Product\_A.mpg has cumulative permissions. Although general users cannot see assets in the Video assets group, they can see this asset because it is also in the Public assets group. In the cumulative permissions example: * Asset admins can edit metadata, order, and view all of the assets since they have permission to view all of the asset groups. * General users can order and view Photo\_1 and Product\_A.mpg because they have permission to order and view all assets in the Public assets asset group regardless of whether or not they are in any other asset group. * Video vendors can order, upload, and view Product\_A.mpg and Product\_B.wmv because they have permission to order, upload, and view all assets in the Video assets group regardless of whether they are in any other asset group.