Assigning permissions to media libraries

Please note

Due to the ASP.NET architecture, a site restart occurs when:

  • a media library is deleted
  • a group containing a media library is deleted
  • one of the following actions is performed when editing a library in the Media libraries application or on the live site:
  • a folder is deleted
  • a folder is renamed
  • a folder is moved
  • a large number of files is deleted (100 by default, this can be set in the <system.web> section of your web.config by the following key: <compilation debug="true" numRecompilesBeforeAppRestart="100">)

A recommended solution is to restrict the number of users allowed to perform these actions to the minimum. For example, let site administrators pre-define the folder structure of media libraries when they are created. Do not allow further modification of the structure by regular users.

The permission model built around the Media libraries application allows you to configure access to the application and the media libraries defined within. See the following sections for details:

Creating a role to manage media libraries

This section explains how to create a role in the system and assign users to it. If you already know how to create roles in the system, you can skip this section and move to Configuring permissions for the Media libraries application.

  1. Open the Roles application.
  2. Click New role.
  3. Fill in the Role display name and Role description fields, for example:
    Creating a new role
  4. Save the role.

The General tab of the role that you just created opens.

Assigning users to a role

  1. Switch to the Users tab.
  2. Click on Add users. The Select users dialog opens.
  3. Select the check box next to the users that you wish to assign.
  4. Save & Close the dialog.

Now that you created the role and assigned users to it, you can set its permissions.

Users assigned to a role

Configuring permissions for the Media libraries application

This section explains how to configure permissions related to the Media libraries application. 

  1. Open the Permissions application.
  2. In the Site drop-down list, select the site for which you wish to configure media library permissions.
  3. In Permissions for select Module and Media libraries.
  4. Grant required permissions to the site's roles.
    • Read – allows users to access the Media libraries application and view the content of media libraries.

    • Manage – allows users to create, configure, and delete media libraries. Also allows them to manipulate media files in all of the site's media libraries.

    • Destroy – allows users to delete media file version history, provided object versioning for media files is enabled.  

Permissions for individual media libraries

Module-level permissions grant access to the Media libraries application and all media libraries it contains. If you wish to provide a more restrictive permission model for your site, individual media libraries allow you to configure permissions per file operation. Note, however, that all roles need to at least have the Read permission to access the Media libraries application.

Configuring media library permissions

Media library permissions offer a more granular alternative to global Media library application-level permissions (granted via the Permissions application). For example, if a role has the Manage permission granted to it via the Permissions application, all users belonging to that role can freely manipulate media files across all media libraries on a given site. This can be offset by configuring permissions for specific file operations (create, update, delete) per media library instead.

  1. Open the Media libraries application.
  2. Edit () the Media library you wish to configure.
  3. Switch to the Security tab.
  4. Set permissions for the Create file, Create folder, Delete file, Delete folder, Modify file, Modify folder, and See library content actions according to your requirements.
    • Nobody – no one but global administrators or users with the Manage permission for the Media libraries module can perform the corresponding action. By default, all newly created media libraries use this permission level for every action.
    • All users – everyone can perform the corresponding action.
    • Authenticated users – all signed-in users can perform the corresponding action.
    • Authorized roles – users belonging to allowed roles or with the Manage permission for the Media libraries module can perform the corresponding action. A list of all roles available for the current site is listed in a separate matrix underneath.
      Configuring media library permissions

Configuring group media library permissions

Groups have roles separate from the rest of the system. If you want to set group media library permissions for group roles, create a group role first, as described in Working with groups.

  1. Open the Groups application.
  2. Edit () the group in which you want to modify the media library.
  3. Switch to the Media libraries tab.
  4. Edit () the media library for which you wish to configure permissions.
  5. Switch to the Security tab.
  6. Configure permissions for the website according to your requirements.
    • Nobody – no one but global administrators or users with the Manage permission for the Media libraries module can perform the corresponding action.
    • All users – everyone can perform the corresponding action.
    • Authenticated users – all signed-in users can perform the corresponding action.
    • Group members – users belonging to the group or with the Manage permission for the Media libraries module can perform the corresponding action.
    • Authorized roles – users belonging to allowed roles or with the Manage permission for the Media libraries module can perform the corresponding action. A list of all roles available for the current site is listed in a separate matrix underneath. 

Permissions Grid

The following table shows which permissions need to be assigned to allow users to perform particular actions. Users with the Global administrator privilege level can perform all of these actions for all general and group media libraries on the site. Group administrators can perform all of these actions for group media libraries of groups where they are group administrators.

Action/Permission


FileFolder

ReadManage
CreateDeleteModifyCreateDeleteModifySee library content
Files









upload or import
(tick)or(tick)





modify file properties
(tick)or

(tick)



delete
(tick)or
(tick)




copy
(tick)or(tick)





move
(tick)or

(tick)



Folders









create
(tick)or


(tick)


rename
(tick)or




(tick)
delete
(tick)or



(tick)

copy
(tick)or


(tick)


move
(tick)or




(tick)
Administration









Access the Media library application(tick)
or






Modify media library properties and content
(tick)or






Live site administration









Access the Media library application(tick)
or






Modify media library properties and content
(tick)or






Live site









See and browse library content (Media gallery web part)(tick)
or





(tick)
Upload file (Media file uploader web part)
(tick)or(tick)





By default, Kentico does not check the See library content permission for visitors on the live site. To force the system to check this permission, you need to enable the following settings in the Content -> Media category of the Settings application:

  • Use permanent URLs
  • Check file permissions

Was this page helpful?