How Do Folder Access Rights Work?
Author: David Klanac
Folder access rights can be a source of confusion for new users to the CMS. Similar to any system that attempts to find a balance between simplicity and complexity, the CMS implements an access rights approach that attempts to address the many contingencies that can arise with designing a permissions scheme for an organization's managed assets.
Cascade Server currently makes use of Unix-style access rights with folder assets which means that there is no way to configure access for separate groups on one folder asset. Each folder may only permit access for one group, a single user, or all users.
For example, suppose there are three groups within the system that require separate permissions policies from one another. Group A needs full read and write access while Group B simply requires read access and Group C needs to be completely locked out of the folder. Access rights in the CMS would allow Group A to edit/copy existing assets as well as create new ones that will reside in the folder, which can be achieved by choosing "Group A" from the "Group" field dropdown list in the Access dialog for the folder and selecting the "Edit/New" radio button. In terms of satisfying the granular requirements for Group B and Group C, an administrator must accept a current limitation with folder access rights. An administrator cannot assign read-only access to an additional group and also lock out another group when specific group access has already been configured as is the case with Group A. Both groups will either need to accept read-only access or both be locked out of the folder since the only other option that the administrator has is to configure the "All Users" field which allows for any user, regardless of their group, to either edit/create, read, or have no access to the folder assets.
The likely decision for Group B and Group C is to permit read access for all users since this will naturally apply to both groups. Although it is not ideal, read access still provides a security measure against unauthorized edits to folder assets by Group B or Group C, since Group A is the only group of users who may create, read, update, or delete assets.