The CELUM Content permission system

These three principles for permissions allow CELUM Content to represent your organization's real-world employee hierarchy and privileges in a highly granular and efficient way.

General user types

In the CELUM Content help, users with different permission levels are simplified in four types who have access to different functions:

Read-only: A read-only user can only have the most limited set of global user permissions. Read-only users can never upload, create, move, or edit assets or nodes and their metadata, independent of their local role permissions.
Editor: An editor user can have a more extensive set of global user permissions. The only global permissions which cannot be granted to editor users are administrative permissions, like user, system task, or content type permission management.
Administrator: An administrator can do almost anything within the system, including uploading, moving, and editing assets and nodes or their metadata. All role-based permissions take effect for administrators.
Super-Administrator: A super-administrator is an administrator with the additional "Super-Administrator" global user permission. This permission automatically grants all other global permissions and allows a super-administrator to see, download, edit, move, and delete all nodes and assets in the system, independent of the local role-based permissions.

Which global permissions are there?

Global permissions manage access to global functions which are only assigned to the user and are not tied to any specific object.

Upload assets: Allows you to upload assets or asset versions to the system.	Manage Content Type Permissions: Allows you to set "View" and "Use" permissions for node types.
View expired assets: Allows you to view assets whose validity date has expired.	Manage System Tasks: Allows you to execute system tasks, for example for system cleanup or asset imports.
Edit expired assets: Allows you to edit metadata of assets whose validity date has expired.	Change Password: Allows you to change your own user password.
Download expired assets: Allows you to download assets whose validity date has expired.	Users and User Groups: Allows you to add, restructure, or remove users and user groups.
Administer PINs from other users: Allows you to edit PIN Links from other users.	Super-Administrator: Allows you to access every feature in the system and override local permissions on nodes.

Upload assets: Allows you to upload assets or asset versions to the system.	Manage Content Type Permissions: Allows you to set "View" and "Use" permissions for node types.
View expired assets: Allows you to view assets whose validity date has expired.	Manage System Tasks: Allows you to execute system tasks, for example for system cleanup or asset imports.
Edit expired assets: Allows you to edit metadata of assets whose validity date has expired.	Change Password: Allows you to change your own user password.
Download expired assets: Allows you to download assets whose validity date has expired.	Users and User Groups: Allows you to add, restructure, or remove users and user groups.
Administer PINs from other users: Allows you to edit PIN Links from other users.	Super-Administrator: Allows you to access every feature in the system and override local permissions on nodes.

Not all of these global permissions can be set for every user. CELUM Content users have specific technical types. These technical types automatically restrict some of the global permissions. Find out how the technical user type influences the global permissions in the Administrator Guide in the Customer Knowledge Base.

Content type permissions

A special case of global permissions are content type permissions, i.e. the permission to view or use a specific main view tab (both for node types and for other functions) or asset type. These permissions are tied to the specific asset type or main view tab and assigned to users.

Main view tab permissions are not granted by default

Users can't see any of the main view tabs in the application by default. A power user must explicitly grant them the permissions for each main view tab that they want to see.

Which local role-based permissions are there?

Roles only manage access to actions which users can execute on specific objects in the system. They are tied to a specific object and assigned to users on each object.

For nodes, any role can define access to the following actions: View: The ability to view a specific node and/or its sub-nodes.	For assets within permission-defining nodes, any role can define access to the following actions: View: The ability to view an asset.
Manage Role Assignment: The ability to assign roles to users on a specific node.	Versions: The ability to manage or add asset versions.
Add/Delete/Move node: The ability to add, delete, or move the current node and/or its sub-nodes.	Security Context: The ability to add an asset to another node with different local permissions.
Add/Delete/Move asset: The ability to add, delete, or move assets to or from the current node and/or its sub-nodes.	PIN: The ability to create, update, or delete PIN Links on the asset. The ability to edit the asset's name and availability.
Use in Information Fields: The ability to reference the current node in node-referencing information fields.	The ability to edit the asset's metadata, down to field level.
Manage Own PIN: The ability to create, update, or delete PIN Links on the current node and/or its sub-nodes.	Download Formats: The ability to download a given asset in a specific download format.
The ability to edit the node's name, validation level, and icon. The ability to edit the node's metadata, down to field level.	Original Download: The ability to download an asset of a specific file type in its original format. You can restrict the original download to specific file extensions.