ImageKit's Digital Asset Management solution allows you to organize, manage, and share your assets in files and folders. Using Media Collections, you can create virtual groups of assets regardless of their current location in the DAM. This provides a simple way for users to share and collaborate on those assets.
ImageKit allows you to set access and permission levels for each user on your assets as per your organization's needs. Based on your business requirements, you can decide which assets a user can access and what actions they can perform on them.
Access and permission management
A new Media Library Restricted Access user will see an empty Media Library under the "Shared with me" section until any files, folders, or media collections are shared with them.
ImageKit allows granular access control on media collections, files, and folders (and therefore their subfolders and files) with selected restricted access users or user groups with different permissions ranging from view-only to manage access.
The account administrator is responsible for setting up the file and folder hierarchy and assigning appropriate permission levels across users and user groups.
If you can grant a user or a user group "Manage" access to the assets, they would have access to share files, folders, and media collections with other user groups or particular users with any access level. This means that more users would end up with access to assets than what you initially added. Elevated permission levels also allow users to delete resources or carry out other such destructive actions on them.
Users with the following roles or permissions can share assets and media collections with restricted media library users and user groups:
- Account administrator
- Developer
- Media library full access
- Media library restricted access with "Can manage" permission on an asset
How to share assets and media collections?
You can share files, folders, and media collections with other restricted media library users and user groups as given below.
To share an asset or media collection, click the "Share" button in the dropdown menu after selecting it. A popup will appear, allowing you to select the users and user groups and specify their access level under the "User & user groups" tab. You may also view, change, or remove the permissions of existing users and user groups with access to the asset or collection. You can also see the media collections to which the selected asset has been added by clicking on the "Media collection associations" tab in this popup.
This document only covers sharing files with users and user groups already added to your ImageKit DAM. However, you can also share them with users who are not part of your ImageKit DAM by generating a public link. We have covered Public links separately.
Understanding access to assets and media collections
Access control and permissions can only be managed for Media Library Restricted Access users.
They can only perform actions on files and folders that are shared with them based on their permission levels. However, such users can create new media collections.
An asset or media collection can be shared with users in the following ways:
Sharing with users A user can be given access to any asset or media collection. This is useful when giving certain users access to specific resources with appropriate permission levels.
Sharing with user groups We usually work as teams; for most requirements, the entire team needs the same access and permissions on assets. You can streamline your workflow by creating user groups with all relevant users and then sharing the assets or media collection with the user group, granting access to all associated users in one go.
By asset or media collection ownership A user who creates a file, folder, or media collection owns that resource, and has the "Can manage" permission on it.
For example, if a user creates a folder, they can perform all operations that "Can manage" permission level allows on the folder and all the assets inside it. Even if you revoke the access through which they could create the folder in that directory, they would still have the same access to the folder they created and any subfolders and files inside it.
Understanding how a user's role change affects access
When a user's role is changed from "Media Library Restricted Access" to some other role or when any such user is deleted, they are removed from the user group. If their role is changed back to "Media Library Restricted Access", they would still have access to all the assets and media collections that were previously individually shared with them. However, they won't be added back to any of the user groups they were previously added to.
Understanding how deleting user groups affects access
When a user group is deleted, users lose access to any files, folders, or media collections they had access to through the group unless it was shared with them directly.
Recommended workflow
It is important to plan out your DAM workflow carefully. Your media collections, folders, and files should be organised such that your team members have appropriate access and permissions to the right resources.
To help you establish your workflow, we recommend the following steps:
Define your teams. Consider the various teams in your organization. Do you, for example, have a design, marketing, sales, and technology team? This lets you think about different teams and what permission and access they will need in the next step. Once you have determined that, you can add them to their respective user groups.
Organize your assets, folders, and media collections.
A very important aspect of setting up your workflow is creating the right folder structure. Remember that permissions would cascade down to its subfolders, meaning that if you grant a certain level of access to a folder, you can't restrict that access from any of its subfolders or files.
Create separate folders for each team (or user) in the root media library and grant appropriate permissions. Avoid deep nesting of folders, as this will increase the chances of permission escalation by mistakenly giving higher permission to some parent folders. Instead of a deep nested folder structure, use custom metadata for better organization.
You can also add individual assets and folders to a media collection and share the collection with relevant stakeholders with the proper access level. This helps organize and share a lot of scattered assets and folders from one central location.
- Share assets and media collections with your team members. Grant the appropriate level of access for each user or user group you want to share it with. Share it with an individual user if they don't have the right access to that asset via their group.
For example, the marketing team will need sufficient permission to add, remove, and modify assets in certain folders. Technology or the sales team might only need read/view permission for specific folders containing brand assets.
If you create a new user with Media Library Restricted Access, the Media Library will appear empty to them initially. They won't be able to upload assets to the Media Library either. You can share a folder with at least "Can contribute" permission so that they can start uploading files to it.
Permissions
Understanding permissions on assets and media collections
An asset can be shared with a user in different ways and with varying permission levels. The permission level on the asset would be the highest permission the user derives through all these means. For example, suppose a user is in multiple groups, and the same folder is shared with each group at different permission levels. In that case, the highest of those permission levels applies to the user for that asset.
When you share a folder, its permission level cascades down to all its subfolders and files.
A user or user group's permission level can be increased in a subfolder of a folder to which they already have access, but it cannot be lowered.
If you don't share a file and folder (or any parent of that folder) with a particular user or group by any means, those users will not be able to see that folder or the contents inside it. Even when performing a search on all folders, the results will only include folders where the user has at least view permission. Furthermore, if you don't share any folders with a particular user or user group, then those users won't have access to any assets in the Media Library.
If assets are added to a media collection, and that media collection is shared with a user or user group who otherwise do not have access to that asset, those users will still be able to take all "Can view" permission actions on the assets in that media collection. However, they won't be able to modify those assets unless they have "Can contribute" or "Can manage" permission on them.
You cannot share the Home (root) of the media library with any Media Library Restricted Access user.
File and folder permission levels
An ImageKit account user with relevant permissions can view and manage access permissions on an asset (files and folders) for restricted access users and user groups. For an asset, you can assign one of the following permission levels:
- Can view
- Can contribute
- Can manage
The table below summarises the operations that can be performed on media library assets at each permission level:
| Operation | Can view | Can contribute | Can manage |
|---|---|---|---|
| View & search assets | ✅ | ✅ | ✅ |
| View file & file version details | ✅ | ✅ | ✅ |
| Download file | ✅ | ✅ | ✅ |
| Download assets as zip | ✅ | ✅ | ✅ |
| View downloads | ✅ | ✅ | ✅ |
| View threads and comments | ✅ | ✅ | ✅ |
| Add new comment and replies | ✅ | ✅ | |
| Edit and delete own comments | ✅ | ✅ | |
| Modify own reaction on comments | ✅ | ✅ | |
| Resolve and unresolve thread | ✅ | ✅ | |
| Create new folder | ✅ | ✅ | |
| Upload file & new file version | ✅ | ✅ | |
| Restore file version | ✅ | ✅ | |
| Update custom metadata | ✅ | ✅ | |
| Edit tags | ✅ | ✅ | |
| Add auto tags (extension) | ✅ | ✅ | |
| Remove background (extension) | ✅ | ✅ | |
| Remove tags | ✅ | ✅ | |
| Edit image | ✅ | ✅ | |
| Edit custom focus area | ✅ | ✅ | |
| Copy asset | ✅ | ✅ | |
| Add asset to media collections | ✅ | ✅ | |
| Delete a comment thread | ✅ | ||
| Rename file | ✅ | ||
| Move asset | ✅ | ||
| Delete file version | ✅ | ||
| Delete asset | ✅ | ||
| Share asset | ✅ | ||
| View public links | ✅ | ||
| Create public links | ✅ | ||
| Edit public links | ✅ | ||
| Delete public links | ✅ |
Media collection permission levels
An ImageKit account user with relevant permissions can view and manage access permissions on media collections for restricted media library users and user groups. For a media collection, you can assign one of the following permission levels:
- Can view
- Can contribute
- Can manage
The table below summarises the operations that can be performed on media collections and assets added to them at each permission level:
| Operation | No permission | Can view | Can contribute | Can manage |
|---|---|---|---|---|
| Create new media collection | ✅ | ✅ | ✅ | ✅ |
| View & search media collections | ✅ | ✅ | ✅ | |
| View assets in media collection | ✅ | ✅ | ✅ | |
| View file & file version details | ✅ | ✅ | ✅ | |
| Download media collections as zip | ✅ | ✅ | ✅ | |
| Add assets to media collection | ✅ | ✅ | ||
| Rename media collection | ✅ | |||
| Remove assets from media collection | ✅ | |||
| Delete media collection | ✅ | |||
| Share media collection | ✅ | |||
| View public links | ✅ | |||
| Create public links | ✅ | |||
| Edit public links | ✅ | |||
| Delete public links | ✅ |