General information

Roles can be added to users in three ways:

Directly on the user (Role→User)
Inherited via a group which the user is a part of (Role→Group→User)
Inherited via a group that has the role inherited from another group (Role→Group→Group→User) (Technically, you can have unlimited groups in groups - but the groups must never create a circular reference)

Users can simultaneously have roles added directly and roles inherited via groups - having the same role added twice (or multiple times) doesn't have an impact. Removing e.g. a group with a duplicate role - will still leave your user with the role.

Roles and groups that have been inherited, will be greyed out. (You also inherit download qualities, but our current implementation does not make them show up. In a perfect world, the inherited download qualities would show up as greyed out)

If you have duplicate roles then the role will have a (+) appended

List of roles

id	Role	Description
2	Uploader	This role is obsolete
25	Editor_SystemTools_Profiles	Gives access to see and edit profiles in the DAM administration view
27	Editor_SystemTools_UserManager_Users	Gives access to see and edit users in the DAM administration view
29	Editor_Catalogs	Gives access to edit catalog folders in the DAM administration view
30	Viewer_Catalogs	Gives access to see catalog folders in the DAM administration view
36	Editor_SystemTools_UserManager_Groups	Gives access to see and edit groups in the DAM administration view
37	Editor_SystemTools_Metadata	Gives access to see and edit metadata definitions
38	Administrator	Administrator role used for all administration APIs
41	Editor_SystemTools_Destinations	Gives access to see and edit destinations in the DAM administration view
42	Editor_SystemTools_Dam	This role is obsolete
43	Editor_SystemTools_DigizuiteConfig	Gives access to see and edit Digizuite constants in the DAM administration view
44	Editor_SystemTools_MediaFormat	Gives access to see and edit media formats in the DAM administration view
45	Editor_SystemTools_TranscodeSetting	Gives access to see and edit transcodes in the DAM administration view
46	Editor_Portal	This role is deprecated but in use for the old API when editing channel folders. Only used in the DAM Administration view
50	Editor_Portal_Admin	Same as above (Editor_portal)
52	RunningJobs_View	Gives access to see your own upload progress
54	RunningJobs_ViewAll	Gives access to see all upload progress
55	RunningJobs_EditOwn	This role is obsolete
57	RunningJobs_EditAll	This role is obsolete
58	RunningJobs_ChangePriority	This role is obsolete
59	RunningJobs_AdminViewSubmitXML	This role is obsolete
60	Uploader_ShowFolderSelector	This role is obsolete
61	Uploader_ReplaceWithArchive	This role is obsolete
65	Editor_SystemTools_Config	This role gives access to product configuration, including searches, labels, and configuration
67	VP3_Portal_Admin_StartScreen	This role is obsolete
68	VP3_Portal_Admin_VideoSlides	This role is obsolete
72	ItemControlAdmin	This role is obsolete
74	Editor_SystemTools_AlwaysAllowItemSecurityEdit	This role ignores all item security - use carefully!
76	MediaPortal_Admin_StartScreen	Allows editing of the start screen in Media Manager
77	MediaPortal_Admin_Users	This role is obsolete
78	MediaPortal_Admin_Log	This role is obsolete
79	MediaPortal_Admin_Trash	This role is obsolete
80	MediaPortal_User	Basic user role that gives access to login into MediaManager
81	MediaPortal_Collection	Gives access to collections
82	MediaPortal_Uploader	Gives access to upload from MediaManager
83	MediaPortal_Downloader	This role is obsolete
84	Editor_SystemTools_PlayerTemplate	This role is obsolete
85	Editor_SystemTools_Stopwords	This role gives access to edit stopwords for Search2
86	Editor_SystemTools_License	This role gives access to edit Digizuite licenses
87	Editor_SystemTools_Status	This role is obsolete
88	Editor_SystemTools_Workflow	This role is obsolete
90	Editor_SystemTools_MediaFormatType	This role gives access to edit media format type setup
91	Editor_SystemTools_MetaDataLanguage	This role gives access to managing languages
94	Upload_Only	This role is deprecated but used in the Digizuite administration to restrict users to only seeing the upload dialog
95	Member_Viewer	This role allows users to see information about other users
103	Comments_CRUD	Gives access to see, add, delete, and edit own comments
104	Comments_View	Gives access to see comments
105	Comments_Admin_Delete	Gives access to delete all comments
106	Asset_Can_Download	Gives access to download assets - Please note that download is controlled by a set of roles and download qualities
107	Asset_Can_Download_Custom_Quality	Gives access to download custom download qualities if enabled by configuration
108	Asset_Can_Replace	Allows users to replace assets
109	Asset_Can_Revise	Allows users to replace an asset with a trim or crop
110	Asset_Can_Crop	Allows users to crop and trim assets
111	AuditTrail_View	Allows users to view audit trail for assets
112	Ai_Add	Allows users to use AI capabilities if enabled and configured
113	Can_Change_Styling_And_Theming	Allows users to change the styling and theming when Brand portal is not enabled
114	WorkStages_View	This role allows the user to see the statuses of tasks they're assigned to
115	WorkStages_Edit_Others	This role allows editing of asset status' they are not assigned to
116	WorkStages_View_Others	This role allows users always to see asset status
117	GDPR_Admin	Allows users to do GDPR actions
121	Saved_Searches_CRUD	Gives access to saved searches
122	Ai_Translate	Gives access to use metadata translation APIs
123	Integration_Endpoints_View	Allows users to see integration endpoints
124	Integration_Endpoints_CRUD	Allows users to edit integration endpoints
125	Asset_Can_Delete_Permanently	Allows users to delete assets permanently
126	Can_Edit_Automation_Workflow	Allows editing of automations
127	Can_View_Logs	Allows users to see system logs
128	Can_View_Automation_Workflow_Status	Allows users to see the status of automations
129	Can_Live_Export_Assets_And_Metadata	Full access for downloading and exporting assets and their metadata
130	Can_Live_Export_Asset_Only	Gives access to download assets
131	Can_Live_Export_Metadata_Only	Gives access to export metadata for assets
132	Business_Workflow_View	Gives access to see the workflow definitions
133	Business_Workflow_CRUD	Gives access to edit the workflow definitions
134	Download_Approval_Bypass	If download approval is enabled, this role bypasses it
135	Download_Approval_Admin	Gives access to configure download approval
136	Copyright_Notification_Bypass	If copyright notification is enabled, this role bypasses it
138	Youtube_Admin	Gives access to configure Youtube integrations
139	Business_Workflow_Instance_View_Others	This role allows the users to see tasks in Workflows they are not assigned to
140	Asset_Can_Download_Any	Bypasses all download rules
141	Can_See_Grafana_Shortcut	Gives access to system monitoring
142	Comments_Admin_Update	Gives access to edit all comments
143	Business_Workflow_General_Transition_Executor	Allows users to do transitions in workflow tasks that have no user constraints on transition
144	Business_Workflow_Instance_Delete	Allows users to delete workflow tasks
147	Business_Workflow_Instance_View	Allows users to see workflow tasks they are assigned to
148	Business_Workflow_Instance_Transition	Allows users to see transitions
149	Business_Workflow_Instance_Assign	Allows assigning workflow tasks to other people
150	EditSso	Allows editing of SSO settings
151	CanImpersonate	Allows a user to create access keys for other users. Be careful with this role, as it allows bumping user access. Should only be used for System user
152	FileRepository_Read	Used for files in workflows. This gives the users access to see attached files
153	FileRepository_Read_Secret	Used for files in workflows. This gives the users access to see secret attached files
154	FileRepository_Upload	Used for files in workflows. This gives the users access to see uploaded files
155	FileRepository_Delete	Used for files in workflows. This gives the users access to see deleted uploaded files
156	MailTemplates_CRUD	Allows users to edit mail templates
157	Can_Force_Job_Status_Change	Allows users to change job status, for example, restarting a failed job
158	Can_Configure_Members	Used in MediaManager to allow editing users. This is behind a feature flag in the current version. Will be available in the future
159	Can_Rerun_Workflows	This allows users to run automations with a manual trigger
160	ItemCheckInOut_CRUD	This gives access to check-in and check-out
161	ChannelFolder_CRUD	Allows the user to edit Channel folders. As of this release, this is a new API not being used in any UI, and therefore, this role is not needed by users
162	ChannelFolder_View	Allows the user to see Channel folders. As of this release, this is a new API not being used in any UI, and therefore, this role is not needed by users
163	ConfigManagement_Admin	Allows users to edit the configuration for products. This is a new API and is not available through UI yet.
170	Creative_Cloud_Connector	Allows users access to the Creative Cloud Connector
171	Can_See_Generic_Job_Status	Allows users to see generic job status - for instance, elastic re-indexing
172	Can_Admin_Accelerated_Search	Allows users to see the status for search administration in Media Manager
173	Smart_Asset_Picker_Connector	Allows users to use the embedded Media Manager UI
174	Can_configure_portals	Allows editing of Digizuite portals. Requires FileRepository_Upload, FileRepository_Delete, Editor_systemTools_config to work
175	Can_view_portals	Allows users to see Digizuite portals
176	Can_view_metadata_tab	Allows users to see the metadata tab on asset details
177	Can_view_related_assets	Allows users to see the related assets tab on asset details
178	Can_manage_filters_and_fields	Allows users to set up filters and free text searching. Requires Editor_systemTools_config to work
179	Can_configure_external_sharing	Allow users to configure external sharing. Requires Editor_systemTools_config to work
180	Can_view_service_health	Allows users to see the health status of the DigizuiteCore services
181	Asset_Can_Archive	Allows users to archive (soft delete) assets
182	Can_view_rabbit_health	Allows users to see the RabbitMQ queues
183	Can_crud_rabbit_health	Allows users to perform move and purge messages also create and delete temp queues in RabbitMQ
184	Collection_Super_Administrator	Allows the user to access the APIs defined under "DigizuiteCore/CollaborationService/api/collection/admin". These are currently only used by AW. So only the System user needs this role, though by default, it is given to the Super Administrator group.
186	Upload_with_required_metadata	Removes the right to upload without filling in metadata fields with "Upload required" set to true
187	Can_crop_email	Allows the user to make a crop and e-mail it to someone
191	Collection_can_share_mail	Allows the user to share with an external e-mail (available from 5.6.1, but not enabled before 5.6.2) can be turned on through Media Manager Settings → collections → Enable external collection sharing
192	Collection_can_share_zip	Allows the user to share asset(s) as a zip (available from 5.6.1, but not enabled before 5.6.2) can be turned on through Media Manager Settings → collections → Enable external collection sharing
193	Collection_can_share_user	Allows the user to share collections with other users (available from 5.6.1, but not enabled before 5.6.2) can be turned on through Media Manager Settings → collections → Enable external collection sharing
194	Collection_can_share_group	Allows the user to share with groups (available from 5.6.1) can be turned on through Media Manager Settings → collections → Enable external collection sharing
195	Collection_can_share_link	Allows the user to share a collection as a link (available from 5.6.1, but not enabled before 5.6.2) can be turned on through Media Manager Settings → collections → Enable external collection sharing
	Business_Workflow_Instance_View_Secrets
	Can_change_password	Allows the user to change password. Avatar → My Profile → Password section
	Can_Open_Office_Document	Allows the user to open office documents
	Can_publish
	MediaPortal_Can_Preview_Office	Allows the user to preview office documents in the compare window
	MediaPortal_Share	This gives access to sharing functionality. An additional role, that specifies which sharing type, is required.
	MediaPortal_Video_Embed	Allows users to see the Embed option in the sharing panel (videos only)
	Office_Can_Replace	Allows the user to replace the active document
	Office_Can_Upload_New	Allows the user to upload the active document

Features

The other way around - what roles and rights need to be added to enable a feature

MediaPortal_User is needed to access MM - so for all MM features below, it's given that MediaPortal_User is already enabled.

In a lot of instances, you also need read access to assets. I only scarcely add this as a right sometimes. Usually, it's self-evident that one should have read access to an asset to add it to a collection.

The Upload folder (46) is the default folder for uploading. This can be changed - and if changed, use this other folder instead.

For Keywords - Keywords (10192) is the default. This can of course also be changed - where you should use this new metadata field instead.

All users must have read rights to the following metafields:

.../Media Manager/is Public
.../Asset Info/Media Manager Menu
.../Tasks/Status
.../Tasks/Owner
.../Tasks/Message

Without these, recipients of shares can experience assets not loading.

Features in MM	Roles	Rights	ConfigManager
Upload assets via MM + see "Your uploads".	MediaPortal_Upload	Write access to the "Upload" folder (Usually granted through the "Trusted" group)
Enable users to change their profile information			Enable users to see and edit their account information = True
Upload/change profile image via MM	MediaPortal_Upload		Enable profile images = True Enable users to see and edit their account information = True
Restore old asset version via MM	Asset_Can_Replace	Write access to the "Upload" folder (Usually granted through the "Trusted" group) (Having write access to Content does nothing)
Replace asset + See "Asset History" (Not audit trail)	Asset_Can_Replace	Write access to the asset
See asset statuses + Enable the "My tasks" view	WorkStages_View	Read access to the asset
Enable the "All tasks" view	WorkStages_View WorkStages_View_Others	Read access to the asset
Change/set assets' statuses (on assets not already assigned to other users - Meaning only assets where you or none is assigned)	Member_Viewer WorkStages_View	Write access to the asset Write rights to the combo options in "Metadata → Asset → Shared → Tasks → Status" and then "Metadata field label → Edit combo values" (usually granted via trusted)
Change/set assets' statuses (regardless of who they're assigned to)	Member_Viewer WorkStages_View WorkStages_Edit_Others	Write access to the asset Write rights to the combo options in "Metadata → Asset → Shared → Tasks → Status" and then "Metadata field label → Edit combo values" (usually granted via trusted)
Printing	Asset_Can_Download	The asset is "public" (no padlock)
Enable (single- and multi-) download of an asset's predefined qualities Enable (single- and multi-) download of assets and metadata Enable download of collections as a zip	Asset_Can_Download Can_Live_Export_Assets_And_Metadata	The asset is "public" (no padlock) Should be added to a group with download qualities: "Guest", "Light Users", "Content Creators", "Administrators", or "Super Administrators"
Enable (single- and multi-) download of an asset's predefined qualities Enable (single- and multi-) download of metadata Enable download of collections as a zip	Asset_Can_Download Can_Live_Export_Metadata_Only	The asset is "public" (no padlock) Should be added to a group with download qualities: "Guest", "Light Users", "Content Creators", "Administrators", or "Super Administrators"
Enable (single- and multi-) download of an asset's predefined qualities Enable (single- and multi-) download of assets Enable download of collections as a zip	Asset_Can_Download Can_Live_Export_Asset_Only	The asset is "public" (no padlock) Should be added to a group with download qualities: "Guest", "Light Users", "Content Creators", "Administrators", or "Super Administrators"
Download custom qualities	Asset_Can_Download Asset_Can_Download_Custom_Quality	The asset is "public" (no padlock)	Custom quality color spaces = must have content Custom quality image types = must have content Enable custom quality download = true
Enable embed as a sharing option for videos	MediaPortal_Video_Embed MediaPortal_Share	The "Embed player user" has read rights to the video assets	Choose available embed video sizes = must have content Choose available embed video qualities = must have content Embed player user = must have content (usually "Guest")
Enable sharing assets to/via collections (Create new, Add to existing)	MediaPortal_Share MediaPortal_Collection	The asset is "public" (no padlock)
Add asset to own collection.	MediaPortal_Collection	The asset is "public" (no padlock)
Enable the ability to CRUD own collections	MediaPortal_Collection
Enable ability to CRUD own collections + CRUD collections shared to oneself/Others	MediaPortal_Collection		Give new recipients of non-social collections (e.g. not Facebook collections) access to manipulate collections = true
Enable non-pre-existing users to read collections on an SSO site	MediaPortal_Collection		Allow shared collection users to bypass login required screen = true
Enable users to use AI Tagging + your site has external access	Ai_Add	Write access to the asset (only images)	Enable AI tagging functionality for metadata field = Keywords(10192) (Keywords must be autotranslate = true)
If you want AI tagging but don't have external access	Ai_Add	Write access to the asset (only images)	Enable AI tagging functionality for metadata field = Keywords(10192) (Keywords must be autotranslate = true) Use local analysis for AI services = true
Enable CRUD of own saved searches	Saved_Searches_CRUD
Enable crop/trim (share it via email)	Asset_Can_Crop
Enable crop/trim + Replace original asset with crop/trim + Restore to an older version of an asset	Asset_Can_Crop Asset_Can_Replace	Write access to the asset Write access to the Uploads folder OR the Content folder (The option to restore requires "write access" to the Uploads folder)
Enable crop/trim + Make new child asset with crop/trim	Asset_Can_Crop Asset_Can_Revise	Write access to the asset Write access to the Uploads folder OR the Content folder
Have the filter open every time you access the MM			Automatically expand filter pane in asset list = true
Make all filters be expanded every time you access MM			Automatically expand filter pane in asset list = true Automatically expand individual filters in asset list = true
Make asset ID shown			Show asset ID in asset list = true
Enable password reset			Enable the option to reset one's password = true
Enable self sign-up where users can choose their own password			Enable self sign up = true Template user for self sign up users = A user with all the rights, roles, and groups your users should have (User must be enabled) Allow users to choose a password on signup = true Auto-created user folder ID = the ID of the folder where you want your users to go.
Enable email verification for self-sign-up (when self-sign-up already is enabled) where users can choose their own password			Enable self sign up = true Template user for self sign up users = A user with all the rights, roles, and groups your users should have (User must be disabled) Allow users to choose a password on signup = true Verification when a user is created using self sign up = Email verification
Enable admin verification for self-sign-up (when self-sign-up already is enabled) where users can choose their own password			Enable self sign up = true Template user for self sign up users = A user with all the rights, roles, and groups your users should have (User must be disabled) Allow users to choose a password on signup = true Verification when a user is created using self sign up = Admin verification Administrative verification email = the admin's email
Enable that refreshing MM will log one out			Enable persistent login = false
Enable reading other peoples' comments and annotations	Comment_View
Enable commenting and annotating	Comment_View Comment_CRUD
Enable commenting and annotating + tagging other users	Comment_View Comment_CRUD Member_Viewer
Access the task list	Business_Workflow_Instance_View
Edit workflows	Business_Workflow_CRUD Business_Workflow_View
Request download of an asset's predefined formats. Can single download approved assets. Can single download if bypassed with a bit field.	Business_Workflow_Instance_Transition Business_Workflow_Instance_View Asset_Can_Download	Download approval must be set up The asset is "public" (no padlock)
Request download of an asset's predefined formats. Can single download approved assets. Can single and multi download if bypassed with a bit field.	Business_Workflow_Instance_Transition Business_Workflow_Instance_View Asset_Can_Download Can_Live_Export_Asset_Only	Download approval must be set up The asset is "public" (no padlock)
Request a custom-quality download	Business_Workflow_Instance_Transition Business_Workflow_Instance_View Asset_Can_Download_Custom_Quality	Download approval must be set up The asset is "public" (no padlock)
Circumvent the download approval process	Download_Approval_Bypass	Download approval must be set up Have enabled either standard or custom download
Approve or deny download requests	Business_Workflow_Instance_View Business_Workflow_Instance_Transition Download_Approval_Admin	You must be auto-assigned via the accompanying workflow as per the documentation
Enable copyright notification		Follow the documentation: In short, you need to set it up via the config manager settings + metadata settings
Circumvent the copyright notification	Copyright_Notification_Bypass	Have copyright notifications enabled
Upload both insecure and secure attachments on tasks. Required for upload file constraints	FileRepository_Upload
View own and others' insecure attachments on tasks	FileRepository_Read
View insecure and own secure attachments on tasks	FileRepository_Read	The upload constraint you upload with must have the "secret" bit set to true
View own and others' secure attachments on tasks + insecure attachments	FileRepository_Read FileRepository_Read_Secret
Enable intro screen			Choose intro screen mode: Splashscreen or Disclaimer
Enable configuration of the brand portals + styles	FileRepository_Upload FileRepository_Delete Editor_systemTools_config Can_configure_portals
Enable viewing of the brand portals	Can_view_portals
See other users in notifications.	Member_Viewer
Remove access to upload without setting upload required metadata fields	Upload_with_required_metadata	The metadata field has "Upload required" = enabled

The CCC (DACCC or Digizuite Adobe Creative Cloud Connector) requires all its users to have read access to assets + the following roles.

Creative_Cloud_Connector
Asset_Can_Download
Uploader

Features in CCC	Roles	Rights	ConfigManager
Check-out assets + check-in assets you've checked out yourself (This does not make sense if you do not have the replace role)	ItemCheckInOut_CRUD	Write access to the asset	Enable check-in/out = true
See who has checked out assets (both own and others')	Member_Viewer (OR Administrator)
Check-in assets that other people have checked out	Administrator Member_Viewer
Upload active documents or, e.g., image files	MediaPortal_Upload	Write access to the "Upload" folder (Usually granted through the "Trusted" group)
Replace (INDD, PSD, AI, AEP, PRPROJ)	Asset_Can_Replace	Write access to the "Upload" folder (Usually granted through the "Trusted" group) (?) Write access to the asset

Features in OC	Roles	Rights	ConfigManager
Insert asset	Asset_Can_Download	Image download qualities

Features in DC	Roles	Rights	ConfigManager
Upload only (e.g. for photographers)	Upload_Only	Write access to the Uploads folder
SuperAdministrator rights	Editor_SystemTools_AllwaysAllowItemSecurityEdit

General information

List of roles

Features

Features in MM

Features in CCC

Features in OC

Features in DC