Folder permissions for Cloudinary users
Overview
A summary of an investigation into the different folder permissions available for Cloudinary users, including access levels, asset creation and management etc. Ideally we would like to prevent Cloudinary users in the Digital Merchandising and Digial Brand teams from deleting or moving assets once they are added to Cloudinary as this could result in broken links on the site. We would also like to prevent the Digital Brand team from renaming assets once they have been uploaded (Digital Merch need to be able to rename assets so that they can reorder them as needed, and we have a process in place to handle this). After investigating the different options it is not going to be possible for us to prevent these users from renaming or moving assets, however we can prevent them from deleting assets.
Requirements
We would like our users on both teams to be able to:
- Add assets using upload presets
- Add tags, contextual metadata
- Edit structured metadata (this will be used for the approvals process)
We would also like the Digital Merchandising team to be able to:
- Rename assets after upload (this will be used for reordering assets in Hybris)
We would like to prevent the teams from:
- Moving assets between folders once they have been uploaded
- Renaming assets once they have been uploaded (Digital Brand)
- Deleting assets
Cloudinary options
Media Library admins can control other users access to assets using folder permissions. In order to restrict access via folder permissions users must have Media Library user status. Users in any other role will already have full access to all folders and assets.
Folder permissions can be set at any folder or subfolder level. The folder or subfolder for which you wish to grant permissions needs to be created before it is shared with a user that you wish to set the specific permissions for. Once a folder is shared with a user with a specific set of permissions, those same permissions will be applied to any folders lower in the hierarchy.
Note: You can increase the permission level for a particular user or group in a sub-folder of a folder they already have access to, but you cannot decrease their permission level. For this reason, it's recommended to minimize permissions given to Media Library users at high-level folders, and especially on the Home (root) folder.
How we will work
Since the ability to rename assets, move assets and update structured metadata all fall under the same permission of "Edit assets" in the table above it is not possible for us to prevent users from moving or renaming assets without also inadvertently preventing them from updating structured metadata. This would prevent us from implementing our approvals workflow that we have already agreed with the teams. Also the inability to separate renaming assets from moving assets means that for us to allow the Digital Merch team to be able to rename to reorder assets, we cannot prevent them from moving assets.
From our discussions with the teams, they don't often move assets between folders so we are optimistic that allowing this level of permissions won't result in issues very often. We receive notifications when assets are renamed or moved, so we have options to set up infrastructure to deal with this if we see it as necessary:
- Assets renamed in the mannequin, triptych, location and event folders will be handled by Hybris, since this is an expected use case for the team to be able to rename assets, and reorder the mannequin ones.
- The event and location folders are gonna be owned by Brand Team, but Merch team needs to have access to these folders because these assets can be used as Gallery assets in the PDP, so, the Merch team must be able to add tags (with valid Base SKU values) and approve these assets to create them in Hybris.
- We also know that the Branding team often use assets that will be located the mannequin and triptych folders. Brand will be able to contribute to the mannequin folder because they need to be able to add mannequins, currently they are duplicating them but they agreed with Merch that they can add the mannequins for products they need on content pages. Regarding the triptych folder, to prevent any renaming, moving or duplication of content we can give Digital Brand users "Can view" permissions. This means they will be able to use URLs from that folder but not make any changes that could result in broken URLs.
- Additionally, it is necessary to create new folders exclusively owned by Brand: graphics and studio-campaign.
- If an asset is renamed or moved in the location, event, graphics or studio-campaign. folders we could use notifications to alert Contentful to check for any uses of that asset within existing content (this would only apply to new content, not content that has been migrated from the current site) and show a warning that the link may be broken.
- Brand and Merchandising folders will preserve current permissions until the day that they will be deleted.
Based on the above, we will create the mannequin, triptych, location, event, graphics and studio-campaign folders that sit under the Home directory. We will give everyone from Digital Merch and Digital Brand "Media Library User" roles in Cloudinary. We will set the following folder Cloudinary permissions:
- mannequin: Digital Merch Group: "Can Manage", Digital Brand Group: "Can Contribute".
- triptych: Digital Merch Group: "Can Manage", Digital Brand Group: "Can View".
- location: Digital Brand Group: "Can Manage", Digital Merch Group: "Can Edit" (It's the minimum permission that allows to add tags and edit approval status metadata.
- event: Digital Brand Group: "Can Manage", Digital Merch Group: "Can Edit" (It's the minimum permission that allows to add tags and edit approval status metadata).
- studio-campaign: Digital Brand Group: "Can Manage", not visible for Digital Merch Group.
- graphics: Digital Brand Group: "Can Manage", Digital Merch Group: "Can Contribute".