Access control for multiple departments
During the evaluation of the new DAM system, there is one area that we pay a lot of attention to: access control for multiple tenants. Tenants can be departments, offices around the world, clients, etc. We will use departments for illustration in this article.
You are probably already familiar with the use of shared folders to store and restrict access to digital files in your organisation. Many DAM systems follow this concept of using folders to segregate the access control between the departments. So if your organisation is using one of these DAM systems, most likely, you are comfortable with this familiar function and will not see any issue with it initially.
But as the number of assets and users increases, you will reach a point where more granular permissions are required, and folder-based access control becomes an issue. For example, within the same folder, you may want some assets to be viewable by all users in the organisation and other assets to be viewable only by users from your own department.
This requirement cannot be achieved by folder-based access control because all assets within the same folder will inherit the same permission settings. The best way to achieve granular permissions is to assign the access control settings to individual assets – Asset-based access control.
Take this real-world access control requirement as an example. There are more than 10 departments in this organisation. This table shows the permissions assigned to each user role in Dept A at different access levels.
A true multi-department DAM system will be able to provide virtual walls between departments so that each department can only govern its own assets. Within each department, different user groups can also be further defined.
From our experience and research, the best and most user-friendly way to assign permissions to each asset is to make use of metadata fields. Hence, the DAM system must be capable of checking the values of specific metadata fields of each asset and granting access rights to users accordingly.
To fulfil the access control requirements as illustrated in the table above, we configure two metadata fields to be used as the control fields: Department and Access Level.
Once a user logs in, the DAM system will check which department the user is from and the user’s role: Admin, Manager or General User. In combination with the two control fields of each asset, the system will determine which assets this user can view, edit or download.
Of course, the DAM system must also be capable of setting the Department and Access Level in batch. No one is going to apply the settings for the assets one by one.
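The check described above, together with batch setting of the two control fields, written in Python as an added example (not code from this article or from any DAM product). The role names, the actions and the control field names come from the text; the access-level values `Organisation` and `Department`, the permission matrix and the rule that only a department's Admin may retag its assets are assumptions made for illustration.

```python
# Role names, actions and control-field names come from the article; the
# access-level values and the permission matrix are constructed assumptions.
ROLES = ("Admin", "Manager", "General User")
ALL = frozenset({"view", "edit", "download"})
# (role, access level) -> actions allowed on assets of the user's OWN department
OWN_DEPT = {
    ("Admin", "Organisation"): ALL,
    ("Admin", "Department"): ALL,
    ("Manager", "Organisation"): ALL,
    ("Manager", "Department"): frozenset({"view", "download"}),
    ("General User", "Organisation"): frozenset({"view", "download"}),
    ("General User", "Department"): frozenset({"view"}),
}
# access level -> actions allowed on ANOTHER department's assets, for any role
OTHER_DEPT = {"Organisation": frozenset({"view"})}

def allowed_actions(user, asset):
    """Decide from the asset's two control fields; anything unlisted is denied."""
    dept = (asset.get("Department") or "").strip()
    level = (asset.get("Access Level") or "").strip()
    if not dept or not level or user["role"] not in ROLES:
        return frozenset()  # fail closed on untagged assets or unknown roles
    if dept == user["department"]:
        return OWN_DEPT.get((user["role"], level), frozenset())
    return OTHER_DEPT.get(level, frozenset())

def batch_set_controls(actor, assets, department, level):
    """Retag many assets at once and return the ids that were changed.

    Assumption: only an Admin may retag, and only assets that the Admin's own
    department currently governs, so nobody can relabel across the wall.
    """
    changed = []
    for asset in assets:
        if actor["role"] == "Admin" and asset.get("Department") == actor["department"]:
            asset["Department"], asset["Access Level"] = department, level
            changed.append(asset["id"])
    return changed

# Constructed sample assets
ASSETS = [
    {"id": 1, "Department": "Dept A", "Access Level": "Organisation"},
    {"id": 2, "Department": "Dept A", "Access Level": "Department"},
    {"id": 3, "Department": "Dept B", "Access Level": "Department"},
    {"id": 4, "Department": "Dept A"},  # Access Level missing
]
```

Because the control fields decide access, changing them is itself a privileged operation: a user who could edit `Department` on an asset could move it out from behind its department's wall.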
Continued in part 4.