Object Permissions
Object permissions can be granted to users and roles to allow or deny execution of certain business operations on specific instances of a given entity type. They are typically used for overriding operation permissions, which describe a general security policy.

You can manage object permissions for entities of the Content, Dynamic and Tagged Playlist, Live Text and Media Feed, Presentation, Group, and Player types.

- Permissions granted to users on the object level have the highest priority but the narrowest scope.
- Permissions granted to roles on the object level have second priority and may be overridden by user permissions.
- Permissions granted to roles on the operation level (visible in the Admin > Roles page) have the lowest priority but the widest scope.

Operation permissions affect all entities of a given type, but have lower priority than object permissions. They are useful for defining a baseline security policy, which can then be adjusted by more granular object permissions.

See Object Permissions & Custom Roles for more information about how to use this feature in BrightAuthor:connected.

Examples

Store Managers

A company may want to let store managers decide which deals to promote, so managers need to view various presentations and schedule them for the players in their store. However, if you assign them to a custom role based on Publishers, they would have access to the presentation schedules of all stores and might accidentally delete or modify the schedules for other stores.

1. Create a custom role based on Publishers.
2. Assign all of the store managers to this role.
3. Change the role so that the actions View Groups and Update Schedule in the Group category are denied.
4. Make sure that each group of players reflects a different store location.
5. Change the object permissions of each group on the network so that each user assigned to the custom Publishers role can only view and modify the group corresponding to his or her store.

You can also assign object permissions based on individual players. This is helpful if you already organize groups in some other way (by region, by store type, etc.).

This object permissions system allows store managers to schedule menus and offers only at their own store locations. You can customize this system even more. For example, if you want certain store managers to have access to certain menus or promotions depending on region or store type, you can use the object permissions for presentations to deny or allow access as you see fit.

Prototypes

The marketing department wants to upload an announcement to test how it will look on a digital display. However, only certain employees should have the ability to view, edit, or schedule the presentation, since the announcement is confidential. You can limit access to this presentation either by role or by individual user, or allow access to a user who is working on this project but who doesn’t normally have access to presentations.

For this scenario to work, most or all users need to be assigned to custom roles, since the object permissions for system roles cannot be edited.

Keep in mind that there are other factors besides object permissions that can limit access to a presentation or other object. For example, you can give a user full permissions for a dynamic playlist object, but that user will not be able to save content changes to that dynamic playlist if the role restricts the Assign Content action in the Content permissions category.
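The priority order and the store-manager setup described above, modeled in Python as an added example (it is not BrightSign code and does not call any BrightSign API). It resolves a decision through the three levels and audits for grants that reach another store's group. The class names, the `store` field, the sample users and the deny default for an unset operation are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"

@dataclass
class Role:
    name: str
    operations: dict = field(default_factory=dict)  # (entity type, action) -> decision
    objects: dict = field(default_factory=dict)     # (object id, action) -> decision

@dataclass
class User:
    name: str
    role: Role
    store: str                                      # group this manager is responsible for
    objects: dict = field(default_factory=dict)     # (object id, action) -> decision

def resolve(user, entity_type, object_id, action):
    """Return (decision, deciding level) in the priority order described above."""
    key = (object_id, action)
    if key in user.objects:                 # user, object level: highest priority
        return user.objects[key], "user-object"
    if key in user.role.objects:            # role, object level: second priority
        return user.role.objects[key], "role-object"
    # Role, operation level: the baseline. Unset means deny here (assumption).
    return user.role.operations.get((entity_type, action), DENY), "role-operation"

def cross_store_access(users, groups, actions):
    """List (user, group, action) grants that reach a group other than the user's own."""
    return [(u.name, g, a) for u in users for g in groups for a in actions
            if g != u.store and resolve(u, "group", g, a)[0] == ALLOW]

# Constructed sample data for the store-manager scenario.
ACTIONS = ("View Groups", "Update Schedule")
GROUPS = ("Store 1", "Store 2")
managers = Role("Store Managers", operations={("group", a): DENY for a in ACTIONS})

def own_store(group):
    return {(group, a): ALLOW for a in ACTIONS}

alice = User("alice", managers, "Store 1", own_store("Store 1"))
bob = User("bob", managers, "Store 2", own_store("Store 2"))
# Misconfiguration to catch: a leftover user-level grant on another store's group.
carol = User("carol", managers, "Store 1",
             {**own_store("Store 1"), ("Store 2", "Update Schedule"): ALLOW})

if __name__ == "__main__":
    print(resolve(alice, "group", "Store 1", "Update Schedule"))
    print(resolve(alice, "group", "Store 2", "Update Schedule"))
    print(cross_store_access([alice, bob, carol], GROUPS, ACTIONS))
```

Because user-level object permissions win over everything else, a single stale grant like the constructed `carol` entry bypasses the role's deny, which is why the audit walks every user against every group.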