Folder rights: how they work
Folder rights control who can do what within your Digital Asset library: who sees the assets, who edits them, who manages the structure itself. Understanding the underlying logic prevents inconsistent configurations and lets you build solid governance from the beginning.
The two-level model
Whenever a user or group obtains a right on a folder, they actually acquire two distinct and independent types of access:
Folder rights — what the user/group can do on the folder itself (rename it, manage who accesses it, create subfolders).
Rights on assets in the folder — what the user/group can do with the content published inside that folder.
These two levels combine. A user can have the right to view assets in a folder without being able to manage the folder itself, and vice versa.
Available right levels
Group rights on the folder
| Level | What the group can do |
|---|---|
| Can only view | Sees the folder, cannot modify it |
| Can add/remove assets | Publishes and removes assets from the folder |
| Can manage users/groups | Adds and removes other users/groups from access |
| Can manage the folder | Full access: renames, modifies structure and code |
The right Can manage users/groups is also required to delete a folder. No user can assign rights to another user higher than their own on the same folder.
Group rights on assets in the folder
| Level | What the group can do |
|---|---|
| No permission | Sees the folder but not the content inside it |
| Can only view | Views assets |
| Can edit | Views and edits metadata, thumbnail, versions |
| Can share | Views and distributes assets |
| Can manage assets | Full access on assets |
Viewing is a mandatory prerequisite for editing and sharing: a group cannot get the edit right without first having the viewing right.
How inheritance works
The basic rule: the parent commands
The rights a user or group has on a folder automatically extend to all its subfolders, recursively. This means that correctly configuring the root folders is sufficient: you do not have to repeat the configuration on every level of the tree.
You can add, never take away
In a subfolder a group can acquire broader rights than those it has on the parent folder, but it cannot lose those already inherited. Rights accumulate downwards, they do not narrow.
Practical example: if the Commerce Team group has read-only right on the root folder Brand Library, you can assign them full editing on the Product Content subfolder — but you cannot remove their read access on Brand Library.
In the rights management screen of a subfolder, the rights inherited from the parent folder are shown as read-only and cannot be modified from that screen.
What happens when you move a folder
When a folder is moved under a new parent, the new parent's rights are added to those already present on the moved folder.
The rights previously inherited from the old parent are automatically removed. This means that after a move a folder might become more accessible than expected, if the old and new parents had different configurations.
Before moving a folder, verify the rights of the destination branch. If the folder contains sensitive assets, manually check the resulting configuration after the move.
To complete a move you must have at least the Can manage folder right on the destination folder.
Rights via Group, not via user
In THRON, folder rights are always assigned via Work Group, not directly on individual users. The Group is the only intermediary between a user and the resources they have access to.
This setup has an important practical implication: if you want to revoke a user's access to a folder, you don't act on the folder — you act on the Group, removing the user or modifying the Group's rights.
To configure Groups and assign rights to folders, see → Configure Users and Work Groups
Conflicts and prevalence rule
A user can belong to multiple Groups. If two Groups have different rights on the same folder, the most permissive permission always prevails.
| Situation | Effective user right |
|---|---|
| Group A: only view / Group B: edit | Can edit |
| Group A: no permission / Group B: view | Can view |
To reduce a user's rights on a folder, the only way is to remove them from the Group providing those rights.
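The inheritance, move and most-permissive rules described above can be checked on a small model before changing a real tree. This is an added sketch, not THRON code or a THRON API: representing each asset level as a set of capabilities, the Agency group, the Archive folder and the user names are all assumptions made for illustration.

```python
# Added example: asset-right levels from the table, as capability sets (assumption).
LEVELS = {
    "No permission": frozenset(),
    "Can only view": frozenset({"view"}),
    "Can edit": frozenset({"view", "edit"}),
    "Can share": frozenset({"view", "share"}),
    "Can manage assets": frozenset({"view", "edit", "share", "manage"}),
}

class Library:
    def __init__(self):
        self.parent = {}   # folder -> parent folder (None for a root folder)
        self.grants = {}   # (folder, group) -> level assigned directly on that folder
        self.members = {}  # group -> set of users

    def group_caps(self, folder, group):
        """Direct grant plus everything inherited from ancestors (rights only accumulate)."""
        caps = frozenset()
        while folder is not None:
            caps |= LEVELS[self.grants.get((folder, group), "No permission")]
            folder = self.parent[folder]
        return caps

    def user_caps(self, folder, user):
        """Most permissive result across every Group the user belongs to."""
        caps = frozenset()
        for group, users in self.members.items():
            if user in users:
                caps |= self.group_caps(folder, group)
        return caps

    def move_gains(self, folder, new_parent):
        """Capabilities each Group would gain on `folder` if it moved under `new_parent`."""
        gains = {}
        for group in sorted({g for _, g in self.grants}):
            direct = LEVELS[self.grants.get((folder, group), "No permission")]
            extra = (direct | self.group_caps(new_parent, group)) - self.group_caps(folder, group)
            if extra:
                gains[group] = sorted(extra)
        return gains

def build_example():
    """Constructed data: 'Agency', 'Archive' and the user names are hypothetical."""
    lib = Library()
    lib.parent = {"Brand Library": None, "Product Content": "Brand Library", "Archive": None}
    lib.grants = {("Brand Library", "Commerce Team"): "Can only view",
                  ("Product Content", "Commerce Team"): "Can edit",
                  ("Archive", "Agency"): "Can share"}
    lib.members = {"Commerce Team": {"anna"}, "Agency": {"anna", "ben"}}
    return lib
```

With this constructed data, `move_gains("Product Content", "Archive")` reports that Agency would gain view and share on the moved folder, which is the widening the move section says to check for before and after a move.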
Recommended configuration
Three standard scenarios to start from for most setups.
| Profile | Folder rights | Asset rights |
|---|---|---|
| Admin / Manager | Can manage folder | Can manage assets |
| Operational team | Can add/remove assets | Can edit |
| Read-only user | Can only view | Can only view |
Recommended strategy: configure rights on root folders and leverage inheritance. Intervene on lower levels only where responsibilities are truly different.