1300 886 238
Cumulus and Extended Permissions

Cumulus and Extended Permissions

STOP PRESS: Canto offers 50% discount till end December 2016 for existing customers
PermissionsCumulus out-of-the-box allows for a user’s access to be controlled by permissions which are applied for each user and that control the content with which they can interact. Generally, the functions a user is allowed to perform on records, assets and categories is set by the Cumulus administrator. These permissions can either apply to all catalog a user has access to, or can be catalog-specific.

Extended Permissions is a Cumulus add-on module that offers real-time permissions based on the business rules that you set. The permissions can change based on circumstances such as workflow approval processes, embargo and expiry dates, and other factors. It allows for the actual assets to have a permissions aspect that will determine how people can interact with the content.

This is implemented in either of two ways: either by assigning permissions to the assets themselves or by applying dynamic filters that control access based upon content characteristics.

What you can do with Extended Permissions:

Live Filtering

search_filterLive filtering is perhaps the simplest/ easiest way of implementing Extended Permissions. The traditional static permissions model doesn’t work when “yes” versus “no” needs to be based on real-time workflow status, rather than decisions made in advance. With live filtering, the visibility of assets can be controlled by a dynamic search query. After saving a query, it can be added to a user as a Live Filter. This could be used to give users only access to assets with a certain status, such as Approved. As soon as the status of a certain asset changes, the visibility of that asset to the user may change too.

As long as filtering is active, any further search operation – Quicksearch, Category Search, whatever – will only take into account the collection as defined by the filter criteria, not the whole catalog. Accordingly, the Find All Records command will only find records that match the filter criteria. An example is to create a checkbox metadata field called, “Ready for Client Approval.” Then create a Live Filter that finds only those files ready for approval. When the user logs in, she sees files ready for her approval, without any searching.

Set individual record/ category permissions

These enable administrators to determine who sees what on a particular asset or category. It allows a much more granular approach to asset access as you can hide asset records or categories from users who don’t need them ensuring asset security and metadata privacy. You can specify that user X can access specific types of documents like press releases for example, but not price lists.

For assigning individual permissions, a Permissions Template may be employed to grant individual permissions to multiple users/roles as defined in the template, granted to selected users one by one, or even automatically using built-in scheduler actions or the Roboflow (pdf) module.

This makes it possible to provide “private” metadata fields in your catalogs, such as “CIO Approved” or “Manager Approved” fields. Other users can see the fields if they have access to view sets that contain them – but only those listed as editors of the fields can make changes.

The primary value this feature offers is data integrity. If your catalog includes a “Manager Approved” field and that field is checked, you know for certain your manager has approved the asset. Because these fields can also serve as control mechanisms for Live Filtering, this enables managers in your group to enable or disable access to certain assets just by logging in (from anywhere) and changing a value.

Set permissions to edit field values

Field specific permissions can restrict the editing of certain fields to only chosen individuals or roles. Administrators can define permissions for certain metadata fields, for example they could define that in general a certain user can only view assets but have limited access to edit certain metadata fields for which they are responsible, such as copyright or distribution.


This is a very powerful feature, especially in workflow and approval scenarios. You can combine several permissions to achieve your desired outcome.

Note: Extended Permissions and Permissions templates are included in Cumulus Enterprise edition.

Written by Antra Silova, Media Specialist and Linda Rouse, Information Manager.

Useful links

Comparison of Workgroup versus Enterprise blog post.
Roboflow datasheet (pdf).


Cumulus Workgroup vs Enterprise

Cumulus Workgroup vs Enterprise

Cumulus Workgroup or Enterprise – which one is right for you? As the names suggest, the two editions provide features and functionalities suited to different organisations needs and requirements. Selecting the ‘right’ solution depends a lot upon how it is to be used and the environment in which it will be deployed. The following information is intended to provide some broad guidelines on the different features of each – please contact DataBasics to discuss your individual needs.

Cumulus Workgroup

The Cumulus Workgroup edition is by far the most popular and is basically a DAM for work groups that want a simple collaboration and sharing platform – to create, find, organise and share digital content via the web. The Cumulus web solutions enable access for general users and power users, as well as content managers via a smart visual interface. There is a Desktop Client installed on a PC or Mac for business and IT administration of the system.

The public web portal is an interface used by guest users such as external agencies or designers who do not require login credentials, to view, download, print or email digital assets, depending on their level of access. With Workgroup you can distribute to an unlimited number of users and content consumers.

The management of the content is at a “catalog” level, meaning that you have the ability to establish broad groupings of content and control access accordingly. For example we often see content groupings like New, Approved and Archived as groupings of content or categories in our Workgroup.

The Web Client is for DAM business or content managers to upload, update and search for assets, add comments and metadata to individual or batched items. Content can be previewed, downloaded and shared. This is the interface where recently uploaded content can be sorted and distributed to the various production folders in the system.

Cumulus EnterpriseEnterprise puzzle

The Enterprise edition, as the name suggests, is more suited for large, multi-office or global organisations that have more complex workflow needs to oversee the content creation and management process, with typically several different stakeholders and associated teams involved.

The Enterprise server architecture is more powerful and allows for use of all available hardware resources, thus able to deliver greater loading and faster throughput, as well as providing a more powerful and robust database engine.

Enterprise comes with all the features of Workgroup but also comes bundled with a number of modules or add-ons that expand and enhance Cumulus functionality. There are advanced permissions for granular control of content, greater administrative management capabilities, statistical and usage reporting. Many of these modules are available for Workgroup if required but with Enterprise they are all automatically switched on.

These additional modules are outlined below:

Extended Permissions

Enterprise provides for additional permissions than those available in Workgroup. Using category and asset-level permissions, the built-in scheduler can scour your catalogs regularly for issues of concern – such as expired usage licenses – and apply a permissions template that removes access to the assets, ensuring no one can access them until the situation is resolved.

You can hide individual categories or asset records from certain users or roles. Changes can be made manually via permissions templates or even automatically using Scheduler actions. No other records or categories need be affected.

This makes it possible to provide “private” metadata fields in your catalogs, such as “CIO Approved” or “Manager Approved” fields. Other users can see the fields if they have access to the view sets that contain them – but only those listed as editors of the fields can make changes.

The primary value this feature offers is data integrity. If your catalog includes a “Manager Approved” field and that field is checked, you know for certain your manager has approved the asset. Because these fields can also serve as control mechanisms for Live Filtering, this enables managers in your group to enable or disable access to certain assets just by logging in (from anywhere) and changing a value.Distribution

You can also create one-click distribution control! Create a “distribution control” field as a mechanism to enable a group of authorised users to immediately take any asset offline.

Roles and Extended LDAP

In Enterprise, complete user management and access permissions can be controlled by a central system such as Active Directory (AD) and  LDAP. Thus users are not managed by the DAM team but by the IT team or by business administrators. Content can be controlled at a more granular level with individual characteristics of an asset, e.g. status or applicable usage, defining who can do what with it.

The Roles and Extended LDAP module supports:


• Using roles (Role-based User Management)
• User context fields filled by external authenticator modules (e.g. LDAP)
• Roles assigned by external authenticator modules (e.g. LDAP).

Filling user context fields, such as email and mailing addresses by an external source such as LDAP ensures Cumulus always has the most recent user data for the purposes of emailing notifications, addressing mailing labels and more, as provided by third party option products.

When roles are assigned by an external source such as LDAP, no Cumulus accounts are even required. Cumulus will honor the LDAP logins, and map LDAP roles to Cumulus roles, ensuring faster deployment and easier maintenance of larger sites.

Because access permissions can be based on groups, a single permissions change can now affect potentially hundreds of users. Roles not only make the administration of larger systems easier, they make temporary personnel changes easy on all systems.

Usage Statistics and Reporting

The Usage Statistics and Reporting module expands on the standard collection of asset usage statistics. Create automated reports that help you value assets, fine-tune Cumulus and plan for the future.

  • discover which assets provide the most value
  • fine-tune metadata by discovering which search terms fail and which are most common
  • determine the value of an entire collection on a per-asset basis and anticipate growth and budget needs in advance
  • configure recurring, automated graphic and textual reports without IT involvement.

Usage stats
The Cumulus Servers gather asset usage statistics, including asset edits, printing, downloads previews and more. You can view statistics inside Cumulus, however the Reporting module enables you to also generate automated graphic and textual reports based on Cumulus statistics and search statistics as well. Reports can be configured per catalog, and run at time intervals you specify.

Customise chart formatting and output formats, and choose from font choices, colors, label styles, and report orientation.

Enterprise Secondary License

Most importantly, Enterprise comes with a second license of the software that can be used as a staging, failover or development server. The ability to have a development server to test latest releases or new options with your existing data prior to going ‘live’ on the production server is a major consideration. This is especially significant for those users reliant on 24 hour access to the solution with no downtime, and/or the IT department having strict standards relating to implementation of business solutions.

You could use your second license to run a mirrored copy of your Cumulus server. This enables you to split Web access requests between two machines, or limit Web access to the mirrored machine, reducing the load on your main Cumulus server.

Questions to help determine your requirements

• How many power users need to be managing the content? How many will need training on the solution and require read/write level of access?
• How many users need to upload content and enter metadata along with the upload?
• Do we have detailed statistical usage and reporting requirements?
• Do we need automation of processes and workflows e.g. for approvals?
• Do we need email ordering of images/documents/products?
• Do we need integration with other systems?