Control Access

Manage user accounts and assign permissions from our simple and intuitive web app.

Every creative.space system comes with a built-in enterprise-level authentication system. That’s a lot of big techie words, but what it means is that you don’t need to integrate some other complicated solution like Microsoft Active Directory just to secure and control access to your data.

Core Concepts

With creative.space, there are three core concepts to understand when it comes to access control:

Users - Give each of your team members their own creative.space login and lets you control what each of them can access.
Groups - Make it easy to give several users access to the same spaces and folders.
Roles - Make it easy to give several users access to the web app’s user interfaces and actions.

Users

Just like how your user credentials on your computer let you log in to your operating system and access files, your creative.space user lets you log in to the node, i.e. server, and access files.

In the same way that the user on your workstation determines which files you can access and settings you can change on it, your creative.space user determines which spaces you can connect to, which files you can access within a space, and what settings you can change on the node.

In creative.space, a user can have two types of access: file access and management access.

File Access
- Why do you need it? - File access lets you connect to a space and read and write the files within it.
- How do you get it? - You must be added to a space, or added to a group that has been added to a space and also have at least the Team Member role.
Management Access
- Why do you need it? - Your responsibilities go beyond simply accessing assets and working in applications, so you need to be able to manage permissions for spaces, folders, and files, create templates, ingest from other devices, recover modified or deleted data, and/or administrate the storage and networking.
- How do you get it? - Your user must be given a role of System Admin, System Monitor, or Team Leader.

creative.space users can be:

Added to spaces
Added to groups
Given roles that confer access to interfaces and actions upon them

Groups

A group is somewhat like a creative.space user: both can be granted permissions to access spaces, folders, and files. However, the similarities end there.

A group cannot:

Log into the node
Connect to a space
Receive a role that confers management access upon it

So what can a group do? Why have groups at all?

A group can share the access it has to spaces with all the users you add to it. This makes it easy to give everyone on your team the access they need, no matter how many spaces you create, and how many users you add.

Groups make it easy to manage who can access what. Without groups, you would need to individually add every user to every space, folder, and file they need to access. Instead, all you need to do is add groups and then add or remove the users from those groups. The users automatically get access everything that the groups they are in can access. Even better, if you need to revoke a user's access, all you need to do is remove them from the group.

Roles

While groups determine who can access spaces, they do not determine who can access the node's user interfaces and their available actions. That's the job of roles.

Hierarchy of Roles:

Role	Access Level
System Admin	Full control over system settings and management.
System Monitor	System performance and access monitoring.
Team Leader	Expanded access to manage spaces and teams, including the ability to control permissions for spaces they are members of, creating templates, and data recovery from snapshots.
Team Member	Access to spaces in the web and desktop apps.
Client	Access to only the Libraries interface in the web app.
User	SMB access only. No access to user interfaces, except to change your password.

<aside> ⚠️ Only give the System Admin and Team Leader roles to people you trust.

These roles have far-reaching privileges compared to other roles.

Give most of your users the Team Member role. Team Members can access and browse the ‘Spaces’ page, but are restricted from management features.

While even Team Members can delete or corrupt files, a System Admin or Team Leader can recover them using a snapshot. However, if spaces and/or snapshots are deleted entirely, you can never get the content back.

</aside>

To learn more, including a complete breakdown of what each one can do, go to the Roles page.

Managing Access with Permissions

One of the things that makes creative.space unique is the built-in authentication system, which is deeply integrated with ZFS, i.e. the filesystem.

Permissions are actually written to the spaces, folders, and files on the drives. This means that permissions need to be applied individually at every level.

To access assets on the desktop or in the web, users must have access to the entire path, not just the file itself. For this reason, it is very important to set up your folders to regulate this access.

Here are a few important things to understand:

Groups vs. Users: Granting read and write access at the group level allows you to quickly grant or revoke a user’s access with a single action, instead of having to update each item individually.
Inherited Permissions: When folders and files are created, they inherit the permissions of the parent space or folder. The person who creates it will also be the “owner” of it. The only exception is when applying a folder structure template, in which case, the creator of the template will be the owner, regardless of who applies it.
Recursive Permissions: Whenever you apply permissions, they will only effect the currently selected level, unless you turn on the ‘Recursive’ toggle. This overwrites the permissions of all children with the current user and group rights.

The Permissions card in the web app for a folder.

When you change permissions without toggling on the “Recursive” option, they only apply to the item you’ve selected and will only be applied to new folders and files that get created within them.

For example, applying write access to a space and read-only to the root folders within means that the user can create new folders and files at the root. Inversely, read-only access at the root and then write access to root folders will guarantee that the root of the Space never gets cluttered.

The ‘Recursive’ toggle will trigger the same permissions to be applied all the way down the folder tree. This will overwrite existing permissions, so always apply custom permissions from the highest level and then work your way down, when using recursion.

Folder structure templates make managing access easy by allowing permissions to be configured once and then applied automatically when a new project is created. Think of them as your organizational blueprint. How you apply permissions to control access is the key to keeping your projects orderly and manageable.