Access control for metadata fields

Metadata field access control lists can be used to control the usage of metadata fields and metadata field groups at a global level, i.e. they apply to all items. The default behavior for a field or a group without any access control list is to grant everyone full permissions.

In case of a conflict, i.e. when one or more entries in the access control list for a certain field or group apply to the same user, the entry granting the highest level of permissions applies.

Note that metadata field access control lists are applied after any other access control lists have been applied. So, for example, a metadata field access control list won’t grant a user access to a certain field of an item’s metadata if the user cannot access the item in the first place.

Permission levels

There are four levels of permission; a higher level includes the permissions of all lower levels. The semantics of each permission differ depending on whether it is associated with a group or a field.

| Permission | Field | Group |
|---|---|---|
| NONE | Grants no permissions whatsoever. | Grants no permissions whatsoever. |
| READ | Determines if user can see the contents of a field. | Allows for the group to be retrieved and seen when it is listed. Also allows for the group to be associated with items. |
| WRITE | Allows a user to set the value of a field. | Allows fields to be added and removed from the group. |
| DELETE | Allows a user to delete a field from the metadata of an item. | Allows deletion of the group. |
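
The evaluation rules above (default grant, highest level wins, item access checked first) can be modelled in a few lines. This is an added example, not the product's own code; the entry format, matching entries by user or user-group name, the field name and the result for a user that no entry matches are assumptions of the model.

```python
from enum import IntEnum

class Permission(IntEnum):
    # Levels in the order the page lists them; a higher level includes the lower ones.
    NONE = 0
    READ = 1
    WRITE = 2
    DELETE = 3

def effective_field_permission(user, groups, field_acl, item_accessible):
    """Model of the evaluation rules described above (not the product's code).

    field_acl: list of (principal, Permission) entries, or None when the
    field has no access control list. Matching entries by user name or
    user-group name is an assumption of this model.
    """
    # Field ACLs are applied after all other ACLs: no item access, no field access.
    if not item_accessible:
        return Permission.NONE
    # A field without any ACL grants everyone full permissions.
    if not field_acl:
        return Permission.DELETE
    principals = {user} | set(groups)
    matching = [perm for principal, perm in field_acl if principal in principals]
    # Assumption: an ACL exists but no entry applies to this user -> no permissions.
    if not matching:
        return Permission.NONE
    # Conflict rule: the entry granting the highest level wins.
    return max(matching)

# Constructed sample ACL for a hypothetical field "review_notes".
REVIEW_NOTES_ACL = [
    ("alice", Permission.NONE),     # intended to lock alice out
    ("editors", Permission.WRITE),
    ("viewers", Permission.READ),
]

def audit(users, field_acl):
    """Return {user: effective permission name} for accessible items."""
    return {u: effective_field_permission(u, g, field_acl, True).name
            for u, g in users.items()}

if __name__ == "__main__":
    users = {"alice": ["editors"], "bob": ["viewers"], "carol": []}
    print(audit(users, REVIEW_NOTES_ACL))
    print(audit(users, None))
```

Because the highest matching entry wins, the NONE entry for alice does not act as a deny: she still gets WRITE through the editors entry. Restricting a user therefore means removing them from every entry that grants more, and any field left without an access control list stays fully open.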