Last updated July 13, 2021

Access control for Media entities in Drupal 8/9 works in much the same way as it does for any other content entity. The Media module provides fine-grained control over create, update, and delete operations, but only basic control over who can view Media assets. The thinking is that there are too many possible permutations of how an application may want to restrict read access to content. Therefore, rather than try to pick one setting and add it to core, the decision is left entirely up to the site administrator and contributed modules.

In this tutorial we'll:

  • Look at the different permissions provided by the Media module for controlling access to Media entity operations
  • Discuss some common misconceptions about file permissions that can lead to potentially exposing private data

By the end of this tutorial you should know how to configure access control for Media entities, and be able to explain how access control relates to files attached to a Media entity that is itself attached to a Node.