Model Permissions have recently been integrated into Roblox. Currently, you are able to give groups, users and games access to your model. I have attempted to use load asset to load a model from my alt account in a group owned game. I have gave my group and the group owner both access to use this model and edit. Additionally, I have went into the game settings and allowed the asset model specifically in the settings. However, when joining the game it either says user is not authorized to access asset or asset is not trusted which should not be the case since the model is in the group inventory. It is obvious that Roblox has made an oversight when adding model permissions as load asset does not reflect this change. For context, LoadAsset has never been able to work in group-owned games only user owned, not even model permissions fix this issue. This has been a feature requested for several years.
Expected behavior
I expect that it should be able to properly insert the asset as long as the group has permission to use the model as it is in the group inventory. Please update loadasset to accommodate for the new model permissions.
Hi,
That’s definitely something we are looking and trying to resolving. In next few weeks, we are trying to addressing this concern.
On the other hand, to let insertService load asset in the experience is not via share to that group but share your asset to that “experience”. Have you tried put that universeId under your model → permission → experiences under creator hub?
Unfortunately, I do not have access to edit the game I am intending to do this for. Hopefully this issue gets resolved soon where I can give the group permission to load the asset.
insertService’s actor is that experience not a user, so we need grant asset permission to that experience.
there is 2 ways to let it happen:
you share the asset experience to experience owner - which you had already done, then the group owner should be able to find that asset under “toolbox → my model”, and they need to explicit drag and drop the model into the experience once in the studio → which will grant that experience the permission
you ask group owner to grant your account with edit permission of the experience, under the group experience permission pages. after your account has edit permission for that experience, you will be able to grant your asset to that experience.
I understood it’s a little…painful and confused, i will talk to our product to see whether we can make this workflow better
Hi, Thanks for your response. However, this is not ideal for me. What I essentially want to achieve is users being able to make user generated content for the game in real time without the creator’s intervention or giving the user complete access to the game. I want InsertService:LoadAsset to be able to insert the model as it has permission given to the group to use in the experience. The current workflow hinders this from being achieved and therefore making it more difficult to create user generated content. If this isn’t able to be achieved, it would be nice to at least be able to upload models to the group and update them with full asset permissions instead of requiring full game access. Hopefully, loadasset gets updated soon to accommodate the expanded permissions. Thank you for your help.
Yeah I totally understand your needs, i will talk to our product team about this requirement and maybe also security team as well, given biggest challenge for this endpoint is actually security concern if we loose all those restrictions.
We will consider it as a feature requirement and see how we can prioritize it.
Hi Lian,
just a update, talked with team, unlikely we can loose this requirements of “let you share to group only you has edit permission on experience” due to security concern. Otherwise it become a super easy way to let a bad actor to take down any other’s game → share a good model to a group and intended update with bad content with newer version, then entire game will be taken down due to bad content.
But let insertService working with shared model is still on our roadmap, we should be able to handle that in near future.
Hi,
I see what you mean. Though this security concern is already on InsertService im pretty sure since you are able to perform this in user-owned games through the owner of the game purchasing the asset and using loadasset. I don’t see why this would be any different with group-owned games.
Hi, a big difference is “require game owner explicit consensus and take action”. But your suggestion is a user can just freely share to any group and any group member can accident use insertService without any consensus from game owner. Actually I heard from my colleague this kind of case was causing a big issues back many years ago and almost shut down most popular games in roblox.
Could it work similar to how it works with user-owned games. Like the group owner needs to own the model so that it can be loaded in game. Or the group owner has to explicitly allow the asset to be loaded ingame. Anything like that would work fine for me. LoadAsset does not require users to edit the game if the game is user-owned as long as the owner of the game owns the asset. I don’t see why this couldn’t be integrated into groups.
require(id) works on Model assets that were granted access via the new asset permission system, so I don’t get why InsertService:LoadAsset() isn’t allowed to. Both functions load a Model asset from the website.
The only difference is that require(id) requires the Model asset’s top-level instance to be a ModuleScript, and it doesn’t directly give you the ModuleScript instance. You can still parent any arbitrary instances under the ModuleScript and then have the ModuleScript’s code move them into the DataModel.
This method achieves what I want to, thank you. But yeah, I don’t know why loadasset doesn’t work but require works fine even though they are pretty similiar to each other.
The key is the security concern, and to be fair, they are not same and require has other restrictions to make sure it’s safe: require only works for model type + they has to listed in creator store + they need a ModuleScript → which all gave us some additional checks to make sure they are safe and no easy way to bring bad content to anyone else’s game.
