Suppose you wish to prohibit WordPress attachments deletion for your authors. WordPress manages access to the Media Library items (attachments) using ‘posts’ capabilities set. Yes, the key capability to access the ‘Media Library’ is ‘upload_files’, but in order to edit uploaded image attributes a user needs ‘edit_posts’ capability, in order to delete uploaded video a user needs ‘delete_posts’ capability, etc. So there is no way to prohibit attachments deletion for users who may (and should) delete posts with WordPress default Media Library permissions model.
Pro version of User Role Editor offers a workaround – ‘Force custom post types to use their own capabilities’ option:
When this option is turned ON, any custom post type and attachment (it’s realized as a post type too), which use ‘posts’ capabilities by default, starts to use its own capabilities sets instead, like:
– ‘videos’ post type uses ‘edit_videos’, ‘delete_videos’,
– ‘attachment’ type uses ‘edit_attachments’ and ‘delete_attachments’
instead of ‘edit_posts’ and ‘delete_posts’.
So with this option enabled you may realized more granulized access model to your WordPress posts and Media Library items (attachments), like this: