Feature Spotlight: Access Controls

SnapStream Enterprise TV, the software that runs our TV servers, has a lot of different features that make it suitable for a lot of different tasks. But as someone once said, with great power comes great responsibility!

 

Like Uncle Ben told Peter, “With great power comes great responsibilty.” – Uncle Ben tells Peter Parker

Because the server has a lot of different functions, it may be accessible to a lot of different users – for example, at one educational institution, the SnapStream server is accessible to professors and students from a dozen different classes, as well as departmental staff, research assistants and IT. The server might be in use for two or three different purposes at any given time. That means a lot of users with different and sometimes competing needs, who have a lot of opportunities to get in each others’ way.

Fortunately, we also have some very powerful and versatile tools for wrangling your user base.

User Groups
SnapStream software has group-model security. This means that users aren’t assigned permissions directly, but rather, they are assigned to groups, and permissions are assigned to everyone in each group. This makes it a lot easier to manage a large group of users- especially when you’re using the LDAP integration feature, which I’ll talk about a bit below.

The permissions configuration page looks like this:

A detailed description of what each permission does is available in our help file.

Predefined groups
Enterprise TV comes preconfigured with several user groups that are designed for some of the typical tasks that you might want to permit or deny.

Administrators: These users can do everything on the server, including change user permissions, so put only your most trusted and knowledgeable users in this group. An unskilled user in this group can do a lot of damage by accident.

Schedulers: Basically just like Administrators, except they don’t have access to any server settings. Notably, these users can manage recording priorities. These guys are sort of “in charge” of the recording schedule.

Basic Schedulers: They can submit recording jobs, but they can’t manage recording priorities. New jobs that they submit will come in at the bottom of the priority list, so they can’t accidentally bump someone’s crucial CNN Newsroom recordings for a ball game (or vice versa).

Live TV Viewers: These users can’t schedule recordings, but they can view Live TV and create TV Alerts. Note that Live TV can’t ever cause a recording to be blocked- these guys are one step below Basic Schedulers.

Recorded TV Viewers:
They can watch and use recordings, but they can’t watch Live TV.

All of these groups can download files, create clips and schedule TV Alerts. A detailed breakdown of the permissions for each group can be found in
the help file.

How permissions affect the user experience
Users will only see options to which they have access. A Basic Schedulers user, for example, won’t be able to even try to access the Settings menu- they simply won’t see the option.

This helps ensure that users are steered towards the functions that you want them to perform without getting distracted by trying to fiddle with settings or change the recording schedule.

“Hiding” recordings from users with Folder Security
A client called us recently wanting to know if it was possible to create a series of recordings that would be hidden from most of their users. We weren’t sure what they were planning- and we didn’t ask – but what they were trying to do is pretty simple to accomplish using our Folder Security feature.

First, create a folder to which these “hidden recordings” will be saved.

Make sure that the Folder Security option is Enabled, as in the screenshot above. You’ll see your user groups in a picklist. Simply select the groups that you want to have access the folder. To select multiple groups, hold the CTRL key and click on the group names.

Now, we need to create a recording that will be saved to the hidden folder. The easiest way to do this is by using the scheduling tools in the web admin. To create a manual recording, mouse over Setup Recordings and select Create New Recording.

Set the recording options however you want, and for Target Video Folder, select the hidden folder. (Note that the user creating the recording will need to have access to the hidden folder in order to select it from the drop-down menu). All recordings created by this job will now be saved to the hidden folder.

If you want to create a hidden recording from the Program Guide, first schedule the recording through the guide as normal. Then, you can change the Target Video Folder by Editing the recording, through Setup Recordings=> Recording Manager.

LDAP integration
Our LDAP integration feature allows your users to use their Active Directory or Novell credentials to log in to the server- one less password for them to forget!

Configuring LDAP integration is a three-step process.
1. Consult our recommendations for LDAP integration for some best practices relating to the configuration of Windows on the server.
2. Enable LDAP integration, in Settings=> Advanced Settings=> Security Settings. You’ll need the location of your LDAP server, as well as a username and password who have permission to query other users.

3. Go to Settings=> Advanced Settings=> User Configuration. Add a new LDAP-linked group for each LDAP group that should have access, select the LDAP group that you want, and specify the permission settings. Note that users who aren’t in an LDAP group that is “linked” in this way won’t be able to log in.

A few words about security
When you log in to Enterprise TV Link, you can feel as secure as logging in to Windows. If you’re using version 4.9.2 of Enterprise TV Link along with our LDAP integration feature, Windows will pass your login information to the SnapStream server, allowing you to bypass the login screen automatically.

When you’re logging in to the web admin, you may see a page like the following:

This is a result of our implementation of SSL encryption in the web admin. The security handshake that allows your web browser to trust a site using SSL depends on a certificate that verifies the network name and domain of the server. Since that information is different for every installation, SnapStream can’t provide a security certificate with new servers, which is why this error appears. However, it does NOT mean that the security of the TV server is compromised- it just means that your browser can’t verify the name of the TV server. This error screen can be bypassed safely. If you’d like to purchase a security certificate for the server, we have instructions posted in our knowledgebase .

Please note that this only applies to the secure side of the web admin- that is, if the text in the address bar of your browser begins with HTTPS. If the address begins with HTTP, you’re accessing the nonsecure side of the web admin, and your password will be transmitted in plain text, so be careful.