Permissions Best Practices
jajtiii
I was wondering how others are using the permission settings in MediaBin to control access to assets. We are investigating implementing MB in an enterprise environment where some assets will be shared openly while others will be restricted to various users. We will not be able to take advantage of the LDAP functionality at the outset. Although it will be small at first, the number of users is expected to grow quickly.
Do other implementations of MB set up local windows accounts on the server to mimic the roles of their users and then use permissions on folders to determine access? This approach seems to remove the ability to use the folder structure to present a logical hierarchy to the end users to find assets.
Do other implementations use domain account groups to control access? Doesn't this create the same problem as above?
Thanks for any suggestions.
Comments
Migrateduser
Hello:
After reading your question, I'm still a little foggy on what security methods you have available (Domain(s), Active Directory, LDAP). I understand LDAP isn't an option at the moment. Therefore I'll start out by asking some basic questions and then give a few historical perspectives.
Are you authenticating each user, or are you allowing "guest" or anonymous logins (hopefully not)?
Do you have Domain Groups created today that most users fall into?
Most large implementations use/apply group permissions to the folder hierarchy within MediaBin. This means that IT usually has to create the groups at the Domain/LDAP/Active Directory level. Once created, the MediaBin Admin(s) can apply the groups to the folder hierarchy without IT's involvement. Further, you can specify a number of "power users" within each division of your company. Usually each division of a company has a "main node/folder" within the hierarchy. These "power users" are trained how to apply security permissions within MediaBin and then the application of security policies within each area is "federated" to those power users. This allows the overall MediaBin Administrator more freedom and less day-to-day maintenance duties. Power users simply have to have Full Control over the folders they control. They don't have to be MBPAdmins (within MediaBin Enterprise Manager).
By using groups at most levels within the repository, it also simplifies the overall setup. When a new person is added by IT to the company (and the appropriate groups), they then have access to the appropriate areas in MediaBin. This can be augmented by modifying/specifying certain individuals at the folder/task/metadata level within MediaBin so that they are either granted or denied certain rights that are greater or lesser than the public "group" population. In other words, some folders will have Everyone = Read, and Joe User = Change; or Everyone = Read, and Joe User = No Access. The use of "Everyone" should be considered carefully. Most customers do not use it except in areas that are truly meant for anyone and everyone to access. In the examples given previously, it's just as easy to swap a group name for Everyone...
Finally, with some creative help from your IT staff, you can create temporary user accounts that have "rolling" passwords. IT can script the daily/weekly change of passwords on a number of accounts that can be freely given out. When an external user is given one of these accounts, they are granted access for a short time to a specific area of the repository (i.e. a "Press Room" folder). For example, let's say the New York Times calls up and says they need the most recent picture of your Corporate HQ building and the President. You could simply log in and place a Reference Copy of those images along with a Usage Guidelines document into the Press Room folder. You give them the account id and password-of-the-day. They log in, see only the Press Room folder and download those assets (in the format they need).
Hope this helps.
M...
jajtiii
M,
Thanks very much for your thorough and well-written response.
"Are you authenticating each user...?"
Well, we are not doing anything yet, but we would like to retain the ability to audit usage by individual user. It seems that would preclude allowing anonymous logins or the use of 'generic' user accounts.
We intend to use MB with TeamSite 6.1 (TS), but it is my understanding that the MediaBin - TeamSite connector uses only one account for authentication to MB. If true, this seems to mean that it will be impossible to track individual users' usage of assets, as every MB activity performed by users through TS will just show up as the TeamSite account.
"Do you have Domain Groups created today that most users fall into?"
We do have domain accounts for every user, but as yet no MB specific groups have been created.
I could be way off base but here is what I am thinking. Because I don't want to have to create a user account for every user, I have to use either their SiteMinder/LDAP account or their domain accounts. There are about a dozen domains so creating and managing the groups on each domain will be a bit of a headache, but appears as though it should be manageable. The LDAP option appears at first glance to be much better, but my lack of familiarity with LDAP concerns me.
Thanks again for your post.
jajt
lyman
Hi. Forgive me for jumping in. I thought I would make a few quick comments.
MediaBin allows you to associate access control lists to folders, tasks, and metadata fields. Permissions can be granted to NT users and groups, and to LDAP users and groups (or a mixture).
Simple is good. In general it is far simpler to decide on a few types of user permissions and set up groups. That means that when "Joe" leaves the marketing group you do not have to edit the permission list on every folder. If you have implemented security using groups, you merely have to remove "Joe" from the Marketing group and no further work is necessary within MediaBin.
In general the server allows any configuration, but it is more efficient in many cases (especially for search) if you tend to decide permissions in the first few levels of the container hierarchy. The simpler the security, the easier it will be to remember and maintain.
Cheers,
Lyman Hurd
MediaBin Server Team
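The group-based folder permissions that M and Lyman describe (group entries on the first few levels of the hierarchy, an explicit user entry such as "Joe User = No Access" overriding the group, and offboarding by removing the user from the group rather than editing every folder) can be modelled in a few lines. This is an added illustration, not MediaBin's own code or API; the resolution rules (explicit user entry overrides group entries, "No Access" wins over any other group right, unset folders inherit from the nearest ancestor) and the sample groups and folders are assumptions constructed for the example.

```python
# Added illustration of group-based folder ACLs, not MediaBin code.
# Assumed resolution rules: an explicit user entry overrides group entries,
# an explicit "No Access" wins over any other group right, and a folder with
# no ACL of its own inherits the nearest ancestor's ACL.
from typing import Dict, List, Set, Tuple

LEVELS = {"No Access": 0, "Read": 1, "Change": 2, "Full Control": 3}

# Constructed sample directory: domain groups and their members.
GROUPS: Dict[str, Set[str]] = {
    "Marketing": {"joe", "ann"},
    "PressRoomPower": {"ann"},
}

# Constructed folder ACLs: folder -> list of (principal, right).
ACLS: Dict[str, List[Tuple[str, str]]] = {
    "/": [("Everyone", "Read")],
    "/Marketing": [("Marketing", "Change"), ("joe", "No Access")],
    "/PressRoom": [("PressRoomPower", "Full Control"), ("Everyone", "Read")],
}

def member_of(user: str) -> Set[str]:
    """Every authenticated user is implicitly in Everyone."""
    return {"Everyone"} | {g for g, m in GROUPS.items() if user in m}

def effective_right(user: str, folder: str) -> str:
    """Walk up to the nearest folder with an ACL, then resolve it for user."""
    path = folder
    while path not in ACLS:
        path = path.rsplit("/", 1)[0] or "/"
    entries = ACLS[path]
    user_entries = [r for p, r in entries if p == user]
    if user_entries:                       # explicit user entry overrides groups
        return user_entries[0]
    groups = member_of(user)
    group_rights = [r for p, r in entries if p in groups]
    if not group_rights or "No Access" in group_rights:
        return "No Access"                 # nothing granted, or explicit deny
    return max(group_rights, key=LEVELS.__getitem__)

def offboard(user: str) -> None:
    """Remove user from every group; no folder ACL needs editing."""
    for members in GROUPS.values():
        members.discard(user)
```

Resolving "ann" against "/Marketing/Campaigns" yields "Change" through inheritance, "joe" gets "No Access" there despite Marketing membership, and after offboard("ann") her Press Room right drops from "Full Control" to the Everyone-level "Read" without any ACL change.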
ramesh_kumhar
Does anybody have an idea about how to implement security, meaning adding domain groups to a specific folder in MediaBin using the API (programmatically)?